What is open banking?
Wouldn’t it be handy to log into one website, or open one app on your phone, and see all of your accounts - all of your current accounts, credit cards and savings - in one place?
Thanks to a new initiative called ‘open banking’, that should be possible.
In January 2018, the Competition and Markets Authority (CMA) forced the nine largest UK current account providers (Allied Irish Bank, Bank of Ireland, Barclays, Danske, HSBC, Lloyds Banking Group, Nationwide, RBS Group, Santander) to open up their data.
This means developers of mobile and web applications are able to ‘plug in’ to your current account data in a secure and standardised way, if you give them permission to do so.
So, what’s open banking all about? In this guide, find out:
How will banks share my current account data through open banking?
Banks will be able to share customer data by publishing what’s known as ‘open APIs’ or application programming interfaces.
They were told to be ready to do this by 13 January 2018, although the CMA had to grant an extension for six of the big nine.
This technology is already used by many well-known companies to provide integrated digital services.
For example, Uber integrates with Google Maps so that customers can request a ride without having to switch to the Uber app, while travel app Citymapper connects to Transport for London data.
Open banking complements a new set of rules being introduced across the European Union - under the second Payment Services Directive (PSD2) - that require banks, building societies and other financial providers to let customers easily and securely share their financial data, including transaction history and spending behaviour, with other banks and regulated third-party providers.
PSD2 covers all payments accounts, including current accounts, flexible savings accounts, e-money accounts and credit cards, assuming you can manage all of these products online or via a smartphone app.
What are the benefits of open banking?
The aim is to encourage innovation and improve competition, by making it easier for you to hold multiple accounts and compare or switch financial products.
For now, open banking only applies to personal and small business accounts, although it will eventually be extended to cover other online payment products, such as credit cards and e-wallets.
Ultimately, it could allow you to manage all of your financial accounts and household bills through a single digital platform, with the option of allowing apps to ‘plug in’ and offer more personalised and intuitive services.
For example, an app might help you avoid charges or boost your savings by automatically moving money between various accounts. Open banking could also spur action in other markets, by encouraging you to look at your energy or phone bills.
Open banking vs screen-scraping
APIs aren't the only way to share your banking data with personal finance apps such as Chip (which automatically diverts spare cash to a savings account based on your spending habits) and Bud or Moneyhub (which let you view all of your accounts, cards, loans and investments in one place).
Money apps may also ask you to hand over your bank login details and give them permission to collect or ‘screen-scrape’ the data. Essentially, they pose as you, the customer, which can expose you to fraud.
One key benefit of open banking APIs is that you can authorise third-party access without having to reveal your login details to anyone other than your bank.
Sharing data via APIs is also more secure than screen-scraping because you know exactly what information is being shared and can more easily revoke access.
Screen-scraping is being phased out, but some third-party apps and websites still rely on this method of accessing your data.
For example, at launch, HSBC's Connected Money used screen-scraping to access all data other than its own, despite being pitched as an 'open banking app' in many publications.
Barclays and Lloyds Banking Group have launched similar apps; however, these exclusively use open banking APIs - which is why you can only view current accounts from specific providers.
If you do decide to use a third-party app that uses screen-scrapers instead of APIs, it's important that you trust them to have access to your accounts.
How do I use open banking?
Once you've given consent to a third party using open banking, you'll be redirected to your online banking login page where you’ll enter your security details directly - crucially, these details won’t be shared with the third party when you do this.
Watch the video below to see an example of adding an account to an app that uses open banking APIs (in this case, Yolt).
You should see a list of any firms you've given consent to via online banking, and you can stop sharing data at any time.
Do I have to share my banking data?
No, if you don’t want to share your data, you don’t have to. Third-party providers will need your explicit permission before they access your data through open APIs.
That means you don’t have to opt-out - if you do nothing, your data will not be shared without your consent.
Will open banking be a flop, like Midata?
The big high-street banks will be keeping a close eye on tech giants such as Google, Facebook, Apple and Amazon, all of which have the status to transform the payments and banking industry once they have access to banks’ customer data.
In the future, it could be the tech firms that manage every aspect of your finances, and banks could be relegated to holding your salary and nothing else.
That said, it’s too early to say whether many consumers will take advantage of open banking, although it’s worth remembering that Midata - the government’s previous attempt to encourage switching by opening up banking data - failed to have any meaningful impact.
The big banks wouldn't let you share your data if they weren't being forced to, but a few seem less reluctant than others to (publicly at least) embrace the upcoming changes.
For instance, Barclays added an open banking feature to its mobile banking app in September 2018, enabling customers to securely view the balances and transactions of other current accounts they hold when they log into their Barclays app. For now, it can only link accounts held with Lloyds, Halifax, Bank of Scotland, RBS, NatWest, Nationwide or Santander.
How do I check a firm is authorised to offer open banking services?
The OBIE or Open Banking Implementation Entity (which has been set up by the CMA to deliver open banking) told Which? that banks and third-party providers can only ‘talk’ to each other via the 'Open Banking Directory' - the IT platform which makes it possible for them to exchange information securely via open APIs - and to be enrolled on the directory, they must be appropriately regulated.
There is now a list of firms enrolled in open banking, all of which are regulated. It's worth noting that banks may explicitly state in their terms and conditions that you are responsible for checking that any third-party provider you want to use is authorised, not the bank.
You can also use the Financial Services Register to see if a third-party provider is registered and authorised to carry out one or both of these two activities:
- Account information sharing services such as budgeting apps and price comparison sites that let you view accounts from multiple providers in one place.
- Payment initiation services that allow you to instruct payments to be made directly out of your bank account, as an alternative to using a third party such as a Visa debit card or PayPal.
And, if you have a complaint about a provider, you will still have access to:
- the Financial Ombudsman Service if you have a dispute or complaint that you can’t get resolved;
- or the Financial Services Compensation Scheme if they go bust.
If you decide you no longer want a third-party provider to have access to your data, you should be able to easily revoke consent.
The nine participating banks and building societies should provide an ‘authorisation dashboard’ where you can see a list of providers with permission to access your account data. You can withdraw permissions whenever you wish to, at the press of a button.
Third-party providers are also being encouraged to offer a dashboard that lets customers easily review and revoke their consent.
Who is liable for unauthorised payments in open banking?
If you notice a payment that you didn’t authorise, you can make a claim from your bank, even if that payment has been initiated through a third-party provider.
Your bank must refund you immediately, unless they have grounds to suspect fraud or negligence. If the third party was at fault, the bank can recover the funds from them.
However, Which? is concerned that open banking could lead to a higher number of authorised push payment (APP) scams, where fraudsters trick account holders into making a payment or transfer, often by posing as their bank or the police.
Our super-complaint on bank-transfer scams has called on the Payment Systems Regulator to ensure banks better protect customers who are tricked into sending money to a fraudster.
Screen-scraping and fraud
As we explained above, open banking is a better way to share your data than screen-scraping because you don't need to share your account login details directly.
Banks can't block screen-scraping; however, they could refuse to refund fraud losses if you choose to share login details with a firm that isn't authorised and regulated by the FCA (check this on the Financial Services Register) or another European regulator.
What are the security risks to open banking?
Open banking should give you greater control over your money, but it raises critical questions about data privacy, security, and financial exclusion.
Even regulated firms aren’t immune from cyberattacks, as evidenced by the recent Equifax data breach, and bank account transactions can include highly sensitive personal data about spending habits, political affiliations, medical care, family and friends.
The OBIE says: ‘The regulated third-party provider the consumer has given their consent to for sharing their data with, is responsible for ensuring any personal data they process, store or transfer is appropriately and securely protected.
‘The consumer can directly complain to the third-party provider in the first instance, and should this not resolve the issue, they can lodge a complaint with the FOS. They can also lodge a complaint with the Information Commissioner’s Office.’
But, with a complicated chain of providers sharing access to your data, multiple parties could be potentially liable for loss of a personal customer’s data through error, attack, or fraud.
The issue of ‘consent’ needs to be looked at carefully, so that consumers understand exactly what they are agreeing to when they share their data.
This is particularly important when apps or services combine open banking with other methods of data sharing.
For example, if an app uses the open banking API to access current account data, but has to rely on screen-scraping to access data for other products such as mortgages and credit cards, it's vital that the distinction between the two is made clear.
Which? will be watching closely to make sure financial and data regulators work hard to safeguard consumers in this context, and build trust in these new services.
Open banking for small businesses
Small businesses (SMEs) are also set to benefit from open banking, and we have a good idea of what this might look like thanks to an initiative called the ‘Open Up Challenge’.
Launched in February 2017 by UK charity Nesta, and backed by the CMA, this called on fintechs and start-ups to propose apps and services for small businesses.
The 20 successful entrants received a £50,000 up-front development grant and were given access to a ‘Data Sandbox’, containing anonymised UK banking transaction datasets and open APIs, to help develop their products in line with the new standards for open banking.
Ten winners were announced in December 2017, earning £100,000 for developing products deemed most likely to have a positive impact on UK small businesses, including: account aggregation app Bud; freelancer current account provider Coconut; alternative lender iwoca;
The competition regulator asked the eight largest SME banking providers to provide the funding for this challenge (Allied Irish Bank, Bank of Ireland UK, Barclays, Danske, HSBC, Lloyds Banking Group, RBS Group, Santander).