Safeguarding Your Transactions: The Power of Bank Account Tokenization
September 27, 2024
The payments landscape is changing rapidly in the quest to delight customers, enhance efficiency and ensure security. The use of tokens in place of card numbers (and more recently, demand deposit account (DDA) numbers) is a popular mechanism to protect sensitive customer information. Tokenization is well established for card-based payments, propelled by payment methods such as Apple Pay. With the increase in account-based push payment methods, there is a growing need to secure sensitive bank account numbers. Let’s explore the current state of account number tokenization.
Why tokenize?
Tokens can enhance Open Banking flows by providing a way to protect the underlying account when sharing payment information with third parties, as it is impossible to derive the actual account number from the randomly generated token. Additionally, the token’s usefulness is limited to the context within which it is shared. For the account-holding bank, destroying a token and reissuing a new one is far easier than closing and opening bank accounts.
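The three properties described above (a random token, validity limited to one sharing context, and reissue without touching the account) can be seen in a small vault sketch. This is an added example, not code from this article or from any token service provider; the `TokenVault` class, the 16-digit token length, the context labels and the account values are all assumptions constructed for illustration.

```python
import secrets


class TokenVault:
    """Illustrative in-memory vault (hypothetical, not a real token service API)."""

    def __init__(self):
        self._entries = {}  # token -> (routing, account, context)

    def issue(self, routing, account, context):
        # Token digits come from the OS CSPRNG; nothing is computed from the
        # account number, so the token cannot be reversed without the vault.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._entries:
                break
        self._entries[token] = (routing, account, context)
        return token

    def detokenize(self, token, context):
        if token not in self._entries:
            raise KeyError("unknown or revoked token")
        routing, account, bound_context = self._entries[token]
        if context != bound_context:
            # A token shared with one third party is useless to another.
            raise PermissionError("token not valid in this context")
        return routing, account

    def reissue(self, token):
        # Destroy the old token and mint a new one; the account is untouched.
        routing, account, context = self._entries.pop(token)
        return self.issue(routing, account, context)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample values, not real routing or account numbers.
    old = vault.issue("000000000", "1234567890", "aggregator-a")
    new = vault.reissue(old)
    print("old token:", old, "-> reissued as:", new)
    print("resolves to:", vault.detokenize(new, "aggregator-a"))
```

A production vault would also need durable, access-controlled storage and audit logging, which this sketch leaves out.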
In addition to enhancing account security and reducing fraud risk, tokenization can speed up the payment process, especially for recurring payments. Customers experience less friction when submitting a tokenized payment due to fewer prompts to re-enter bank account details.
Implementation of tokens can also help a bank build customer trust by demonstrating a strong commitment to keeping sensitive account data secure. Prioritizing privacy and data security can improve customer perceptions of a bank and boost customer retention. Consumers may be given more control over their tokenized data, allowing them to manage which entities can access their information and under what conditions.
International token adoption
Countries with an advanced financial sector and established FinTech presence lead in tokenization adoption. Tokenization in the EU and the UK is well established, particularly in support of open banking. Tokenization is in the early stages in many countries throughout Asia, the Middle East, Africa and Latin America. Tokenization adoption is hindered in some areas due to inadequate technological infrastructure, legacy system integration challenges and limited access to digital financial services. Additionally, regions with strict data protection laws (such as the EU, UK and India) push for tokenization as a means of compliance. In the EU, PSD2 (Payment Services Directive 2) and the GDPR (General Data Protection Regulation) have established compliance requirements to ensure privacy and security of customer data. US financial regulators have taken a market-oriented stance, with the CFPB (Consumer Financial Protection Bureau) following a ‘principles-based approach’ for promoting privacy and data security best practices. Regulations in other countries, such as Brazil’s GDPL (General Data Protection Law) and South Africa’s POPIA (Protection of Personal Information Act), encourage tokenization for data security.
Token service providers and acceptance in the US
In the US, TCH (The Clearing House) provides a Token Service to banks to enhance the security of account data sharing and funds transfers. Banks can either connect directly to the Token Service via an API to incorporate tokens into existing data sharing flows or use a third-party technical agent to request tokens and connect to multiple aggregators. For checking or savings account number tokenization, the resulting Tokenized Account Number (TAN) replaces the actual ABA Routing Number and Account Number. The TAN can then be used for secure ACH (Automated Clearing House) or RTP (Real Time Payment) payment requests. Several large banks have successfully implemented DDA tokenization, including Bank of America for online banking services and digital transactions, and Chase for payment systems such as ACH transactions. Key FinTechs or third-party service providers that support tokenization of bank account numbers include Fiserv, PayPal and Stripe.
Tokenization’s role in the payments ecosystem – today and tomorrow
Tokenization has gained popularity in a variety of domains beyond payments, such as protection of health information, digital assets and real-world assets. Within the payments context, tokenization has had a significant impact in protecting card information. Bank account-based payment mechanisms continue to gain popularity, and account numbers, much like card numbers, are considered sensitive information that should be protected. Tokenization offers a proven technique to achieve this protection that ultimately benefits both the bank and the account holder.