Open banking has the potential to transform the way we use financial data and consume financial products. But the question of safety and security keeps popping up all too often. The technology has already prompted a mini-revolution and made life much easier. But most consumers are still wondering how safe their financial information will be if they opt in for open banking.
Although open banking is a piece of legislation and looks very shallow when you use the open banking platforms, it’s robust, featuring many layers of protection, as you’re about to see.
Table of Contents
What is Open Banking?
When you open a bank account, you provide the bank with various details and vital information to facilitate the opening of the account. The bank becomes the custodian of this information together with any information regarding your account, such as:
- Your account name
- Your transaction history
- Your regular payments
- Your biggest expenses and income
In 2018, open banking started with the Payments Service Directive, also known as PSD2. Under this regulation, policymakers in the EU and the UK monitored to give consumers and businesses more control over their finances by unlocking payment accounts through trusted third-party providers or TPPs. That’s how open banking was born.
Through open banking, consumers can access their financial data and use it through trusted providers authorised by the FCA.
For instance, you can verify your identity to access budgeting apps or for account aggregation. Businesses can also take and make payments online through open banking. As a result, it’s safer, with fewer costs compared to conventional methods like cards.
Despite the many benefits of Open Banking, security has remained a thorny issue. Because of security concerns, many consumers and businesses have maintained a safe distance from Open banking. The concerns are mainly perceived because consumers don’t fully understand how open banking works. A closer look at the security and safety features could help you better understand the platform.
How Does Open Banking Affect Bank Accounts in the UK?
Open banking doesn’t affect your entire banking experience. You will not notice a difference when using your current account or logging into your online bank account.
But when you use a third-party provider, you will receive a prompt for the provider to access your bank account data. You have to grant them permission before they can access the data. You can later revoke the permission if you can change your mind.
The main objective of open banking is to open up your data and allow you to do more with your bank account with the help of providers.
Who Can Access Your Information Through Open Banking?
The Financial Conduct Authority (FCA) regulates Open Banking in the UK. It’s the same body that regulates banks and other financial services firms. Only businesses regulated by the FCA can connect to customers’ bank accounts to take a payment or read financial data.
A business must receive FCA authorisation to connect with a customer’s accounts through open banking.
The FCA requires businesses to meet multiple technical and data management requirements to receive permission and authorisation. Once authorised, the business must submit regular reporting as confirmation that they are following the rules set by the FCA.
A provider can have two types of open banking access. The kind of access they get depends on their type of business:
- Account Information Service Providers (AISPs) – This type of provider has read-only access. They can fetch financial data from your bank but cannot take a payment. These are usually smart budgeting apps and other financial tools that don’t need to take or send payments.
- Payment Initiation Service Providers (PISPs) – These service providers can read information and take payments on behalf of the customer.
If a business is not regulated or authorised but wants to integrate open banking into its product, it can partner with a regulated third-party provider like Pay iO.
Businesses that meet regulatory requirements and are authorised by the FCA still need explicit consent from the customer to read data or initiate payments. This way, the customer controls:
- The information you want to share
- Which providers do you want to share the information with
- How long do you want the provider to have access to their
Although you might share some of your financial information, you never share your online banking password or login details with a third party.
Also, with open banking, the customer must give explicit consent to the third-party provider for each payment, and the payment must go through a Strong Customer Authentication (SCA).
What Information Can a Third Party Access?
Open banking regulations allow customers to determine the information providers can see and whether or not they can take a payment. Customers can also limit access levels anytime or revoke permissions if they want to.
The type of information a provider can read depends on the service they offer. AISPs can only read specific information for the account to the customer has granted access. The information they can see includes:
- Payment account information includes the account holder’s name, the account number and IBAN.
- Credit card details like the card network, the card’s last four digits, and the card’s name.
- Balances, including current and available balances
- Transactions, including merchant name, amount and description
- Regular payments, standing orders, and direct debits
The exact information the provider can access varies by bank. You can get in touch with your bank to determine the information the bank will allow the provider to access.
On average, customer consent lasts 90 days before expiry. However, the UK is changing the rules to allow customers to reconfirm consent after 90 days.
How Do You Know if a Third-party is Authorised to Access Your Information?
Before consenting to share financial data with third-party providers, you should check if they are authorised to access your information by the FCA. The FCA keeps a register of approved providers. The register is available online. You can check it at any time on the FCA website.
You can search the website using the company name or by reference number. You can also check what permissions the provider has from the FCA. You can also view a switchboard number if you want to confirm you’re dealing with the right company.
How Safe is Consumer Data Through Open Banking?
Now, to address the elephant in the room, how safe is customer data through open banking? The short answer is consumer data is very safe through open banking.
Open banking providers access customer data through Application Programming Interfaces (APIs). They’re a tried and proven technology used in the wider digital economy. APIs are designed to provide secure connections between customer accounts and TPPs.
APIs are different from legacy methods like screen scraping. You never have to share any credentials. You only need to grant access to your account by authenticating directly with your bank through a secure API.
Also, Open Banking has several safeguards in place that protects your data. These safeguards include;
- Data control – Open banking follows data privacy requirements and expectations. It allows for clear access controls for data holders and the user. TPPs can’t access your data without your express consent. That’s the first layer of security.
- Secure data access and transmission – After consenting, there’s a second layer of safety and security that covers the access and transmission of data. This is where secure APIs with proven technology and safety features come in. One of the commonly used security features at this level is data encryption.
- Data minimisation – Open banking puts you in control of the data. You can choose how much or how little data you want to share or opt not to share any data at all.
For the avoidance of doubt, PSD2 regulations place the responsibility of meeting all privacy and data protection laws on open banking providers. The TPPs must comply with all the security regulations relevant to their operations. Regional regulators regularly run checks and audits to ensure the providers follow the rules.
How Safe are open Banking Payments?
Customers hoping to use open banking for payment initiation might be worried about the safety of their payments. Although the payments handled through open banking are not considered deposits and, therefore, not protected under the FSCS, the payments are still safe.
Open banking payments have four characteristics that make them extremely safe:
-
Strong Customer Authentication
Every payment uses a strong SCA. Before customers can make payments using open banking, they are sent back to their bank app for strong authentication, usually using biometrics. The bank confirms who they are and is authorised to make the payment.
-
No sensitive details are shared
During an open banking payment, your sensitive details are not shared with the merchant, unlike card payments. There’s nothing that could facilitate unauthorised payments that are shared. Open banking only communicates with your bank to pass on payment instructions in the background using a secure channel (the API).
-
Payment instructions are pre-populated
Customers using open banking for payment don’t need to enter the business details they are paying. The open banking provider has the details already entered and controls where the money goes. This reduces the chances of human error and customers being tricked into sending money to the wrong recipient.
-
Open bank providers must complete due diligence with merchants
Open bank providers enter into a commercial contract with merchants and businesses when they decide to take payments for them. They are legally obligated to undertake due diligence on the business as part of that contract. This reduces the chances of bad merchants using open banking to commit fraud.
Also, open banking payments are set up to ensure the provider has a relationship with consumers and obligations towards them. For instance, the provider has to respond to complaints or any payment issues the consumer raises.
Does Open Banking Offer other Consumer Protections?
Although no online purchases are 100% risk-free, open banking is safe by design. If anything goes wrong, are you protected in any way? If yes, by whom?
There are protections for customers in open banking. Some of the protections include the following;
- The UK provides strong legal protections for customers using open banking payments through Payment Services Regulations. For example, the provider can be instructed to pay if your money is taken without your authorisation, or the payment doesn’t get to the recipient.
- Open banking providers must have a complaints procedure in place. If customers are unhappy with how the payment is handled, they have an avenue to air their grievances. If the customer is not happy with how the complaint is handled, they can escalate the case to the Ombudsman for resolution and possible award compensation.
- Also, there are legal protections for customers under the Consumer Rights Act 2015 (Buyer Protection) should something go wrong with the purchase.
Open banking protection covers more than just the customer. Businesses are also protected against chargeback fraud. Unlike credit cards, there’s no mechanism for chargeback in open banking because it doesn’t suffer the same vulnerabilities as cards. With no chargebacks, businesses don’t run the risk of chargeback fraud.
Open banking has a strong regulatory foundation with robust security features. It’s a safe way to share financial data and make payments.
Can You Opt Out of Open Banking?
Customers can limit access to the provider at any time. They can even revoke permissions entirely. For account information services, the customer’s consent lasts for 90 days, after which it expires. If the customer consents to an open banking payment, the consent only applies to that payment. You have to consent again for another payment.
Is Open Banking Safe?
So, is open banking safe? The platform is designed to offer high levels of security and protection for customers, TPPs and banks against fraud and scams.
The FCA has an updated list of all providers where you can confirm if the provider you’re dealing with is authorised to access your financial data, and you never have to share your login details with a third party.
If you’re not comfortable, you can withdraw permissions at any time. All matters considered, open banking is safe and secure. It offers advanced security and safety features to fight fraud and protect data from unauthorised access while enhancing accessibility and technology penetration in the finance sector.
