Open banking: sharing your financial data

We explain what open banking offers, the risks and how to share your data or use Pay By Bank safely
Chiara Cavaglieri, Senior researcher & writer

What is open banking?

Wouldn't it be handy to log into one website, or open one app on your phone, and see all of your accounts – all of your current accounts, credit cards and savings – in one place?

Thanks to an initiative called 'open banking', that is now possible. 

Since 2018 the biggest banks have been required to open up their data, including Allied Irish Bank, Bank of Ireland, Barclays, Danske, HSBC (including First Direct), Lloyds Banking Group (including Halifax and Bank of Scotland), Nationwide, NatWest Group (including RBS and Ulster Bank) and Santander.

Developers of mobile and web applications can 'plug in' to your current account data in a secure and standardised way, if you give them permission to do so.

Open banking technology is popping up at checkouts too, letting you pay directly from your bank account when shopping with big names such as Booking.com, JustEat and Ryanair.

It's usually called Pay by Bank, though you may spot other names such as ‘pay with my bank account’, ‘online bank payment’ or ‘UK online bank transfer’ instead. 

Here we explain the benefits of open banking, how to make the most of it, and how to keep your data safe.

How can banks share my data through open banking?

Banks can share customer data by publishing what's known as 'open APIs' or application programming interfaces.

This technology is already used by many well-known companies to provide integrated digital services.

For example, Uber integrates with Google Maps so that customers can request a ride without having to switch to the Uber app, while travel app Citymapper connects to Transport for London data.

What are the benefits of open banking?

The aim is to encourage innovation and improve competition, by making it easier for you to manage multiple financial products and pay companies directly from your bank account. 

For example, HMRC has partnered with Ecospend (owned by a regulated provider called Trustly) to let taxpayers pay their bills directly from their bank account using open banking technology, and there are budgeting apps that let you bring all of your financial accounts together.

If you’ve tried budgeting apps such as Emma, Plum and Snoop – which link multiple financial accounts in one dashboard – you’ve already used open banking.

Ultimately, open banking could allow you to manage all of your financial accounts and household bills through a single digital platform, with the option of allowing apps to 'plug in' and offer more personalised and intuitive services.

An app might help you avoid charges or boost your savings by automatically moving money between various accounts. Open banking could also spur action in other markets, by encouraging you to look at your energy or phone bills.

How do I use open banking to share my data?

Once you've given consent to a third party using open banking, you'll be redirected to your online or mobile banking login page where you'll enter your security details directly – crucially, these details won't be shared with the third party when you do this.

You should see a list of any firms you've given consent to via online or mobile banking, and you can stop sharing data at any time.

Do I have to share my banking data?

No, if you don't want to share your data, you don't have to. Third-party providers will need your explicit permission before they access your data through open APIs.

That means you don't have to opt-out – if you do nothing, your data will not be shared without your consent.

What is 'Pay by Bank'?

If you see 'Pay By Bank' at the checkout (it may be called something similar such as 'Pay with my bank account' or 'online bank transfer') it means you can pay that business directly from your bank account using open banking technology, instead of a card or another payment method like PayPal. 

Once you've clicked the relevant button, you select your current account provider from a dropdown menu. You'll then be redirected to your bank's app or website, where you log in as normal eg using fingerprint ID. 

You will be asked to approve or decline the payment before being sent back to the retailer, where the purchase is confirmed. At the time of writing, only Metro Bank and The Co-operative Bank were unavailable when we tried to use Pay by Bank at various retailers.

Unlike a manual bank transfer, you don’t need to add any payee details as the details will be pre-populated, which reduces the chance of making a mistake. 

Pay by Bank is used predominantly for one-off payments. However, the plan is to enable repeated payments for regular bills and subscriptions, as a transparent, flexible alternative to direct debits. These variable recurring payments are being tested with utility companies, financial services and government agencies first, before being rolled out more widely.

Do I lose any payment protections with 'Pay by Bank'?

Yes, if you use open banking to make a payment to a business directly from your bank account – instead of using a debit or credit card – you lose Section 75 and chargeback. 

Under Section 75 of the Consumer Credit Act, your credit card provider is jointly and severally liable for any breach of contract or misrepresentation by the retailer or trader. It covers primary card holders for credit card payments of £100 to £30,000. 

Chargeback applies to credit and debit card purchases of any value, though it's not enshrined in law and each scheme (run by Visa, Mastercard and Amex) has its own rules.

You don't have these purchase protections when using open banking because you are making a direct bank transfer, not a card payment. 

However, bank transfers to UK accounts are eligible for the new mandatory reimbursement scheme for authorised push payment (APP) fraud if you are tricked into sending money to a scammer. 

How to use open banking safely in four steps

  1. Stay alert to scams, such as fake websites claiming to offer Pay by Bank to steal your login credentials or rogue apps posing as open banking services. You should always be directed to your bank’s official app or website. 
  2. Check the third-party firm is authorised to offer open banking services by searching the Open Banking Directory, which provides a list of regulated firms and authorised apps at openbanking.org.uk.
  3. The Financial Services Register will also tell you if a firm is authorised by the Financial Conduct Authority (FCA) to carry out account information sharing services, payment initiation services, or both. See register.fca.org.uk.
  4. Revoke consent if you want to stop sharing your data or cancel a recurring payment with a regulated third party. You can do this via your bank account – look for ‘open banking’ or ‘connections’ in your bank’s app or website.

How do I check a firm is authorised to offer open banking services?

Banks and third-party providers can only 'talk' to each other via the 'Open Banking Directory'.

This is the IT platform which makes it possible for them to exchange information securely via open APIs. To be enrolled on the directory, banks and providers must be appropriately regulated.

There is an online directory of regulated firms enrolled in open banking and you can search for financial products using the open banking system at the official Open Banking App Store. It's worth noting that banks may explicitly state in their terms and conditions that you are responsible for checking that any third-party provider you want to use is authorised, not the bank.

The Financial Services Register will also tell you if a third-party provider is registered and authorised to carry out one or both of these two activities:

  • Account information sharing services such as budgeting apps and price comparison sites that let you view accounts from multiple providers in one place;
  • Payment initiation services that allow you to instruct payments to be made directly out of your bank account, as an alternative to using a third party such as a Visa debit card or PayPal.

How do I complain about an open banking provider?

If you have a complaint about a provider, you will still have access to:

If you decide you no longer want a third-party provider to have access to your data, you should be able to easily revoke consent.

Participating banks and building societies should provide an 'authorisation dashboard' where you can see a list of providers with permission to access your account data. You can withdraw permissions whenever you wish to, at the press of a button.

Third-party providers are also being encouraged to offer a dashboard that lets customers easily review and revoke their consent.

Who is liable for fraud in open banking?

If you notice a payment that you didn't authorise, ask your bank to refund you, even if that payment has been initiated through a third-party provider.

Your bank must refund you immediately, unless it has grounds to suspect fraud or negligence. If the third party was at fault, the bank can recover the funds from them.

It may be more difficult to get reimbursed by your bank if you share your data with a firm that isn't regulated, or if you fall victim to an authorised push payment (APP) scam – where fraudsters trick you into making a payment into an account under their control.

Every fraud case should be assessed individually, so take your complaint to the Financial Ombudsman Service (FOS) if your bank refuses to reimburse you.

Will my open banking data be safe?

Regulated firms aren't immune from cyberattacks and bank account transactions can include highly sensitive personal data about spending habits, political affiliations, medical care, family and friends.

And with a complicated chain of providers sharing access to your data, multiple parties could be potentially liable for loss of a personal customer's data through error, attack, or fraud.

The issue of 'consent' needs to be looked at carefully, so that consumers understand exactly what they are agreeing to when they share their data.

This is particularly important when apps or services combine open banking with other methods of data sharing. For example, if an app uses the open banking API to access current account data, but has to rely on screen-scraping to access data for other products such as mortgages and credit cards, it's vital that the distinction between the two is made clear.

Which? will be watching closely to make sure financial and data regulators work hard to safeguard consumers in this context, and build trust in these new services.

What should I do if my data is leaked?

Any regulated third-party provider you share data with is responsible for ensuring any personal data they process, store or transfer is appropriately and securely protected.

You can complain directly to the third-party provider you shared your data with in the first instance, and if they don't resolve the issue, you can lodge a complaint with the Financial Ombudsman Service. You can also lodge a complaint with the Information Commissioner's Office.

What is the future of open banking?

The big banks wouldn't let you share your data if they weren't being forced to, but some (publicly at least) have embraced these changes.

That said, it's still too early to say whether many consumers will take advantage of open banking. It's worth remembering that Midata – the government's previous attempt to encourage switching by opening up banking data – failed to have any meaningful impact.

Next steps include bringing in mortgages, savings, pensions and investments, not just banking data (referred to as 'open finance'). Ultimately, open banking could expand across sectors such as energy, retail telecoms and transport (the 'smart data economy').

The industry will be keeping a close eye on tech giants such as Google, Facebook, Apple and Amazon, all of which have the status to transform the payments and banking industry using banking customer data. In the future, it could be tech firms that manage every aspect of your finances, and banks could be relegated to holding your salary and nothing else.

Such a complicated chain of providers potentially sharing access to sensitive data means the data and financial regulators face a difficult task to ensure consumers and businesses are safe from scammers, mistakes and data breaches.