TL;DR: Open finance adoption is accelerating across North America, and Sumsub says sophisticated fraud rose by more than 180% last year, while FDATA now counts more than 30 member firms shaping permissioned data access standards. The practical issue is that consumer-permissioned finance still depends on identity controls that are not yet consistently designed for fraud-resilient delegation and consent.
At a glance
What this is: This is a Sumsub membership update arguing that open finance needs stronger identity verification and fraud controls as consumer-permissioned data access expands.
Why it matters: It matters because IAM, fraud, and governance teams must align identity verification, consent, and access decisions across human users and the non-human systems that move financial data.
By the numbers:
- Open finance adoption is accelerating across North America, and FDATA represents more than 30 financial technology companies and consumer-permissioned data access platforms in the United States and Canada.
- Sumsub says sophisticated fraud rose by over 180% last year, raising the pressure on identity verification in permissioned data access flows.
👉 Read Sumsub's update on joining FDATA to support open finance identity controls
Context
Open finance depends on controlled data sharing, but that model breaks down when identity proofing, consent, and access delegation are handled as separate problems. In practice, consumer-permissioned financial data access becomes an identity governance issue as soon as multiple apps, institutions, and intermediaries touch the same user relationship.
For IAM and fraud teams, the real question is not whether data portability exists. It is whether the identity and access layer can preserve trust when financial data moves across ecosystems that combine human consent, application access, and regulated third-party relationships.
As data portability frameworks such as CFPB Section 1033 gain attention, the operational challenge is to keep permissioned access auditable without turning every transaction into a manual review exercise. That tension is familiar to teams managing delegated access, even when the primary actor is a human consumer rather than an NHI.
Key questions
Q: How should organisations govern consumer-permissioned financial data access?
A: Organisations should govern consumer-permissioned access as a lifecycle problem, not a one-time consent event. That means binding identity proofing, access scope, revocation, and third-party accountability into the same control model. If any of those elements are separate, the user may still have 'given consent' while the system has lost the ability to prove, limit, or withdraw that permission safely.
Q: Why does open finance increase identity verification requirements?
A: Open finance increases verification requirements because the identity check now decides whether data or transaction authority should be released across multiple parties. A weak verification step can turn a valid-looking request into a fraud path. Teams need assurance strong enough to support both data sharing and the governance decisions attached to it.
Q: What do security teams get wrong about permissioned data access?
A: The common mistake is treating permissioned access as a compliance checkbox instead of an operational control. In practice, the hardest part is maintaining scope, monitoring third-party use, and revoking access quickly when risk changes. Without those controls, permissioned access can become persistent access by another name.
Q: How should IAM and fraud teams handle write access in open finance?
A: IAM and fraud teams should treat write access as a higher-risk entitlement with its own policy, verification, and approval path. Write permissions can change account state, create liability, or trigger monetary movement, so they need stronger controls than read access. The safest model is separate governance for observation and action.
Technical breakdown
Consumer-permissioned access and delegated trust
Consumer-permissioned financial data access is a delegated trust model. The user authorises one party to obtain or write data through a chain of APIs, institutions, and intermediaries, which means the security model depends on accurate identity binding, consent scope, and policy enforcement at each handoff. If those controls are weak, the ecosystem may still appear functional while exposing data beyond the original permission boundary. In open finance, the hard part is not moving data. It is proving that the identity attached to the request still matches the permission that was granted.
Practical implication: map every delegated access path to a clear consent owner, access scope, and revocation point.
Fraud resilience in identity verification workflows
Identity verification is doing more work in open finance than simple account sign-in. It sits at the junction of anti-fraud, access eligibility, and regulatory trust, especially when institutions have to distinguish a legitimate consumer from synthetic identities, account-takeover attempts, or credential abuse. When fraud rates rise, the verification layer becomes a control for risk acceptance, not just onboarding. That changes the governance conversation from 'Can we verify this person?' to 'Can we trust this request enough to release data or permit write access?'
Practical implication: treat verification outcomes as access decisions and feed them into downstream policy controls.
Write access is the governance edge
Write access is materially different from read-only access because it can create financial movement, alter account state, or trigger new liability. In open finance ecosystems, write-access workflows require stronger policy design than basic data retrieval because the blast radius of a bad decision is larger and harder to unwind. That is why working groups focused on write access matter: they define where consent, authentication strength, and transaction risk must converge before action is allowed.
Practical implication: separate read and write permissions in policy design and apply stronger controls to write-capable flows.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Zacks Investment Research breach — Zacks breach exposed 12M customer records including credentials.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Open finance is turning consumer consent into an identity governance problem. The article frames secure data access as a trust and compliance issue, but the deeper reality is that consent alone does not govern the full access lifecycle. Once multiple platforms, aggregators, and institutions participate, teams need to know who can act, on whose behalf, and under what revocation conditions. That is classic identity governance, just applied to a cross-ecosystem consent chain rather than a corporate directory.
Fraud-resistant identity verification is now part of the control plane for permissioned data access. Sumsub’s internal fraud signal is a reminder that verification cannot be treated as a one-time onboarding step. In open finance, the verification result determines whether data should move at all, which makes it a policy input rather than a standalone fraud checkpoint. Practitioners should read this as a shift from static identity proofing to continuously relevant access assurance.
Consumer-permissioned access creates a delegated identity model that traditional IAM often models too narrowly. The user is human, but the access path is operationalised by APIs, third parties, and sometimes downstream automation. That means governance has to span human identity, application entitlements, and third-party access lifecycle controls in one view. The field should stop treating open finance as a narrow fintech compliance topic and recognise it as a broader identity delegation pattern.
Write access is the named concept practitioners should watch: the governance edge where consent becomes action. Read access can be tolerated with lighter policy, but write access changes the risk model because it can mutate financial state and create irreversible downstream effects. The governance question is not just whether access was granted, but whether the control framework distinguishes safe observation from actionable authority. Teams should treat write-access policy as a separate governance domain.
From our research:
- NHIs outnumber human identities by 25x to 50x in modern enterprises, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why delegated access problems often persist unseen.
- That visibility gap matters here because open finance ecosystems increasingly rely on third-party and API-mediated access, so teams should compare this topic with Ultimate Guide to NHIs, Key Challenges and Risks.
What this signals
Consumer-permissioned finance will force IAM teams to think beyond user authentication. The control problem shifts toward delegated authority, revocation certainty, and third-party accountability, which are all familiar in NHI governance even when the end user is human. Teams that already struggle with lifecycle visibility will recognise the same pattern in open finance, just expressed through consent APIs and partner ecosystems.
Write-access governance is becoming a boundary issue for identity programmes. When organisations cannot clearly distinguish read-only data sharing from action-capable permissions, their control model is already too coarse. Practitioners should expect stronger scrutiny of consent scope, proofing strength, and operational revocation, especially where regulated financial data can be altered rather than merely viewed.
More than 30 financial technology companies and consumer-permissioned data access platforms are already represented in FDATA, according to the association’s membership profile. That level of ecosystem participation suggests the governance challenge is no longer theoretical. Teams should prepare for broader policy alignment, clearer third-party access lifecycles, and tighter links between fraud detection and access authorisation.
For practitioners
- Map delegated consent chains end to end: Document every party that can receive, transform, or reuse consumer permission in open finance flows. Include revocation triggers, data scopes, and the point where the original consent no longer covers the transaction.
- Separate read and write policy paths: Apply stricter authentication, verification, and approval rules to write-access flows than to read-only access. Use distinct policy logic so a data access grant cannot automatically imply transaction authority.
- Feed fraud signals into access decisions: Treat verification outcomes as inputs to real-time authorisation, not just onboarding records. When fraud confidence changes, the access decision should change with it before data release or write execution.
- Build third-party lifecycle controls for data access partners: Track when aggregators, apps, and platform partners are onboarded, reviewed, downgraded, and offboarded. Permissioned finance fails when external access outlives the business relationship or the approved scope.
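The four practitioner steps above, together with the delegated-trust, verification and write-access points in the technical breakdown, describe one policy decision: is this request still covered by a live consent, an active partner, and a verification outcome strong and fresh enough for the action requested? The following Python policy decision point is an added example written for this post; it is not Sumsub's, FDATA's or NHIMG's code. The consent records, partner lifecycle states, scope naming convention (`resource:verb`), assurance and fraud-risk thresholds and the 15-minute verification freshness window are all constructed assumptions chosen to show the shape of the control, not values from any standard.

```python
"""Policy decision point for consumer-permissioned open finance access (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical thresholds: write access demands stronger proofing, a lower
# tolerated fraud score and a fresh verification; read access is lighter.
READ_MIN_ASSURANCE, READ_MAX_FRAUD = 1, 0.80
WRITE_MIN_ASSURANCE, WRITE_MAX_FRAUD = 2, 0.30
WRITE_VERIFICATION_MAX_AGE = timedelta(minutes=15)


@dataclass
class Consent:
    consent_id: str
    subject: str                 # consumer who granted the permission
    grantee: str                 # app / aggregator acting on their behalf
    scopes: frozenset            # e.g. {"accounts:read", "payments:write"}
    expires_at: datetime
    revoked_at: Optional[datetime] = None


@dataclass
class Partner:
    partner_id: str
    lifecycle_state: str         # onboarded | active | suspended | offboarded


@dataclass
class Verification:
    subject: str
    assurance_level: int         # 1..3, output of proofing/authentication
    fraud_risk: float            # 0.0 (clean) .. 1.0 (confirmed fraud)
    assessed_at: datetime


@dataclass
class Request:
    consent_id: str
    grantee: str
    scope: str                   # "resource:verb"


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # audit trail for the decision


def is_write(scope: str) -> bool:
    """Scope verb decides the policy path; 'write' is the action-capable path."""
    return scope.split(":", 1)[-1] == "write"


def revoke(consent: Consent, at: datetime) -> None:
    """Revocation point: from this instant no request under the consent is honoured."""
    if consent.revoked_at is None:
        consent.revoked_at = at


def decide(req: Request, consent: Optional[Consent], partner: Optional[Partner],
           verification: Optional[Verification], now: datetime) -> Decision:
    d = Decision(allow=False)
    # 1. Consent lifecycle: bound to this grantee, not revoked, not expired.
    if consent is None or consent.consent_id != req.consent_id:
        d.reasons.append("no matching consent"); return d
    if consent.grantee != req.grantee:
        d.reasons.append("grantee does not match consent"); return d
    if consent.revoked_at is not None and consent.revoked_at <= now:
        d.reasons.append("consent revoked"); return d
    if consent.expires_at <= now:
        d.reasons.append("consent expired"); return d
    # 2. Scope containment: a read grant never implies write authority.
    if req.scope not in consent.scopes:
        d.reasons.append(f"scope {req.scope} not granted"); return d
    # 3. Third-party lifecycle: only an active partner may exercise the consent.
    if partner is None or partner.partner_id != req.grantee or partner.lifecycle_state != "active":
        d.reasons.append("partner not in active lifecycle state"); return d
    # 4. Verification outcome is a policy input; the write path is stricter.
    if verification is None or verification.subject != consent.subject:
        d.reasons.append("no verification for consent subject"); return d
    if is_write(req.scope):
        min_assurance, max_fraud = WRITE_MIN_ASSURANCE, WRITE_MAX_FRAUD
        if now - verification.assessed_at > WRITE_VERIFICATION_MAX_AGE:
            d.reasons.append("verification too stale for write access"); return d
    else:
        min_assurance, max_fraud = READ_MIN_ASSURANCE, READ_MAX_FRAUD
    if verification.assurance_level < min_assurance:
        d.reasons.append(f"assurance level {verification.assurance_level} below required {min_assurance}"); return d
    if verification.fraud_risk >= max_fraud:
        d.reasons.append(f"fraud risk {verification.fraud_risk:.2f} at or above threshold {max_fraud:.2f}"); return d
    d.allow = True
    d.reasons.append("allowed")
    return d


def sample_scenarios() -> dict:
    """Constructed scenarios exercising each control; returns {name: Decision}."""
    now = datetime(2026, 6, 8, 12, 0, tzinfo=timezone.utc)
    consent = Consent("c-1", "user-42", "app-budget",
                      frozenset({"accounts:read", "payments:write"}), now + timedelta(days=90))
    partner = Partner("app-budget", "active")
    clean = Verification("user-42", 2, 0.05, now - timedelta(minutes=2))
    risky = Verification("user-42", 2, 0.50, now - timedelta(minutes=2))
    stale = Verification("user-42", 2, 0.05, now - timedelta(hours=3))
    rd, wr = Request("c-1", "app-budget", "accounts:read"), Request("c-1", "app-budget", "payments:write")
    out = {
        "read_clean": decide(rd, consent, partner, clean, now),
        "write_clean": decide(wr, consent, partner, clean, now),
        "read_risky": decide(rd, consent, partner, risky, now),      # read tolerates more risk
        "write_risky": decide(wr, consent, partner, risky, now),     # write does not
        "write_stale": decide(wr, consent, partner, stale, now),
        "scope_escalation": decide(Request("c-1", "app-budget", "transactions:write"),
                                   consent, partner, clean, now),
        "offboarded_partner": decide(rd, consent, Partner("app-budget", "offboarded"), clean, now),
    }
    revoke(consent, now)
    out["after_revocation"] = decide(rd, consent, partner, clean, now)
    return out


if __name__ == "__main__":
    for name, decision in sample_scenarios().items():
        print(f"{name:20s} allow={decision.allow!s:5s} {decision.reasons[0]}")
```

The ordering of the checks is the point: consent validity and scope containment are evaluated before any verification signal is consulted, so a fraud score can never rescue a request that the consumer did not authorise, and a partner's lifecycle state gates the request before assurance is considered. Every denial records a single reason string, which is what makes the decision auditable without manual review.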
Key takeaways
- Open finance is a governance problem as much as a data-sharing model, because consent without lifecycle control does not prevent misuse.
- Rising fraud pressure makes identity verification a policy input, not just an onboarding step, especially when access can lead to financial action.
- Practitioners should separate read and write authority, then build revocation and third-party accountability around the more dangerous path.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Open finance access depends on accurate identity and entitlement decisions. |
| NIST SP 800-63 | Identity proofing and assurance levels | Proofing and authentication assurance matter when financial access is delegated. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust principles apply to API-mediated financial data sharing. |
Use stronger assurance for flows that release sensitive financial data or allow account changes.
Key terms
- Consumer-permissioned access: A delegated access model in which an individual authorises a third party to retrieve or act on financial data on their behalf. The security challenge is not the permission itself, but proving that the scope, duration, and revocation of that permission remain valid across every participating system.
- Write access: A permission that allows a system or application to change account state, initiate financial action, or otherwise mutate records rather than simply read them. In identity governance terms, write access carries a larger blast radius and requires tighter policy, stronger verification, and more explicit accountability than read-only access.
- Identity verification: The process of establishing that a person or entity is who it claims to be before access is granted. In open finance, verification is not just an onboarding control because it directly influences whether data can move, whether a transaction can proceed, and whether downstream parties should trust the request.
- Delegated trust chain: The sequence of systems, intermediaries, and policies that carries a consumer’s permission from the original request to the final data exchange or transaction. This chain is only as strong as its weakest handoff, so governance must cover scope, revocation, and third-party accountability end to end.
Deepen your knowledge
Open finance identity verification and delegated access control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance for consumer-permissioned data access, it is worth exploring.
This post draws on content published by Sumsub: Supporting the open finance ecosystem alongside FDATA members to advance secure, consumer-permissioned financial data access in North America. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org