Verified Account Token

Protecting Bank Data with Verified Web Tokens

If you don’t have a lot of experience using account tokens to protect bank data, you’re not alone. In our recent webinar, Protecting Bank Data with Verified Account Tokens, 90 percent of audience members we surveyed confessed that they were novices when it came to account tokens.

It’s critical to be aware of tokens though, since they’re increasingly being used to streamline and secure money movement processes and securely retrieve, verify, and share financial data. It’s why we made account tokens the focus of our webinar, and had Lloyd Fernandes, VP, Product Management, Envestnet | Yodlee speak to the benefits and best practices. You can view the on-demand webinar here.

Key Takeaways

The ongoing fraud epidemic

As Lloyd pointed out in our webinar, we all lived through the pandemic, and now we’re living through an ongoing fraud epidemic. Federal Trade Commission (FTC) data shows that consumers reported losing nearly $8.8 billion to fraud – an increase of more than 30 percent over the previous year. Of the more than 5.1 million fraud reports that the FTC received, the majority were related to investment scams and imposter scams.

The average organization now operates four platforms, so it’s not surprising that fraudsters are targeting them. According to PWC’s Global Economic Crime and Fraud Survey, 51 percent of organizations say they experienced fraud in the past two years, and fraudulent transfers to or from platforms accounted for more than three-quarters of these incidents. While the financial losses are severe, so is the damage to a company’s brands and reputations.

From smishing to phishing

Fraudsters are getting even more clever in the ways they obtain financial and personal data. While the names of fraud attacks may sound silly – like smishing and phishing, email and spear phishing, angler phishing, and whaling, obviously the results are anything but.

Financial data that requires protection includes account holder names, account types, full account numbers, full routing numbers, and account balances. Account tokens can be used to protect all of this data.

How data flows through the pipes

piped data

When users sign up for a financial app, the platform or app usually links to the user's bank account or other information to validate the account, confirm there are enough funds, etc. Data aggregation platforms link to various financial institutions to access and retrieve banking data with the user’s permission. Select banking data is then passed on to the consumer app or platform. Users signing up for multiple apps and platforms risk storing their data in multiple places. There's nothing wrong with that until a data breach occurs.

This is where account tokens come in. One effective way to prevent financial fraud associated with bank data is by leveraging account tokens.

So what is an account token, exactly?

Account tokens are formatted like a real account with an associated routing number and a generated account number from the token service provider vault, which is unique to tokens and each bank.

A token service provider (TSP) takes sensitive data like a PIN as an input and generates a surrogate value or token as output. This data and the token are stored in a token vault at the TSP. The result is that a merchant or independent software vendor (ISV) can store the token without worrying about the underlying sensitive data being exposed.

How are account tokens used in the real world?

Here are some examples of how and why account tokens are used:

  • Merchants or independent software vendors (ISV) store tokens instead of raw data within their environment so they don’t have to worry about PII data being exposed.
  • Financial institutions can turn off tokens or re-tokenize in case of fraud, without the inconvenience, hassle, and expense of closing and reopening an account.
  • FinTechs and consumer apps use tokens to simplify complex account verification processes by eliminating the need to store sensitive account information.
  • Token transactions are transparent and flow seamlessly through the network, whether it's a FinTech app, a corporate entity, or a biller. They also provide an additional layer of data protection at rest.

What is the difference between a token and encryption?

A few years ago, the financial services industry turned to encryption to combat fraud. However, this method only secures data at rest, rendering it more vulnerable when decrypted to make a payment and passed along in the payment flow. An account token, on the other hand, not only protects data at rest but also protects data in motion, because even though a token looks and flows through the network just like a real account, it isn’t. If a hacker or a breach happens at any point in the payment flow, it’s useless and can’t be used by an unauthorized party.

While encryption modifies account numbers, a token is a complete replacement of the entire bank account details. It includes routing and account numbers, and can even include ownership information. All of these different attributes are tokenized. You’d get one value for all these different attributes and you can exchange that token for the actual data attributes behind the scene.

Account tokens today and tomorrow

Account tokenization has been around for almost a decade, and has powered the Apple Pay ecosystem and other digital payments. In mid-2023, FedNow, the new real-time payments platform from the Federal Reserve, will be released in phases, and using tokens to mitigate the risks of financial fraud will be critical.

Introducing Secure Token Exchange

Secure Token Exchange (STE) is a new capability available for payments on The Clearing House’s (TCH) Real-Time Payment (RTP®) network. This service issues tokens for financial institutions’ account numbers. These tokens are used like real account numbers in the RTP network, which reduces the need for financial institutions’ account numbers to be stored outside the banking system.

Tokens and Nacha’s validation rule

Account tokens can also help organizations meet Nacha’s (National Automated Clearing House Association) web debit account validation rule. This rule requires ACH originators of WEB debits (internet-initiated transactions) to use a commercially reasonable fraudulent detection system that includes account validation.

Envestnet | Yodlee and account tokens

At Envestnet | Yodlee, we offer account token solutions to securely share the bank account data needed to initiate ACH transfers. Our verification solution utilizes our proprietary and patented technology to verify consumers’ accounts almost instantly while reducing risk, transaction fraud, and consumer onboarding friction.

Some takeaway tips:

Lloyd wrapped up the webinar with these best practices for those interested in tokens:

  • Consider data security and its costs. Think about fraud risks and security from different angles as well as the costs associated with it – like infrastructure, personnel, audits, etc, which continue to go up. Also consider ROI.
  • Focus on core competencies… delegate the rest to the best. If you're building a particular consumer app or feature functionality, focus on that and leave the rest to platforms that do specific tasks better. For example, is data storage beneficial at the end site or could it be pulled in or tapped into? If you rely on an external partner for payment processing, does your payment processor also support account tokens?
  • Stay aligned with best practices. The industry is changing. Bank tokens are being used across real-time payment networks, and larger FIs are trending towards that as well. So with this broad support, is your organization ready to adapt to industry best practices around account tokens? If not, what do you need to make it happen?

To view our whole webinar and hear all the questions the audience asked, click here.

To discuss account tokens and account verification and payment solutions with us, just reach out.