If you’re considering integrating open banking into your app or website, you’ll want to know how safe it is.
But to understand how safe open banking is, you first need to understand how it works.
What is open banking?
Open banking started with the Second Payments Service Directive (PSD2). Under this regulation, policymakers in the UK and EU made a commitment to give consumers and businesses more control over their finances by unlocking payment accounts via trusted third party providers (TPPs).
Open banking enables consumers to access their financial data so they can make use of it through trusted providers — for example, so they can easily verify their identity, access smart budgeting apps or account aggregation services.
Open banking has also created a new, secure way for businesses to take payments online, which is safer and less costly than incumbent methods like cards.
Security has been a priority for open banking from the beginning. Because of this, businesses and consumers who use it benefit from important security features, which we’ll cover in this article.
Who can access customers’ financial data through open banking?
Only businesses that are regulated can connect to customers’ bank accounts to read financial data or take a payment.
In the UK, open banking is regulated by the Financial Conduct Authority (FCA), which also regulates banks and other financial services firms. Businesses that want to connect to customers' accounts via open banking must receive FCA authorisation, meaning they have explicit permission from the regulator and meet multiple technical and data management requirements. They must also submit regular reporting to confirm they're following the rules.
There are two different types of open banking ‘access’ that a provider can have. Account information service providers (AISPs) have ‘read-only’ access, meaning they can fetch financial information but not take a payment. Payment initiation service providers (PISPs) can take a payment on behalf of a customer.
Businesses that are not regulated can integrate open banking into their products and services by partnering with a regulated third party provider like TrueLayer. To find out more, read our guide to open banking regulation in the UK.
Even if your business has regulatory permission to use open banking, you can only do so if your customer gives explicit consent.
In this way, customers control:
what information they share
which providers they share it with
for how long those providers have access.
Plus, customers never need to share their online banking password or login details with a third party.
When it comes to open banking payments, customers must give explicit consent to the TPP for each payment and every payment must go through strong customer authentication.
What information can third parties see?
Customers determine what information their providers can see and whether or not they may take a payment. They can limit levels of access at any time and they can revoke permissions entirely if they so choose.
When it comes to account information services (read-only access), if a customer consents, a third party will be able to read the following only for the specific payment account that the customer has granted access to:
Payment account: account holder name, account number, IBAN
Credit card: card network, last four digits, name on card
Transactions: description, amount, category, merchant name
Balances: current, available
Regular payments: standing orders and direct debits
Exact information that a provider may access varies by bank. For more information on this, talk to your open banking provider.
Customer consent lasts only for 90 days before it expires. In the UK, the rules are changing to allow customers to simply reconfirm consent after 90 days.
If a customer has consented to an open banking payment, that does not by itself allow the third party to read financial information. To do that, the customer must also consent to account information services.
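The consent rules described in this section can be expressed as an access check that a provider runs before every data read: the consent must be live, within its 90-day lifetime, scoped to the specific account, and cover the data category requested, and a payment consent on its own must never unlock read access. The example below is an added illustration, not TrueLayer's code or any bank's API; the data model, permission names, account identifiers and timestamps are constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

CONSENT_LIFETIME = timedelta(days=90)  # expiry period stated in the article


@dataclass(frozen=True)
class ReadConsent:
    """AISP (read-only) consent: which accounts, which data categories, from when."""
    account_ids: frozenset          # accounts the customer explicitly selected
    permissions: frozenset          # e.g. {"balances", "transactions"}
    granted_at: datetime
    revoked: bool = False           # customer may revoke at any time

    def expires_at(self) -> datetime:
        return self.granted_at + CONSENT_LIFETIME


@dataclass(frozen=True)
class PaymentConsent:
    """PISP consent for one specific payment. It grants no read access at all."""
    account_id: str
    amount_pence: int
    payee_id: str


def check_read(consent, account_id: str, permission: str, now: datetime):
    """Decide whether a data read may proceed. Returns (allowed, reason)."""
    if not isinstance(consent, ReadConsent):
        # A PaymentConsent (or no consent) never authorises account information reads.
        return False, "no account-information consent"
    if consent.revoked:
        return False, "consent revoked by customer"
    if now >= consent.expires_at():
        return False, "consent expired (90-day limit)"
    if account_id not in consent.account_ids:
        return False, "account not in consented scope"
    if permission not in consent.permissions:
        return False, "permission not granted"
    return True, "ok"


def demo():
    """Run the check against constructed consents; each key is one scenario."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)        # constructed grant time
    later = t0 + timedelta(days=10)
    consent = ReadConsent(frozenset({"acc-1"}), frozenset({"balances", "transactions"}), t0)
    payment_only = PaymentConsent("acc-1", 1999, "merchant-42")
    return {
        "in_scope": check_read(consent, "acc-1", "balances", later),
        "other_account": check_read(consent, "acc-2", "balances", later),
        "no_permission": check_read(consent, "acc-1", "regular_payments", later),
        "expired": check_read(consent, "acc-1", "balances", t0 + CONSENT_LIFETIME),
        "revoked": check_read(replace(consent, revoked=True), "acc-1", "balances", later),
        "payment_only": check_read(payment_only, "acc-1", "balances", later),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:14s} allowed={allowed!s:5s} {reason}")
```

Only the first scenario is allowed; every other request is refused with a reason that can be logged and shown to the customer. Keeping read and payment consents as separate types makes the "payment consent does not imply read access" rule a property of the code rather than something each caller has to remember.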
How safe is customer data through open banking?
The short answer is very safe. Open banking providers access customer data through technology called application programming interfaces (APIs). They’re a proven technology used in the broader digital economy, designed to provide a secure connection between TPPs and customers’ accounts.
Unlike with legacy methods like screen scraping, consumers never have to share any credentials with the open banking provider. They simply grant access to their accounts by authenticating directly with their bank through secure APIs.
Open banking ensures:
Control of data: open banking technology allows for clear access controls for both users and data holders, in line with data privacy requirements and expectations.
Secure data access and transmission: open banking and APIs are a secure and proven technology.
Data minimisation: open banking puts the user in control of their data. Users can choose how much or how little of their data is shared.
Under PSD2, open banking providers are responsible for meeting all privacy and data protection laws wherever they offer services. They must also comply with relevant security regulations, with regional regulators providing audits and checks at regular intervals.
Can customers opt out of open banking?
Customers can limit levels of access at any time and can even revoke permissions entirely.
In the case of account information services, customer consent lasts for 90 days before it expires. In the UK, the rules are changing to allow customers to simply reconfirm consent after 90 days.
If a customer has consented to an open banking payment, that consent applies only for that one payment.
Variable recurring payments are being developed in the UK which will enable a customer to give consent for future payments to be taken under specific conditions.
How safe are open banking payments?
Open banking payments have four characteristics which make them inherently safe:
Every payment uses strong customer authentication (SCA)
When a customer makes a payment using open banking, they are always sent to their bank's app to strongly authenticate, usually with biometrics. This means their bank checks that they are who they say they are using a combination of factors: possession, inherence and/or knowledge.
No sensitive details are shared
Unlike with card payments, no sensitive details are shared with the merchant during an open banking payment — there is nothing to intercept, steal or leak that could lead to unauthorised payments.
Instead, open banking providers securely communicate with the customer’s bank to pass on payment instructions in the background and initiate the payment.
Payment instructions are pre-populated
When a customer chooses to pay a business using open banking, they don’t need to enter the payee details. Instead the open banking provider pre-populates the details and controls where the money goes. This removes human error and the risk of customers being tricked into sending the money to a fraudster.
Open banking providers onboard and carry out due diligence with merchants
When an open banking provider enables payments for a merchant or other business, they enter into a commercial contract with that business and undertake due diligence on the business as part of that. This reduces the likelihood that bad actor merchants would use open banking to commit fraud.
Open banking payments are also set up in a way that ensures the provider has a relationship with the consumer and obligations towards them, such as responding to any complaints or payment issues that are raised.
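The four characteristics above (SCA, no shared sensitive details, provider-controlled payee, onboarded merchants) translate into concrete checks a provider's payment initiation step can enforce. The example below is an added illustration, not TrueLayer's code or any bank's API; the factor names, merchant records, sort code and account number are constructed for the example, and the rule that SCA needs two factors from different categories is the usual reading of "possession, inherence and/or knowledge".

```python
from dataclasses import dataclass

# SCA factor categories named in the article; the factor labels are constructed.
FACTOR_CATEGORY = {
    "device_possession": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
    "pin": "knowledge",
    "password": "knowledge",
}


def sca_satisfied(factors) -> bool:
    """Strong customer authentication: at least two factors from distinct categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2


@dataclass(frozen=True)
class Merchant:
    """A merchant onboarded after due diligence; its payee account is fixed at onboarding."""
    merchant_id: str
    payee_sort_code: str
    payee_account: str


@dataclass
class PaymentConsent:
    """Consent for exactly one payment to one merchant for one amount."""
    consent_id: str
    merchant_id: str
    amount_pence: int
    used: bool = False


# Constructed merchant directory standing in for the provider's onboarding records.
MERCHANTS = {"merchant-42": Merchant("merchant-42", "01-02-03", "12345678")}


def initiate_payment(consent, merchant_id, amount_pence, factors, requested_payee=None):
    """Build a payment instruction only when every safeguard holds. Returns (instruction, reason)."""
    if consent.used:
        return None, "consent already used: one consent covers one payment"
    if merchant_id != consent.merchant_id or amount_pence != consent.amount_pence:
        return None, "request does not match the consented payment"
    merchant = MERCHANTS.get(merchant_id)
    if merchant is None:
        return None, "merchant not onboarded"
    payee = (merchant.payee_sort_code, merchant.payee_account)
    if requested_payee is not None and requested_payee != payee:
        # The payee is pre-populated from the merchant record; caller-supplied payees are never honoured.
        return None, "payee override rejected: provider controls the payee"
    if not sca_satisfied(factors):
        return None, "strong customer authentication not satisfied"
    consent.used = True
    # No card number or bank credential appears in the instruction; only the reference to the consent.
    return {"consent_id": consent.consent_id, "payee": payee, "amount_pence": amount_pence}, "ok"


def demo():
    """Exercise the safeguards with constructed inputs; each key is one scenario."""
    consent = PaymentConsent("c-1", "merchant-42", 1999)
    strong = ["device_possession", "fingerprint"]
    return {
        "weak_sca": initiate_payment(consent, "merchant-42", 1999, ["pin", "password"]),
        "ok": initiate_payment(consent, "merchant-42", 1999, strong),
        "replay": initiate_payment(consent, "merchant-42", 1999, strong),
        "tampered_payee": initiate_payment(PaymentConsent("c-2", "merchant-42", 1999),
                                           "merchant-42", 1999, strong,
                                           requested_payee=("99-99-99", "00000000")),
        "unknown_merchant": initiate_payment(PaymentConsent("c-3", "merchant-x", 500),
                                             "merchant-x", 500, strong),
    }


if __name__ == "__main__":
    for name, (instruction, reason) in demo().items():
        print(f"{name:16s} {reason} {instruction or ''}")
```

Two knowledge factors (PIN plus password) do not pass the SCA check because they share a category; the same consent cannot be replayed for a second payment; and a payee supplied by the caller is ignored in favour of the one recorded at merchant onboarding.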
Does open banking offer other consumer protections?
Open banking payments are safe by design, but no online purchase is 100% risk-free. In the event that something does go wrong with a payment, are customers protected?
The short answer is yes. Here are some of the protections that apply:
The Payment Services Regulations in the UK provide strong legal protections for customers using open banking payments — for example, if their money is taken without their authorisation or if the payment does not reach the recipient they instructed the provider to pay.
Open banking providers must have complaints procedures in place in case a customer is not happy with how their payment has been handled. If the customer is not satisfied with how the complaint is handled, they have the right to escalate the case to the Ombudsman, who can award compensation.
When something goes wrong with the purchase itself (so-called 'buyer protection'), customers have legal protections under the Consumer Rights Act 2015.
As a business, you are also protected against chargeback fraud. It’s estimated that up to 86% of chargebacks could be fraudulent — either intentional or unintentional. Unlike with card payments, there is no ‘chargeback’ mechanism for open banking payments since they don’t suffer from the same vulnerabilities as cards. With no chargebacks, there can be no chargeback fraud.
With its strong regulatory foundations and established security features, open banking is one of the safest ways to pay and share financial data. And it has plenty of other advantages for merchants and consumers alike.