Is open banking safe?
Tuesday 10 May 2022, 5 minute read
What is open banking?
Open banking is a general term used to describe the process of banks and other financial institutions opening up data for regulated providers to access and use. On the face of it, open banking may not seem safe. However, it is safer than it sounds: banks build dedicated infrastructure for the data they provide so that it can be shared without introducing security risks.
Open banking is a practice by which banks give third-party financial service providers open access to consumer banking, transaction and other data held by the bank, through the use of an application programming interface (API).
Customers are usually required to provide consent for their bank to allow such access. The data is always ‘read-only’ but it can allow third-party companies to look at the account details, such as the transaction history.
Open banking is often used by modern financial tech start-ups that rely on the data to provide their service, whether that is accounting software which automatically imports your transactions, or a software platform which analyses your expenses and recommends a budget.
How does open banking work?
As stated, open banking relies entirely on application programming interfaces (APIs). An API is a structured method by which one program requests data or actions from another, allowing two pieces of software to speak to one another.
In open banking, the API acts as a defined interface through which a third party can access data such as an account holder’s name, account type and currency. It is up to the bank to build and implement these APIs; once it has done so, a business can begin accessing them and building products and services on top of them. The end-users of these products are small businesses, individuals and large corporations.
How is open banking kept safe?
As with a lot of financial technology these days, there is an element of scepticism about how safe open banking is for users. At its core, open banking has security in mind: it is created and implemented by the banks themselves, which means security is the central concern throughout its design.
The end-consumer is always the decision maker in terms of who has access to their data via open banking. Nobody should therefore have unauthorised access, and any access that has been granted can be revoked by the user at any time.
If any fraudulent payments do get through the stringent security measures, then the bank or building society will cover the lost money under appropriate circumstances.
In addition to this, open banking products and services are fully regulated by the Financial Conduct Authority (FCA) and consumers are also protected by their relevant data protection laws as well as the Financial Ombudsman Service.
Banking has changed significantly in recent years alongside the increase in cyber security risks. Many new regulations and pieces of legislation are being implemented to make sure that the personal data of consumers is kept safe and secure. In Europe, the PSD2 legislation specifically enforces data protection and privacy requirements for these APIs.
Which businesses provide open banking services?
Open banking itself is provided by most banks in the UK. The top 9 largest banks and building societies (known as the CMA9) are required to make their data available through open banking. These banks are:
AIB Group UK (trading as First Trust Bank in Northern Ireland)
Bank of Ireland UK
Barclays Bank
HSBC Group (including First Direct and M&S)
Lloyds Banking Group (including Bank of Scotland and Halifax)
Nationwide Building Society
NatWest Group (including NatWest, Royal Bank of Scotland and Ulster Bank NI)
Northern Bank Limited (trading as Danske Bank)
Santander UK
Beyond this, there are other banks and building societies who choose to take part in open banking, but this isn’t by requirement. These are currently:
Arbuthnot Latham & Co Limited
BFC Bank
C Hoare & Co
Clydesdale Bank
Contis
Coutts & Company
Coventry Building Society
Creation Financial Services
Cynergy Bank
Ghana International Bank
Hargreaves Lansdown Savings
ICBC (London)
Industrial and Commercial Bank of China
Investec
MBNA
Metro Bank
Mizuho Bank
NewDay
Permanent TSB
Prepay Technologies
Project Imagine
Revolut
Sainsbury’s Bank
SG Kleinwort Hambros Bank
Starling Bank
Tesco Bank
The Co-operative Bank
The Governor and Company of the Bank of Ireland
The Royal Bank of Scotland
The Royal Bank of Scotland International
Tide Platform
TSB Bank
Vanquis Bank
Virgin Money
Wirepayer
Yorkshire Building Society
This list of banks taking part in open banking is only likely to grow in the near future. Beyond the banks providing the data, new businesses offering open banking services appear on an almost weekly basis. It should be noted that only regulated businesses like Crezco are able to use the data sources provided by open banking.
Crezco can help
We process account-to-account payments for free and settle them instantly. They’re more secure than card payments and we can process higher amounts, up to £1,000,000 per transaction. Find out about how Crezco works, why we’re free, and how we can help you by getting in touch.
What is the role of the banks in open banking?
The banks are the initiators of open banking, in the sense that they need to create and manage the APIs through which their customers’ data travels. This also means they primarily determine the level of security controls in place. It is essential that the banks meet all relevant regulatory standards in order to keep their customers’ data safe and out of the reach of nefarious hands.
Who can access customers’ financial data through open banking?
Only regulated businesses authorised by the Financial Conduct Authority (FCA) can connect to customers’ bank accounts.
There are two types of providers that can access open banking data:
An Account Information Service Provider (AISP) offers a service that consolidates information from multiple payment accounts into a single, easily accessible online platform for customers.
A Payment Initiation Service Provider (PISP) is a type of financial institution that facilitates online payments directly from the customer's bank account.
If a customer has explicitly consented to an open banking payment, they still need to consent separately to any read-access requests.
Customers control:
the data to share
the providers they want to share data with
the time those providers have access to the data
Customer consent is valid for 90 days, after which it expires; the customer then needs to reconfirm their consent for access to continue.
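The consent model described above (customer-chosen data and providers, a separate consent for read access and for payments, a 90-day lifetime and revocation at any time) can be made concrete in code. The following Python sketch is an added example, not part of the original article and not Crezco’s or any bank’s implementation; the provider and account identifiers are constructed, and the `ConsentStore` class and its methods are hypothetical names used only for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Consent lifetime from the article: 90 days, then the customer must reconfirm.
CONSENT_VALIDITY = timedelta(days=90)


class Scope(Enum):
    """The two kinds of access the article describes."""
    ACCOUNT_INFO = "account-info"              # AISP: read-only account data
    PAYMENT_INITIATION = "payment-initiation"  # PISP: initiate a payment


@dataclass
class Consent:
    provider_id: str        # hypothetical identifier of the regulated provider
    scopes: frozenset       # which kind of access the customer granted
    accounts: frozenset     # which accounts the customer chose to share
    granted_at: datetime
    revoked_at: Optional[datetime] = None

    @property
    def expires_at(self) -> datetime:
        return self.granted_at + CONSENT_VALIDITY


@dataclass
class Decision:
    allowed: bool
    reason: str


class ConsentStore:
    """Bank-side record of what each customer has agreed to share (hypothetical)."""

    def __init__(self) -> None:
        self._consents: list[Consent] = []

    def grant(self, provider_id: str, scopes, accounts, now: datetime) -> Consent:
        consent = Consent(provider_id, frozenset(scopes), frozenset(accounts), now)
        self._consents.append(consent)
        return consent

    def revoke(self, provider_id: str, now: datetime) -> int:
        """Customer withdraws a provider's access; returns how many consents were revoked."""
        count = 0
        for c in self._consents:
            if c.provider_id == provider_id and c.revoked_at is None:
                c.revoked_at = now
                count += 1
        return count

    def authorise(self, provider_id: str, scope: Scope, account_id: str, now: datetime) -> Decision:
        """Check one API request against the customer's consents; first failure reason wins."""
        matching = [c for c in self._consents if c.provider_id == provider_id]
        if not matching:
            return Decision(False, "no consent for this provider")
        reason = None
        for c in matching:
            if c.revoked_at is not None:
                reason = reason or "consent revoked"
            elif now >= c.expires_at:
                reason = reason or "consent expired after 90 days; reconfirmation required"
            elif account_id not in c.accounts:
                reason = reason or "account not included in consent"
            elif scope not in c.scopes:
                reason = reason or f"scope {scope.value} not granted"
            else:
                return Decision(True, "allowed")
        return Decision(False, reason)


def demo() -> dict:
    """Walk through the situations the article describes with constructed data."""
    t0 = datetime(2022, 5, 10, tzinfo=timezone.utc)
    store = ConsentStore()
    # Customer shares two accounts, read-only, with a budgeting app.
    store.grant("aisp-budget-app", {Scope.ACCOUNT_INFO}, {"acc-current", "acc-savings"}, t0)
    # Customer approves a payment via a PISP; this does not grant read access.
    store.grant("pisp-checkout", {Scope.PAYMENT_INITIATION}, {"acc-current"}, t0)
    day1 = t0 + timedelta(days=1)
    results = {
        "read_ok": store.authorise("aisp-budget-app", Scope.ACCOUNT_INFO, "acc-current", day1),
        "read_other_account": store.authorise("aisp-budget-app", Scope.ACCOUNT_INFO, "acc-credit-card", day1),
        "pisp_tries_read": store.authorise("pisp-checkout", Scope.ACCOUNT_INFO, "acc-current", day1),
        "unknown_provider": store.authorise("unknown-app", Scope.ACCOUNT_INFO, "acc-current", day1),
        "after_90_days": store.authorise("aisp-budget-app", Scope.ACCOUNT_INFO, "acc-current", t0 + timedelta(days=90)),
    }
    store.revoke("aisp-budget-app", t0 + timedelta(days=2))
    results["after_revoke"] = store.authorise("aisp-budget-app", Scope.ACCOUNT_INFO, "acc-current", t0 + timedelta(days=3))
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'ALLOW' if decision.allowed else 'DENY'} ({decision.reason})")
```

Every denial carries a reason, so the bank can log exactly why a provider’s call was refused (unknown provider, wrong account, a payment consent being used for reads, expiry, or revocation), which is the kind of audit trail a customer-controlled consent model needs.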
The FCA and open banking
The FCA is the main legislative power in the UK, and it is using this power to steer the evolution of open banking into a broader model of open finance. All related open banking products and services are regulated by the FCA, which means that if any potential weaknesses emerge, the FCA is there to tighten controls so that they do not recur.
If you wish to start a business providing open banking based services, becoming regulated by the FCA and obtaining ‘regulatory status’ is an essential part of the process. To make becoming a provider easier, there is an open banking sandbox in which you can test your systems. Because open banking is fully regulated by the FCA, apps and services cannot be used until they have obtained regulatory status. Consumers can therefore be confident that any service they sign up to is safe to approve for data access.
The FCA is a strong advocate of open banking and believes the wider open finance landscape could offer significant benefits to consumers through improved advice and access to a broader array of financial products. Given this advocacy, it is certainly in the FCA’s interest to make sure that open banking continues to be safe for all consumers.
Who is liable for unauthorised payments?
The bank itself remains liable for any authorised payments made on a user’s account. In the case of unauthorised transactions, the bank must refund the amount of the unauthorised payment transaction to the customer and restore the customer's account to the state it would have been in had the unauthorised payment not taken place.
How to stay safe with open banking
You should always be aware of potential fraud with open banking (and with anything relating to your personal details in general). Fraudsters use many techniques to try to gain access to bank accounts. As some basic ways to stay safe when using open banking, follow these rules:
Always check that the third party you are sharing your data with is FCA authorised and approved. This means that it is regulated by the FCA, which checks that the business works to a high financial security standard. You can do this by searching for the company in the FCA register. In theory, no company with open banking access should be without FCA authorisation.
When you share your data through an open banking API, you should always be redirected to your bank’s own website to log in to your online banking. Take the time to confirm that the site you have been redirected to is legitimate before entering your credentials.
Learn more: Is Crezco safe?