Accountability sits with both the bank and the third party, but the bank remains responsible for how access is granted, scoped, monitored, and revoked. Governance frameworks should define ownership before launch, not after an incident. That is the only way to make external access auditable and enforceable.
Why This Matters for Security Teams
Third-party open banking access is not just a vendor risk problem. It is an identity and authorization problem with regulatory and operational consequences. If a fintech, aggregator, or SaaS partner misuses access, the immediate question is not only who caused the misuse, but who defined the scope, monitored the session, and could revoke it in time. Current guidance from the OWASP Non-Human Identity Top 10 and NHIMG’s Ultimate Guide to NHIs both point to the same operational reality: shared access does not mean shared accountability.
In open banking, responsibility is distributed, but accountability must be explicit. The bank typically owns the control plane for access grant, scope enforcement, monitoring, and revocation, while the third party owns how it uses the access it receives. That distinction matters because misuse often happens through valid credentials and approved interfaces, not through obvious compromise. NHIMG’s research notes that 92% of organisations expose NHIs to third parties, which makes governance before launch far more important than post-incident blame.
In practice, many security teams discover accountability gaps only after a partner has already over-read accounts or replayed permitted APIs in unintended ways, rather than through intentional design of the integration boundary.
How It Works in Practice
Accountability starts with the access model. For open banking integrations, the bank should define the allowed data categories, API scopes, consent boundaries, session duration, and revocation triggers before the third party ever receives production access. That is the practical meaning of owning the authorization decision. The third party remains accountable for using access only within those boundaries, but it cannot be treated as the sole control point because it does not control issuance, visibility, or enforcement at the bank side.
A workable model usually includes:
- pre-approved scopes tied to a specific business purpose, not broad standing access
- time-limited credentials and tokens with clear expiry and renewal rules
- logging that records which party acted, on which account, under which consent
- continuous review for anomalous query patterns, data harvesting, or tool chaining
- documented offboarding so access can be revoked when contracts, consent, or risk posture changes
For identity governance, this aligns with the NHI lifecycle guidance in NHIMG’s Ultimate Guide to NHIs – Key Challenges and Risks, especially where third-party access behaves like a service account or API identity. The bank should also rely on standards-based identity proofs and policy enforcement, not informal trust. That is why OWASP Non-Human Identity Top 10 and current NIST AI Risk Management Framework guidance both emphasize lifecycle control, traceability, and accountable governance.
When this model is implemented well, the bank can answer three questions fast: who approved access, what the third party was allowed to do, and whether the actual use stayed within the approved envelope. These controls tend to break down when contracts define commercial responsibility but leave technical ownership of scopes, tokens, and revocation paths unclear.
Common Variations and Edge Cases
Tighter access control often increases integration overhead, requiring organisations to balance partner friction against auditability and customer experience. That tradeoff becomes especially visible in open banking ecosystems where multiple entities touch the same consented dataset and no single party sees the full transaction path.
There is no universal standard for every accountability dispute yet, but current guidance suggests a few recurring patterns. If the third party is acting strictly as a processor under bank-defined instructions, the bank usually retains primary accountability for access governance. If the third party reuses data for its own purposes, it may become independently accountable for misuse, even if the bank issued the original access. If a sub-processor or downstream API aggregator is involved, responsibility can fragment further, which is why contract language alone is not enough.
Security teams should treat these cases as NHI governance problems, not just legal ones. The strongest practical control is to bind identity, consent, and scope together so the access path is auditable from issuance through revocation. NHIMG’s 52 NHI Breaches Analysis shows how quickly non-human access can become an incident when ownership is vague and revocation lags. In short, the bank can delegate usage, but it cannot delegate responsibility for the access model itself.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Third-party access is an NHI governance and ownership problem. |
| NIST CSF 2.0 | PR.AC-1 | Access approvals and enforcement map directly to identity governance. |
| NIST CSF 2.0 | DE.CM-1 | Misuse detection depends on continuous monitoring of third-party activity. |
Define, approve, and continuously review third-party NHI ownership, scope, and revocation paths.
Related resources from NHI Mgmt Group
- Who is accountable when third-party cloud access is abused in a data breach?
- Who is accountable when third-party access remains active after the task is complete?
- How should banks govern third-party access to open banking APIs?
- Who is accountable when a third-party notices suspicious identity activity first?
