What is open banking?
Wouldn’t it be handy to log into one website, or open one app on your phone, and see all of your accounts - all of your current accounts, credit cards and savings - in one place?
Thanks to an initiative called ‘open banking’, that is now possible.
Developers of mobile and web applications are now able to ‘plug in’ to your current account data in a secure and standardised way, if you give them permission to do so.
In January 2018, the Competition and Markets Authority (CMA) forced the nine largest UK current account providers (Allied Irish Bank, Bank of Ireland, Barclays, Danske, HSBC, Lloyds Banking Group, Nationwide, RBS Group, Santander) to open up their data.
Here we explain the benefits of open banking, how to make the most of it, and how to keep your data safe.
Open banking and PSD2
Open banking complements a set of rules introduced across the European Union - under the second Payment Services Directive (PSD2) - that require banks, building societies and other financial providers to let customers easily and securely share their financial data, including transaction history and spending behaviour, with other banks and regulated third-party providers.
PSD2 covers all payments accounts, including current accounts, flexible savings accounts, e-money accounts and credit cards, assuming you can manage all of these products online or via a smartphone app.
How can banks share my current account data through open banking?
Banks can share customer data by publishing what’s known as ‘open APIs’ or application programming interfaces.
This technology is already used by many well-known companies to provide integrated digital services.
For example, Uber integrates with Google Maps so that customers can request a ride without having to switch to the Uber app, while travel app Citymapper connects to Transport for London data.
What are the benefits of open banking?
The aim is to encourage innovation and improve competition - by making it easier for you to pay companies directly and manage multiple financial products.
- HMRC has partnered with Ecospend to let taxpayers pay their bills directly from their bank account using open banking technology.
- Barclays added an open banking feature to its mobile banking app in September 2018, enabling customers to securely view the balances and transactions of other current accounts they hold when they log into their Barclays app.
- Money Dashboard and other budgeting apps let you bring all of your financial accounts together in one app and offer tools and spending analysis to help you manage your money.
- Newcastle Building Society announced it will trial 'multi-bank transaction terminals' at two branches enabling customers to access accounts with other banks using the open banking network.
Ultimately, open banking could allow you to manage all of your financial accounts and household bills through a single digital platform, with the option of allowing apps to ‘plug in’ and offer more personalised and intuitive services.
An app might help you avoid charges or boost your savings by automatically moving money between various accounts. Open banking could also spur action in other markets, by encouraging you to look at your energy or phone bills.
Open banking vs screen-scraping
APIs aren't the only way to share your banking data with personal finance apps such as Chip (which automatically diverts spare cash to a savings account based on your spending habits) and Bud or Moneyhub (which let you view all of your accounts, cards, loans and investments in one place).
Money apps may also ask you to hand over your bank login details and give them permission to collect or ‘screen-scrape’ the data. Essentially, they pose as you, the customer, which can expose you to fraud.
One key benefit of open banking APIs is that you can authorise third-party access without having to reveal your login details to anyone other than your bank.
Sharing data via APIs is also more secure than screen-scraping because you know exactly what information is being shared and can more easily revoke access.
Screen-scraping is being phased out, but some third-party apps and websites still rely on this method of accessing your data.
For example, at launch, HSBC's Connected Money used screen-scraping to access all data other than its own, despite being pitched as an 'open banking app' in many publications.
Barclays and Lloyds Banking Group have launched similar apps; however, these exclusively use open banking APIs - which is why you can only view current accounts from specific providers.
If you do decide to use a third-party app that uses screen-scrapers instead of APIs, it's important that you trust them to have access to your accounts.
What is the future of open banking?
The big banks wouldn't let you share your data if they weren't being forced to, but some (publicly at least) have embraced these changes.
The big high-street banks will be keeping a close eye on tech giants such as Google, Facebook, Apple and Amazon, all of which have the status to transform the payments and banking industry using banking customer data.
In the future, it could be the tech firms that manage every aspect of your finances, and banks could be relegated to holding your salary and nothing else.
That said, it’s still too early to say whether many consumers will take advantage of open banking. It’s worth remembering that Midata - the government’s previous attempt to encourage switching by opening up banking data - failed to have any meaningful impact.
Banks need to fix accessibility data
Banks are required to publish data about their branches via these APIs - including whether their ATMs are wheelchair accessible, or branches have induction loops for the hard-of-hearing.
However, when Which? looked at the public data supplied by the nine largest UK banks in July 2021, we found that most have published unreliable information about accessibility.
As banks use this API data to feed into their mobile apps or websites, they risk giving customers false information.
A CMA spokesperson said: ‘We take suggestions of banks not meeting their open banking obligations to provide data on ATMs’ accessibility very seriously, and will coordinate with the Open Banking Implementation Entity (OBIE) about this.’
How do I use open banking?
Once you've given consent to a third party using open banking, you'll be redirected to your online banking login page where you’ll enter your security details directly - crucially, these details won’t be shared with the third party when you do this.
Watch the video below to see an example of adding an account to an app that uses open banking APIs (in this case, Yolt).
You should see a list of any firms you've given consent to via online banking, and you can stop sharing data at any time.
Do I have to share my banking data?
No, if you don’t want to share your data, you don’t have to. Third-party providers will need your explicit permission before they access your data through open APIs.
That means you don’t have to opt-out - if you do nothing, your data will not be shared without your consent.
How do I check a firm is authorised to offer open banking services?
The OBIE or Open Banking Implementation Entity (which has been set up by the CMA to deliver open banking) told Which? that banks and third-party providers can only ‘talk’ to each other via the 'Open Banking Directory'.
This is the IT platform which makes it possible for them to exchange information securely via open APIs. To be enrolled on the directory, banks and providers must be appropriately regulated.
There is an online directory of firms enrolled in open banking, all of which are regulated. It's worth noting that banks may explicitly state in their terms and conditions that you are responsible for checking that any third-party provider you want to use is authorised, not the bank.
The OBIE then launched the Open Banking App Store in June 2020 to make it easier to search for financial products using the open banking system.
The Financial Services Register will also tell you if a third-party provider is registered and authorised to carry out one or both of these two activities:
- Account information sharing services such as budgeting apps and price comparison sites that let you view accounts from multiple providers in one place.
- Payment initiation services that allow you to instruct payments to be made directly out of your bank account, as an alternative to using a third party such as a Visa debit card or PayPal.
How do I complain about an open banking provider?
If you have a complaint about a provider, you will still have access to:
- the Financial Ombudsman Service if you have a dispute or complaint that you can’t get resolved;
- or the Financial Services Compensation Scheme if they go bust.
If you decide you no longer want a third-party provider to have access to your data, you should be able to easily revoke consent.
The nine participating banks and building societies should provide an ‘authorisation dashboard’ where you can see a list of providers with permission to access your account data. You can withdraw permissions whenever you wish to, at the press of a button.
Third-party providers are also being encouraged to offer a dashboard that lets customers easily review and revoke their consent.
Who is liable for unauthorised payments in open banking?
If you notice a payment that you didn’t authorise, you can make a claim from your bank, even if that payment has been initiated through a third-party provider.
Your bank must refund you immediately, unless they have grounds to suspect fraud or negligence. If the third party was at fault, the bank can recover the funds from them.
However, Which? is concerned that open banking could lead to a higher number of authorised push payment (APP) scams, where fraudsters trick account holders into making a payment or transfer, often by posing as their bank or the police.
Screen-scraping and fraud
As we explained above, open banking is a better way to share your data than screen-scraping because you don't need to share your account login details directly.
Banks can't block screen-scraping; however, they could refuse to refund fraud losses if you choose to share login details with a firm that isn't authorised and regulated by the FCA (check this on the Financial Services Register) or another European regulator.
Will my open banking data be safe?
Open banking should give you greater control over your money, but it raises critical questions about data privacy, security, and financial exclusion.
Regulated firms aren’t immune from cyberattacks, as evidenced by the 2017 Equifax data breach, and bank account transactions can include highly sensitive personal data about spending habits, political affiliations, medical care, family and friends.
And with a complicated chain of providers sharing access to your data, multiple parties could potentially be liable for loss of a personal customer’s data through error, attack, or fraud.
The issue of ‘consent’ needs to be looked at carefully, so that consumers understand exactly what they are agreeing to when they share their data.
This is particularly important when apps or services combine open banking with other methods of data sharing. For example, if an app uses the open banking API to access current account data, but has to rely on screen-scraping to access data for other products such as mortgages and credit cards, it's vital that the distinction between the two is made clear.
Which? will be watching closely to make sure financial and data regulators work hard to safeguard consumers in this context, and build trust in these new services.
What should I do if my data is leaked?
The OBIE says that any regulated third-party provider you share data with is responsible for ensuring any personal data they process, store or transfer is appropriately and securely protected.
You can complain directly to the third-party provider you shared your data with in the first instance, and if they don't resolve the issue, you can lodge a complaint with the FOS. You can also lodge a complaint with the Information Commissioner’s Office.