What Is Open Banking?

How APIs Are Changing the Way We Bank

Open banking is changing the way people and businesses interact with financial services. At its simplest, open banking means that customers can securely share their financial information with third-party companies through application programming interfaces (APIs). With the customer’s consent, these APIs allow new services to be built on top of existing bank data and infrastructure, ranging from budgeting apps to embedded payments and lending products.

Unlike traditional banking, where services were only accessible through a bank’s own channels, open banking creates a network of connected institutions, fintechs, and service providers. This shift not only drives innovation but also creates new responsibilities for banks to secure data and manage risks.

Real-World Examples of Open Banking in Action

  • Established banks:

    • BBVA launched one of the first developer portals that allows partners to connect to APIs for payments, account information, and even customer onboarding.

    • JPMorgan Chase has invested in open APIs to better connect corporate clients and fintech partners, especially in treasury and payments.

  • Fintechs and aggregators:

    • Plaid enables customers to link their bank accounts to apps like Venmo, Robinhood, and Mint. This is often a customer’s first experience of open banking in practice.

    • Neobanks such as Chime or Monzo (UK) rely heavily on open APIs to offer fast account opening, debit card services, and instant notifications.

  • Developer portals:
    The most advanced banks now publish full developer ecosystems with documentation, sandbox environments, and test APIs that function much like technology companies do. These portals help partners build and test apps quickly, creating a marketplace of financial services.

Modern banks must function as much like a technology company as they do a bank. If they don’t, they will fall behind.
— Andrew Alaniz

How APIs Work in Banking

Think of an API as a menu of actions or data requests that a bank exposes for trusted partners. Instead of logging into online banking, a third-party app uses an API call to request or update information on your behalf.

Here are some common examples of what banking APIs provide access to:

  • Customer information - Verify identity, retrieve profile details.

  • Account data - Check balances, see transaction history.

  • Payments - Initiate transfers, schedule bill payments.

  • Card services - Issue new cards, check card status, manage limits.

  • Lending - Apply for loans, check application status, retrieve payoff amounts.

In open banking, these APIs form the building blocks that other companies use to create new financial products and experiences.
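To make the “menu of actions” concrete, here is an added example (not code from the article or from any bank’s API) of how a bank-side gateway can decide whether a third party’s call is allowed. Each exposed action maps to a consent scope, and a call succeeds only if the customer granted that scope for that account to that specific third party, and the consent has not expired. The action names, scopes, party names, account ids and dates are all constructed for illustration.

```python
"""Consent-scoped authorization for a banking API gateway (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical "menu": which consent scope each exposed action requires.
ACTION_SCOPES = {
    "GET /customers/{id}": "customer:read",
    "GET /accounts/{id}/balance": "accounts:read",
    "GET /accounts/{id}/transactions": "accounts:read",
    "POST /payments": "payments:initiate",
    "POST /cards": "cards:issue",
}


@dataclass(frozen=True)
class Consent:
    """What one customer granted to one third party, on which accounts, until when."""
    customer_id: str
    third_party: str
    scopes: frozenset
    accounts: frozenset
    expires_at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(consent, third_party, action, account_id=None, now=None):
    """Decide whether `third_party` may perform `action` under `consent`.

    Checks, in order: the caller is the party the consent was granted to,
    the consent is still valid, the action maps to a granted scope, and
    (for account-level actions) the account is covered. Anything not
    explicitly on the menu is denied.
    """
    now = now or datetime.now(timezone.utc)
    if third_party != consent.third_party:
        return Decision(False, "consent belongs to a different third party")
    if now >= consent.expires_at:
        return Decision(False, "consent expired")
    required = ACTION_SCOPES.get(action)
    if required is None:
        return Decision(False, "unknown action")  # deny by default
    if required not in consent.scopes:
        return Decision(False, f"missing scope {required}")
    if account_id is not None and account_id not in consent.accounts:
        return Decision(False, "account not covered by consent")
    return Decision(True, "ok")


# Constructed consent: a budgeting app may read one account, nothing more.
SAMPLE_CONSENT = Consent(
    customer_id="cust-1001",
    third_party="budgetapp",
    scopes=frozenset({"accounts:read"}),
    accounts=frozenset({"acct-001"}),
    expires_at=datetime(2025, 1, 1, tzinfo=timezone.utc),
)


def sample_calls():
    """Run constructed API calls against SAMPLE_CONSENT; return {label: (allowed, reason)}."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    cases = {
        "read_balance": ("budgetapp", "GET /accounts/{id}/balance", "acct-001"),
        "read_other_account": ("budgetapp", "GET /accounts/{id}/balance", "acct-999"),
        "initiate_payment": ("budgetapp", "POST /payments", None),
        "other_party": ("rideapp", "GET /accounts/{id}/balance", "acct-001"),
        "unknown_action": ("budgetapp", "DELETE /accounts/{id}", "acct-001"),
    }
    results = {}
    for label, (party, action, acct) in cases.items():
        d = authorize(SAMPLE_CONSENT, party, action, acct, now)
        results[label] = (d.allowed, d.reason)
    # Same valid call, evaluated after the consent's expiry date.
    late = authorize(SAMPLE_CONSENT, "budgetapp", "GET /accounts/{id}/balance",
                     "acct-001", datetime(2026, 1, 1, tzinfo=timezone.utc))
    results["after_expiry"] = (late.allowed, late.reason)
    return results


if __name__ == "__main__":
    for label, outcome in sample_calls().items():
        print(f"{label:20s} -> {outcome}")
```

The point of the ordering is that the check is tied to the consent, not to the partner’s identity: a well-known, trusted fintech still cannot initiate a payment if the customer only consented to balance reads, and an unlisted action is refused rather than passed through.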

On-Us vs. Off-Us Transactions

One area where APIs and open banking intersect with payments is the distinction between on-us and off-us transactions:

  • On-us: If you swipe your debit card from Bank A at a merchant who also uses Bank A as their bank, the transaction is entirely processed within one institution. It’s simpler, faster, and often cheaper.

  • Off-us: If you swipe your Bank A card at a merchant using Bank B as their bank, multiple institutions are involved. Data must move between banks and card networks (like Visa or Mastercard), creating more complexity and more places where security matters.

With open APIs, banks expose services to external fintechs, merchants, or service providers. That means more transactions effectively behave like “off-us,” requiring careful coordination, security checks, and monitoring to prevent fraud.

Banking-as-a-Service (BaaS)

Open banking has also enabled Banking-as-a-Service (BaaS), where a bank provides its regulated infrastructure to third parties through APIs.

For example:

  • A retail company could offer branded credit cards without becoming a bank itself.

  • A rideshare app could allow drivers to open accounts and receive instant payouts inside the app.

  • A fintech startup could launch a neobank by plugging into a sponsor bank’s BaaS APIs for deposits, payments, and cards.

In this model, the bank handles the regulatory and compliance requirements, while the third party handles customer experience. BaaS is a growing trend because it lets non-banks offer financial products, powered by the bank’s secure systems.

Fraud Prevention in an Open Banking World

Fraud prevention becomes more complex in open banking because banks are delegating key actions such as account creation, card issuance, or payment initiation to external partners.

This raises critical questions:

  • Where does identity verification (IDV) occur? If a rideshare app issues debit cards through a partner bank, is the app responsible for verifying the driver’s identity, or does the bank need to re-verify?

  • Who handles fraud detection? If a third party initiates a payment via API, both the bank and the fintech must have fraud monitoring in place, but they may use different systems and thresholds.

  • Shared accountability: Without clear agreements, fraudsters can exploit gaps between the bank and the fintech.

As a result, banks and their partners must establish strong controls for KYC (Know Your Customer), AML (Anti-Money Laundering), and ongoing transaction monitoring, even when the customer’s primary experience is through a third-party app.
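The “different systems and thresholds” problem is easiest to see with a worked case. The following is an added example (not the article’s code or any vendor’s product): a partner applies only a per-payment limit, while the bank runs its own window-based transaction monitoring over the API audit log of payments the partner initiated. The log lines, partner name, customer ids, amounts and rule thresholds are all constructed; the rules are deliberately simple stand-ins for a real monitoring engine.

```python
"""Bank-side monitoring of partner-initiated API payments (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit log of payments a partner initiated through the bank's API.
# Each amount is under the partner's own $5,000 per-payment limit.
LOG = """\
2024-05-01T09:00:00Z partner=ridehub customer=c-1001 payee=p-77 amount=40.00
2024-05-01T09:02:00Z partner=ridehub customer=c-1001 payee=p-77 amount=45.00
2024-05-01T09:03:30Z partner=ridehub customer=c-1001 payee=p-91 amount=4900.00
2024-05-01T09:04:00Z partner=ridehub customer=c-1001 payee=p-92 amount=4900.00
2024-05-01T09:05:00Z partner=ridehub customer=c-1001 payee=p-93 amount=4900.00
2024-05-01T11:00:00Z partner=shopco customer=c-2002 payee=p-10 amount=12.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) partner=(?P<partner>\S+) customer=(?P<customer>\S+) "
    r"payee=(?P<payee>\S+) amount=(?P<amount>[\d.]+)$"
)

# Hypothetical thresholds. The partner screens each payment in isolation;
# the bank also looks at behaviour across a 10-minute window.
PARTNER_SINGLE_LIMIT = 5000.0
BANK_RULES = {
    "single_limit": 5000.0,
    "window": timedelta(minutes=10),
    "max_count": 3,        # more than 3 payments per customer in the window
    "max_sum": 10000.0,    # more than $10k per customer in the window
}


def parse(log):
    """Parse the audit log into sorted event dicts; reject malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["amount"] = float(ev["amount"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def partner_screen(event):
    """The partner's only control: a per-payment amount limit."""
    return event["amount"] <= PARTNER_SINGLE_LIMIT


def monitor(events, rules=BANK_RULES):
    """Apply the bank's own rules; return one alert per (customer, rule)."""
    recent = defaultdict(list)   # customer -> events still inside the window
    alerts, seen = [], set()

    def fire(ev, rule):
        key = (ev["customer"], rule)
        if key not in seen:
            seen.add(key)
            alerts.append({"customer": ev["customer"], "rule": rule, "at": ev["ts"].isoformat()})

    for ev in events:
        cust = ev["customer"]
        window = [e for e in recent[cust] if ev["ts"] - e["ts"] <= rules["window"]]
        window.append(ev)
        recent[cust] = window
        if ev["amount"] > rules["single_limit"]:
            fire(ev, "single_limit")
        if len(window) > rules["max_count"]:
            fire(ev, "velocity")
        if sum(e["amount"] for e in window) > rules["max_sum"]:
            fire(ev, "window_amount")
    return alerts


if __name__ == "__main__":
    evs = parse(LOG)
    print("partner passed all:", all(partner_screen(e) for e in evs))
    for a in monitor(evs):
        print(a)
```

Every payment passes the partner’s check, so if the bank relied on the partner alone nothing would be flagged; the bank’s velocity and window-amount rules fire on the burst from `c-1001`. That is the gap the “shared accountability” bullet describes: neither side can assume the other’s thresholds are the ones that matter.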

Levels of Maturity in Open Banking

Banks rarely move from closed systems to full-scale open banking overnight. The journey often follows a maturity curve:

  1. Foundational (Data Publishing)

    • Banks use hosted or vendor platforms to expose basic consumer account information in a standardized format.

    • Example: Providing third parties like LendingTree with access to deposit rates or loan offerings.

  2. Transactional (Basic Services via APIs)

    • APIs expand to cover actions such as payments, card services, or loan applications.

    • Fintechs can not only view bank data but also act on behalf of customers.

  3. Ecosystem (Embedded Finance / BaaS)

    • Banks provide full Banking-as-a-Service capabilities, enabling non-banks to embed financial services within their own apps.

    • This requires advanced developer portals, rigorous API security, and shared fraud prevention frameworks.

Each stage increases both opportunity and complexity. As banks mature, they must balance faster innovation with stronger governance, security, and operational coordination.

Build vs. Buy: How Banks Provide APIs

Banks face a key decision in how they deliver open banking services:

  • Build in-house: Some large banks invest in building their own APIs and developer portals. This gives them control and customization, but requires significant investment in software engineering, API management, and cybersecurity.

  • Use third-party platforms: Vendors such as Axway, Apigee (Google), or MuleSoft offer platforms that help banks manage APIs, developer access, and monitoring. These solutions speed up time-to-market but can create long-term vendor dependency.

The choice depends on a bank’s digital maturity, resources, and strategy.

Industry Standards: The Role of FDX in Open Banking

A critical part of open banking is the development of industry-wide standards for how data is shared securely and consistently. The Financial Data Exchange (FDX) is one of the leading groups in the U.S. creating a common API standard for financial data sharing.

FDX matters because:

  • Interoperability - Instead of every bank or fintech creating its own data-sharing format, FDX provides a standardized way for institutions and third parties to exchange information.

  • Security - FDX promotes stronger authentication, authorization, and encryption practices to reduce risks inherent in exposing financial data.

  • Compliance Alignment - While not a regulatory mandate, FDX helps banks prepare for requirements under Dodd-Frank Section 1033 by ensuring consumers have safe access to their data.

  • Ecosystem Participation - Large players like JPMorgan Chase and Wells Fargo, as well as fintechs like Plaid, have committed to adopting FDX standards, which signals where the industry is heading.

For banks considering how to approach open banking, adopting or aligning with FDX provides a way to future-proof integrations and reduce the risks associated with ad hoc or proprietary data-sharing solutions.

Security and Regulatory Considerations

While open banking enables new opportunities, it also introduces risks. Every new API increases the “attack surface” for bad actors. Without strong security, poorly designed APIs can expose sensitive customer information or create opportunities for fraud.

Regulation is catching up. In the United States, the Dodd-Frank Act Section 1033 will require banks to make consumer financial data available in an electronic form. This ensures customers have access to their own data, but it also raises challenges:

  • Liability gaps: If a customer shares data with a fintech that later suffers a breach, the originating bank may still be drawn into reputational or customer-service fallout—even if it wasn’t responsible.

  • Operational risks: Banks need controls for who accesses data, how much is shared, and how it’s secured once it leaves their systems.
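The operational-risk bullet (“how much is shared”) is usually addressed with field-level data minimization on the way out of the bank. Here is an added example (not code from the article or from any bank) of a response filter that releases only the fields the customer’s consent scopes cover, never exports certain internal fields regardless of consent, and records what was shared and withheld for audit. The field names, scopes, account record and third-party name are constructed.

```python
"""Field-level data minimization for an outbound API response (added example)."""

# Fields that never leave the bank through a third-party API, whatever the consent.
NEVER_EXPORT = {"owner_ssn", "internal_risk_score", "core_system_ref"}

# Hypothetical mapping: which consent scopes a field requires. An empty set
# means the field is part of any response (e.g. the id the caller already holds).
FIELD_SCOPES = {
    "account_id": set(),
    "account_type": set(),
    "balance": {"accounts:balance"},
    "currency": {"accounts:balance"},
    "transactions": {"accounts:transactions"},
    "owner_name": {"customer:profile"},
    "owner_email": {"customer:profile"},
}

# Constructed internal account record as the core system might return it.
SAMPLE_ACCOUNT = {
    "account_id": "acct-001",
    "account_type": "checking",
    "balance": 1523.40,
    "currency": "USD",
    "transactions": [{"date": "2024-05-01", "amount": -40.00, "desc": "coffee"}],
    "owner_name": "A. Example",
    "owner_email": "a.example@example.invalid",
    "owner_ssn": "000-00-0000",          # constructed placeholder
    "internal_risk_score": 17,
    "core_system_ref": "CBS-PLACEHOLDER",
}


def minimize(record, granted_scopes, third_party):
    """Return (payload, audit): only consented, exportable fields, plus what was withheld."""
    granted = set(granted_scopes)
    payload, withheld = {}, []
    for key, value in record.items():
        if key in NEVER_EXPORT:
            withheld.append(key)
            continue
        needed = FIELD_SCOPES.get(key)
        if needed is None:             # field not on the allow-list: withhold by default
            withheld.append(key)
            continue
        if needed <= granted:
            payload[key] = value
        else:
            withheld.append(key)
    audit = {
        "third_party": third_party,
        "shared": sorted(payload),
        "withheld": sorted(withheld),
    }
    return payload, audit


if __name__ == "__main__":
    out, log = minimize(SAMPLE_ACCOUNT, {"accounts:balance"}, "budgetapp")
    print(out)
    print(log)
```

Two design choices matter here: unknown fields are withheld rather than passed through, so a new column added to the core record does not silently leak, and the audit record names the withheld fields without including their values, so the audit trail itself does not become a second copy of the sensitive data.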

Why It Matters

Open banking is no longer experimental; it is already shaping customer expectations. People want fast access to their financial data across apps, personalized services, and seamless payments.

Banks that can deliver secure, developer-friendly APIs will be positioned to lead. Those that delay will find themselves dependent on third-party aggregators or losing customer engagement to fintech competitors.

But innovation must go hand-in-hand with security. Open banking is a balancing act: create opportunity without creating new vulnerabilities.

This first article introduces the concept. Open banking is laying the groundwork for a more connected financial ecosystem in the U.S., but the landscape isn’t standing still. New protocols like Google’s AP2 are already redefining what secure, AI-driven payments could look like. The question now is whether U.S. banks will keep pace or whether fintechs, card networks, and neobanks will seize the lead. In my next post, I’ll explore what AP2 means for open banking and why banks need to act now. I will follow this by digging into API management, Dodd-Frank Section 1033, and what banks need to be doing to protect open banking APIs. If you’re considering open banking or have already begun the journey and need help building a program around API protections and testing, set up a free consultation.
