November 21, 2023

Account number tokenization: The next phase of consumer protection

Digital payment markets across the globe continue to rise. We see significant growth and usage in the U.S., particularly with the Real Time Payments (RTP) network from The Clearing House (TCH) and with ACH transfers being at an all-time high.  

The expansive growth leads to an increase in fintechs relying on these payment networks to successfully send and receive payments. While the ability to take advantage of digital payments is incredibly beneficial – it also poses several lesser-known risks.  

To initiate a payment, consumer payment credentials (which include bank account numbers and routing numbers) are often captured, proliferated, and stored by third parties - opening the door for potential breaches. 

More than 71,000 bank frauds were reported in the first half of 2023 alone. Moreover, in the case of a data breach, changing a consumer’s account information is complicated and costly due to how widely the account numbers are used. In their Cost of a Data Breach 2023 report, IBM estimated the cost in the financial services industry to be $5.9 million per breach, with customer's personally identifiable information (PII) being the costliest and most common record compromised at $183 per record. 

While banks, fintechs, and aggregators continue to make progress toward removing login credentials from the ecosystem and sunsetting screen-scraping practices, relatively little has been done to eliminate payment credentials.  

Akoya understands that tokenized account numbers can mitigate these risks, reduce costs, and deliver the protection consumers deserve. 

 What is account number tokenization? 

The “tokenization” process consists of issuing a payment token to a third party (e.g., a fintech app) to stand in for the actual account number of a financial account. A token is often a random string of numeric or alphanumeric characters and represents nothing by itself. The token is mapped to the real account number and the mapping is stored separately, in a vault at a trusted party. 

Group 2155 (1)

Tokenization is not new and has been used for a long time by card schemes (e.g., wallets, cards on file, tap to pay, etc.). Account number tokenization for bank rails has also existed, with two main types of tokens: 

  • Bank issued tokens: the financial institution creates a token on its own using their in-house tokenization engine; the token is then de-tokenized when the payment returns back  to the bank. This requires the bank to build, manage, and maintain their own tokenization engine.  
  • Processor/aggregator issued tokens: the fintech app payment processor or data aggregator creates a token before sharing it with them. These are then required to be sent back to the processor or data aggregator to be de-tokenized before being sent to the payments network. 

Both traditional approaches only work in a “closed ecosystem” and lack interoperability. This limits the adoption at scale and either requires a bank to build these capabilities in-house or relies on a third-party vendor to manage the sensitive mapping. Click here to learn more about the mechanics of tokenization. 

The value of tokenization 

Account number tokenization offers incremental value to all participants in the Open Finance ecosystem. 

For consumers, tokenization provides a simpler, safer payment experience across all applications. In the event of an account being compromised, account number tokens have domain controls and can easily be suspended, limiting the impact on the financial profile of the consumer. Any scenario that requires payment credentials to be stored (e.g., recurring bill payments) will see improved security and a decrease in risk. 

For merchants, it is business-as-usual. A fintech app, for instance, can leverage a tokenized account number to create an ACH debit transfer from a consumer bank account, the same way they do today. An app can enable a consumer to fund a new bank account and allow for funds to be credited using a payment initiated with a token. 

For financial institutions, tokenization further mitigates risks. The mapping between a token and the corresponding account number is stored separately in a secure vault and is validated during payment processing by the network. One or many tokens can systematically be suspended and replacing tokens is easier and less expensive than replacing real account numbers.  

Akoya’s tokenization solution

Akoya and TCH have partnered to bring a network, scalable approach to account number tokenization that helps financial institutions and fintechs to adopt tokenization at limited to zero effort on their part. 

Akoya’s Payments product integrates with TCH’s token services for select financial institutions on our network. As leaders in Open Finance, we design and build solutions centered on consumer safety and best practices.  

For fintechs and companies using the Akoya network to access consumer data, this is seamless. Due to the tokens ability to be de-tokenized by the network directly, participants on the Akoya network do not have to change their payment processing services to benefit from tokenization.  

For financial institutions that have already integrated with Akoya, adding tokenization via existing connection requires no additional tech development, as real account numbers are swapped and replaced with tokens provided through TCH's token services. This is done through a connection between Akoya and TCH, and real account numbers are replaced prior to Akoya sending them to the Open Finance ecosystem. 

Tokenized account numbers can be leveraged in many user journeys from account funding to using pay-by-bank services to make a purchase. Companies can leverage the power of Open Finance for additional steps of their user experiences—check out recent posts on account linking or account verification

If you are interested to learn more about how the solution works, how we integrate with TCH, and how the de-tokenization process works, please reach out to us. 

Topics: Blog

Related articles headline.

Blog

Reducing complexity in Open Banking regulatory compliance

With the issuance of the CFPB 1033 final rule in late October 2024, the countdown toOpen Banking compliance has.

Blog

How Akoya’s managed services help ensure CFPB 1033 rule compliance

Financial institutions have begun their efforts to comply with the Consumer Financial Protection Bureau’s Section 1033.

Blog

Final CFPB 1033 rule: Challenges and opportunities for financial institutions

In our webinar, "It’s time to act. Prioritize CFPB 1033 compliance for your customers," Open Banking experts from Akoya.