Definition
Open banking is a regulated framework that allows third parties to access financial account data and initiate payments with the account holder’s explicit consent. Identity in this context means a verified digital identity that can be reused across services without repeated credential sharing.
When it matters
Open banking and identity matter when a product relies on regulated data access, consent-driven flows, or trust infrastructure. This includes account aggregation, payment initiation, credit decisioning, KYC and onboarding, and any product that moves data or value between participants under a consent regime.
How it works
The core mechanism is the consent and authorisation flow. An account holder grants a specific third party access to specific data for a specific purpose and duration. The bank enforces that grant via an open API. The identity layer verifies who is granting consent and that the consent is valid. Trust is built through clear consent language, minimal data scope, short retention periods, and accountable use. Products that get this right reduce friction and build user confidence. Products that overreach face abandonment and regulatory risk.
Practical steps
- Map the consent lifecycle: grant, use, revoke, expiry.
- Define the minimum data scope required for the use case.
- Design the user-facing consent flow for clarity and informed choice.
- Build or integrate the identity verification layer appropriate to the assurance level.
- Ensure data handling, storage, and retention match the consent scope.
- Prepare audit trails for regulatory review.
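The consent lifecycle and scope enforcement described above, as an added Python example that is not from the original page or from any product it mentions; the class and scope names (ConsentService, "transactions:read") are assumptions, and demo() runs a constructed version of the 90-day credit decisioning scenario given in the Examples section:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Consent:
    consent_id: str
    holder_id: str     # account holder as verified by the identity layer
    third_party: str   # the party the grant was issued to
    purpose: str
    scopes: frozenset  # minimum data scope, e.g. {"transactions:read"}
    expires_at: int    # all times in this example are plain Unix seconds

class ConsentService:
    """Hypothetical consent store: grant, use, revoke and expiry, with an append-only audit trail."""
    def __init__(self):
        self._consents, self._revoked, self.audit = {}, {}, []  # grants, revocation times, audit records
    def _log(self, event, consent_id, at, **detail):
        self.audit.append({"event": event, "consent_id": consent_id, "at": at, **detail})
    def grant(self, consent_id, holder_id, third_party, purpose, scopes, days, now):
        c = Consent(consent_id, holder_id, third_party, purpose, frozenset(scopes), now + days * 86400)
        self._consents[consent_id] = c
        self._log("grant", consent_id, now, third_party=third_party, purpose=purpose, scopes=sorted(c.scopes))
    def revoke(self, consent_id, now):
        self._revoked.setdefault(consent_id, now)  # the earliest revocation time is the one that counts
        self._log("revoke", consent_id, now)
    def authorize(self, consent_id, third_party, scope, now):
        """Allow access only if the grant exists, was issued to the caller, is still live and covers the scope."""
        c = self._consents.get(consent_id)
        failures = [
            (c is None, "unknown consent"),
            (c and c.third_party != third_party, "issued to a different party"),
            (consent_id in self._revoked, "revoked"),
            (c and now >= c.expires_at, "expired"),
            (c and scope not in c.scopes, "scope not granted"),
        ]
        reason = next((why for failed, why in failures if failed), None)  # first failing check wins
        self._log("access", consent_id, now, party=third_party, scope=scope, allowed=reason is None, reason=reason)
        return reason is None

def demo():
    """Constructed scenario: a 90-day, transaction-only consent for one credit application."""
    svc, day, t0 = ConsentService(), 86400, 1_704_067_200  # t0 = 2024-01-01T00:00:00Z
    svc.grant("c-1", "holder-42", "lender-app", "credit application", {"transactions:read"}, 90, t0)
    r = {"in_scope": svc.authorize("c-1", "lender-app", "transactions:read", t0 + day),
         "out_of_scope": svc.authorize("c-1", "lender-app", "accounts:balances", t0 + day),
         "wrong_party": svc.authorize("c-1", "other-app", "transactions:read", t0 + day),
         "expired": svc.authorize("c-1", "lender-app", "transactions:read", t0 + 90 * day)}
    svc.revoke("c-1", t0 + 2 * day)
    r["after_revoke"] = svc.authorize("c-1", "lender-app", "transactions:read", t0 + 3 * day)
    r["audit_events"] = len(svc.audit)  # grant + 5 access decisions + revoke
    return r
```

Every access decision, allowed or refused, lands in the audit list with its reason, which is the record a regulator or internal reviewer would ask for.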
Examples
A credit decisioning product uses open banking to access 90 days of transaction history with the applicant’s consent. The identity layer verifies the applicant matches the account holder. The consent is time-limited and scoped to the credit application only.
Common mistakes
- Requesting more data than the use case requires, reducing user trust.
- Treating consent as a one-time tick-box rather than an ongoing relationship.
- Underestimating the assurance and audit requirements for regulated identity use cases.
- Building without a clear data retention and deletion policy.
Key takeaways
Open banking is a consent and trust infrastructure, not just a data access mechanism. Identity quality determines what decisions can be made and what risk can be managed.
Deep dives
- How consent design shapes open banking risk — consent lifecycle (grant, use, refresh, revoke, expire), PSD2/GDPR/FCA overlap, data scoping, and retention rules
- How to build open banking data products — from transaction data ingestion and categorisation through to scoring, commercial models, and multi-bank consistency
- Identity and trust infrastructure — bank-held KYC as verified identity, trust infrastructure components, assurance levels, and decentralised identity implications
- DirectID context — lessons from building the UK’s first AISP and 13 years of open banking product development
External references
- FDATA — Financial Data and Technology Association, co-founded to lobby for open banking regulation
- Open Banking Excellence — global open banking community co-founded by James Varga
- Innovate Finance — UK fintech industry body, founding member
- Boards and Affiliations — formal roles in open banking and fintech industry bodies
Related pages
- Fintech GTM — commercial system for fintech products
- Procurement and evidence packs — assurance requirements for regulated buyers
- AI in regulated markets — AI operating patterns in regulated environments
- Lessons from a FinTech — practical lessons from fintech operating experience
- Companies — DirectID and Money Dashboard company context
- The perfect storm for identity — PSD2, GDPR, and the identity convergence
- ID2020 Summit — self-sovereign identity and trust online
- Is AI the ‘new oil’? — how identity became the second “new oil”