Building a Tokenized Solution for the Future of Open Banking

What is Tokenization?

Tokenization is the process of converting sensitive data into a non-sensitive equivalent, called a token. The token is a reference that maps back to the sensitive data through a tokenization system. This allows businesses to protect sensitive data while still being able to use it for business purposes.

Tokenization is often used to protect sensitive data such as credit card numbers, social security numbers and other personally identifiable information (PII). It can also be used to protect other types of sensitive data, such as healthcare records, financial data and intellectual property.

There are two main types of tokenization.

• Front-end tokenization: This type of tokenization is performed by the user before the data is transmitted to a server. For example, when you use a credit card to make an online purchase, the merchant may use front-end tokenization to replace your credit card number with a token before it is sent to the payment processor.
• Back-end tokenization: This type of tokenization is performed by the server after the data has been received. For example, a merchant may use back-end tokenization to store customer credit card numbers as tokens in their database.

Benefits of Tokenization

Tokenization has a number of benefits, including:

• Improved data security: Tokenization helps to protect sensitive data from unauthorized access and theft. Even if a token is compromised, the original sensitive data cannot be accessed without the relevant authentication credentials.
• Reduced compliance costs: Tokenization can help organizations to comply with data protection regulations such as the General Data Protection Regulation (GDPR). By tokenizing sensitive data, organizations can reduce the amount of sensitive data that they need to store and protect.
• Improved operational efficiency: Tokenization can help organizations to improve their operational efficiency by reducing the need to manually process sensitive data. For example, a merchant can use tokenization to automate the processing of credit card payments.

What is the Secure Exchange Solution?

Tokenization is the core technology behind the Secure Exchange Solution – our solution for sharing sensitive information between Dwolla’s API and trusted third parties’ APIs. Instead of returning sensitive financial data from the Dwolla API in its original form, we replace it with unique tokens – essentially, secret codes that only Dwolla and its partners can understand. Today, those partners include MX, Plaid, Finicity (Mastercard’s U.S. open banking arm) and Flinks.

For example, let’s say one of our clients wants to use a third party data provider to verify a customers’ bank account ownership before letting them transact on their platform. The client can verify the account information the customer provided with the third party data provider first, then generate a “token” with the provider which encapsulates the necessary permissions that Dwolla needs to obtain sensitive details from the provider. Dwolla then receives and stores that token via an exchange, obtaining authorization to retrieve sensitive data from the provider on behalf of the mutual client.

This approach allows data to be shared without exposing any confidential information, making it significantly more secure compared to traditional data sharing methods. Even if the tokens are intercepted by bad actors as they’re being exchanged, it’s impossible for them to be converted to the original information without the relevant authentication credentials.

In essence, the solution empowers businesses to share data with confidence, safeguards sensitive information, streamlines processes and enhances security in the realm of open banking and financial data exchange.

Creating Flexibility Between Third Party Data Providers

One of our highest priorities when creating the Secure Exchange Solution was building in flexibility that allowed our clients to pick the right combination of third party data providers for their use case.

Our engineering team found that most data providers offer an API endpoint that can be used to verify bank accounts. So, they designed the Secure Exchange Solution to collect and store the information needed to call the endpoint. Then, they created a separate service method to utilize an “exchange” to perform the action needed to create a verified bank account within the Dwolla platform.

Because these pieces of the process are separated out, it’s easy to add new functionality to the Secure Exchange Solution without having to rework the underlying code. For example, if we want to add support for a new data provider, we simply need to add a new service method to return the data needed for that provider. (This also makes it easy for clients to switch data providers if needed. All they have to do is change the request body that defines the creation of the Secure Exchange to designate a different provider. They don’t need to integrate with a new endpoint or write any new code.)

That being said, each data provider has its own unique data requirements, validation requirements and API practices, making it more difficult to create an interoperable solution. To solve this challenge, we created what’s called a “Proxy Model.” Our interface is consistent with what our solution needs from the data providers, and then we create a proxy for each data provider that implements this interface.

Essentially, Dwolla manages additional complexity so that the mutual client doesn’t have to by using a proxy which buries all of the provider-specific logic, such as the data requirements and API practices. When we add a new data provider, we can reuse 80% of the existing code, such as the code for taking in data and returning data from our systems. The only code that we need to write specifically for the new data provider is the code for the proxy. This makes it very efficient to add new data providers to the Secure Exchange Solution.

We are excited to continue to prove the efficiency of the design as we bring more data providers into our network. It is flexible enough to work with a variety of third-party data providers, and it makes the integration process virtually the same for our clients, no matter which data provider they select.

The Future of the Secure Exchange Solution

Right now, the Secure Exchange Solution can be used to verify bank accounts, but it’s capable of so much more. It’s flexible enough to treat everything as a secure exchange.

The Secure Exchange solution prioritizes flexibility that allows us to bring on new data providers without building a new product each time. The agility with which we can add new partners and new functionality to our Secure Exchange solution aligns with one of our core values: We are never done.

In the future, we see the Secure Exchange Solution being used for a variety of purposes, including:

• Verifying bank accounts for new customers
• Performing fraud checks
• Helping with risk assessment
• Accessing other financial data from third-party data providers

The reduction in complexity and time investment on our end allows us to remain nimble and make continuous improvements to the solution. We’re able to knock out a new integration in days and treat expanding functionality as “continuous improvements” rather than an entirely new effort. 

As we grow and expand our offerings, that same flexibility will be offered to our clients and partners. They’ll be able to configure a solution to meet their needs, with everything connecting together under the umbrella of the Secure Exchange Solution.