Open banking and Pay by Bank: sharing your financial data safely

We explain what open banking offers, the risks and how you can use it to share your data or make payments directly from your bank account
Chiara CavaglieriSenior researcher & writer

Chiara is an award-winning investigative reporter who specialises in banking and fraud, joining Which? in 2015 following six years as a personal finance journalist at a national newspaper.  

In this article

What is open banking?

Open banking lets trusted companies 'plug in' to your current account data in a secure and standardised way, if you give them permission to do so.

If you’ve tried budgeting apps such as Emma, Plum and Snoop – which link multiple financial accounts in one dashboard – you’ve already used open banking. 

Open banking technology is popping up at checkouts too, letting you pay directly from your bank account when shopping with big names such as Booking.com, JustEat and Ryanair. 

It's usually called Pay by Bank, though you may spot other names such as ‘pay with my bank account’, ‘online bank payment’ or ‘UK online bank transfer’ instead. 

Here we explain the benefits of open banking, how to make the most of it, and how to keep your data safe.

Make your money work harder

Get the best deals, avoid scams, and grow your savings with expert guidance. Save 25% now, only £36.75 for a year.

Join Which? Money

Offer ends 30 September 2025

Use open banking safely in four steps

  1. Stay alert to scams, such as fake websites claiming to offer Pay by Bank to steal your login credentials or rogue apps posing as open banking services. You should always be directed to your bank’s official app or website. 
  2. Check the third-party firm is authorised to offer open banking services by searching the Open Banking Directory which provides a list of regulated firms and apps authorised at openbanking.org.uk
  3. The Financial Services Register will also tell you if a firm is authorised by the Financial Conduct Authority (FCA) to carry out account information sharing services, payment initiation services, or both. See register.fca.org.uk
  4. Revoke consent if you want to stop sharing your data or cancel a recurring payment with a regulated third party. You can do this via your bank account – look for ‘open banking’ or ‘connections’ in your bank’s app or website.

How does open banking work?

Since 2018 the biggest banks have been required to open up their data: Allied Irish Bank, Bank of Ireland, Barclays, Danske, HSBC (and subsidiary First Direct), Lloyds Banking Group (including Halifax and Bank of Scotland), Nationwide, NatWest Group (including RBS and Ulster Bank) and Santander.

Banks share customer data by publishing what's known as 'open APIs' or application programming interfaces.

This technology is already used by many well-known companies to provide integrated digital services.

For example, Uber overlaps with Google Maps so that customers can request a ride without having to switch to the Uber app, while travel app Citymapper connects to Transport for London data.

What are the benefits of open banking?

The aim is to encourage innovation and improve competition, by making it easier for you to manage multiple financial products and pay companies directly from your bank account. 

For example, HMRC has partnered with Ecospend (owned by a regulated provider called Trustly) to let taxpayers pay their bills directly from their bank account using open banking technology and there are budgeting apps that let you bring all of your financial accounts together. 

Ultimately, open banking could allow you to manage all of your financial accounts and household bills through a single digital platform, with the option of allowing apps to 'plug in' and offer more personalised and intuitive services.

An app might help you avoid charges or boost your savings by automatically moving money between various accounts. Open banking could also spur action in other markets, by encouraging you to look at your energy or phone bills.

How to check an open banking firm is authorised

Banks and third-party providers can only 'talk' to each other via the 'Open Banking Directory'.

This is the IT platform which makes it possible for them to exchange information securely via open APIs. To be enrolled on the directory, banks and providers must be appropriately regulated.

There is an online directory of regulated firms enrolled in open banking and you can search for financial products using the open banking system at the official Open Banking App Store. It's worth noting that banks may explicitly state in their terms and conditions that you are responsible for checking that any third-party provider you want to use is authorised, not the bank.

The Financial Services Register will also tell you if a third-party provider is registered and authorised to carry out one or both of these two activities:

  • Account information sharing services such as budgeting apps and price comparison sites that let you view accounts from multiple providers in one place;
  • Payment initiation services that allow you to instruct payments to be made directly out of your bank account, as an alternative to using a third party such as a Visa debit card or PayPal.

How to share your banking data 

Once you've given consent to a regulated third party using open banking, you'll be redirected to your online or mobile banking login page where you'll enter your security details directly – crucially, these details won't be shared with the third party when you do this.

You should always understand exactly what you are agreeing to when you share your data, so don't proceed if this isn't clear.

You should see a list of any firms you've given consent to via online or mobile banking, and you can stop sharing data at any time.

Participating banks and building societies should provide an 'authorisation dashboard' where you can see a list of providers with permission to access your account data. You can withdraw permissions whenever you wish to, at the press of a button.

Third-party providers may also offer a dashboard that lets you easily review and revoke your consent.

Do I have to share my banking data?

No, if you don't want to share your data, you don't have to. Third-party providers will need your explicit permission before they access your data through open APIs.

That means you don't have to opt-out – if you do nothing, your data will not be shared without your consent.

How to use Pay by Bank 

If you see 'Pay By Bank' at the checkout (it may be called something similar such as 'pay with my bank account' or 'online bank transfer') it means you can pay that business directly from your bank account using open banking technology, instead of a card or another payment method like PayPal. 

Once you've clicked the relevant button, you select your current account provider from a dropdown menu. You'll then be redirected to your bank's app or website, where you log in as normal eg using fingerprint ID. 

You will be asked to approve or decline the payment before being sent back to the retailer, where the purchase is confirmed. At the time of writing, only Metro Bank and The Co-operative Bank were unavailable when we tried to use Pay by Bank at various retailers.

Unlike a manual bank transfer, you don’t need to add any payee details as the details will be pre-populated, which reduces the chance of making a mistake. 

Pay by Bank is used predominantly for one-off payments. However, the plan is to enable repeated payments for regular bills and subscriptions, as a transparent, flexible alternative to direct debits. These variable recurring payments are being tested with utility companies, financial services and government agencies first, before being rolled out more widely.

Do I lose payment protections with 'Pay by Bank'?

Yes, if you use open banking to make a payment to a business directly from your bank account – instead of using a debit or credit card – you lose Section 75 and chargeback.

Under Section 75 of the Consumer Credit Act, your credit card provider is jointly and severally liable for any breach of contract or misrepresentation by the retailer or trader. It covers primary card holders for credit card payments of £100 to £30,000. 

Chargeback applies to credit and debit card purchases of any value, though it's not enshrined in law and each scheme (run by Visa, Mastercard and Amex) has it's own rules. 

You don't have these purchase protections when using open banking because you are making a direct bank transfer, not a card payment.

However, bank transfers to UK accounts are eligible for the new mandatory reimbursement scheme for authorised push payment (APP) fraud if you are tricked into sending money to a scammer.

Be more money savvy

free newsletter

Get a firmer grip on your finances with the expert tips in our Money newsletter – it's free weekly.

This newsletter delivers free money-related content, along with other information about Which? Group products and services. Unsubscribe whenever you want. Your data will be processed in accordance with our Privacy policy.

Open banking and scams

Open banking is broadly a safe way to share your financial data and make payments. But, regulated firms aren't immune from cyberattacks. 

If you notice a payment that you didn't authorise, ask your bank to refund you, even if that payment has been initiated through a third-party provider.

Your bank must refund you immediately, unless it has grounds to suspect fraud or negligence. If the third-party was at fault, the bank can recover the funds from them.

It may be more difficult to get reimbursed by your bank if you share your data with a firm that isn't regulated, or if you fall victim to an authorised push payment (APP) scam – where fraudsters trick you into making a payment into an account under the control. 

Every fraud case should be assessed individually so take your complaint to the Financial Ombudsman Service (FOS) if your bank refuses to reimburse you. 

Open banking and data leaks

Any regulated third-party providers you share data with is responsible for ensuring any personal data they process, store or transfer is appropriately and securely protected.

Bank account transactions can include highly sensitive personal data about spending habits, political affiliations, medical care, family and friends.

There could also be a complicated chain of providers sharing access to your data, multiple parties could be potentially liable for loss of a personal customer's data though error, attack, or fraud. 

You should directly complain to the third-party provider you shared your data with in the first instance, and if they don't resolve the issue, you can lodge a complaint with the Financial Ombudsman Service (FOS). 

You can also lodge a complaint with the Information Commissioners Office.

The future of open banking

It's still too early to say whether open banking is a huge success. It's worth remembering that Midata – the government's previous attempt to encourage switching by opening up banking data – failed to have any meaningful impact.

Next steps include bringing in mortgages, savings, pensions and investments, not just banking data (referred to as 'open finance'). Ultimately, open banking could expand across sectors such as energy, retail telecoms and transport (the ‘smart data economy').

The industry will be keeping a close eye on tech giants such as Google, Facebook, Apple and Amazon, all of which have the status to transform the payments and banking industry using banking customer data. In the future, it could be that tech firms that manage every aspect of your finances, and banks could be relegated to holding your salary and nothing else.

Such a complicated chain of providers potentially sharing access to sensitive data means the data and financial regulators face a difficult task to ensure consumers and businesses are safe from scammers, mistakes and data breaches.

Which? will be watching closely to make sure they safeguard consumers in this context, and build trust in these services.

More on this

About Us

Which? Limited is registered in England and Wales to 2 Marylebone Road, London NW1 4DF, company number 00677665  and is an Introducer Appointed Representative (FRN 610689) of the following:


1. Inspop.com Ltd for the introduction of non-investment motor, home and travel insurance, who are authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, and travel insurance products (FRN310635). Inspop.com Ltd is authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel insurance products (FRN310635) and is registered in England and Wales to Greyfriars House, Greyfriars Road, Cardiff, South Wales, CF10 3AL, company number 03857130. Confused.com is a trading name of Inspop.com Ltd. 


2. LifeSearch Partners Limited (FRN656479), for the introduction of Pure Protection Contracts and Private Health Insurance, who are authorised and regulated by the FCA to provide advice and arrange Pure Protection Contracts and Private Health Insurance Contracts.  LifeSearch Partners Ltd is registered in England and Wales to 3000a Parkway, Whiteley, Hampshire, PO15 7FX, company number 03412386.


3. HUB Financial Solutions, for the introduction of equity release advice and an annuity comparison service, who are authorised and regulated by the Financial Conduct Authority (‘FCA’) to provide advice and guidance on financial products for those who have retired or are approaching retirement (FCA Firm Reference Number: 455713). HUB Financial Solutions is registered in England and Wales to Enterprise House, Bancroft Road, Reigate, Surrey RH12 7RP, company number 05125701.


4. Alan Boswell Insurance Brokers Ltd (FRN 301), for the introduction of non-investment landlord insurances, who are authorised and regulated by the Financial Conduct Authority to provide advice and arrange insurance contracts. Alan Boswell insurance brokers Ltd is registered in England at Prospect House, Rouen Rd, Norwich NR1 1RE, company number 02591252.


5.Stickee Technology Limited for the introduction of non-investment pet insurance, who are authorised and regulated by the Financial Conduct Authority (FCA) to arrange non-investment pet insurance products (FRN916665). Stickee Technology Ltd is authorised and regulated by the Financial Conduct Authority (FCA)  in England and Wales; 3rd floor, 1 Ashley Road, Altrincham, Cheshire, UK WA14 2DT Registered company number 06711740


6. Travel Insurance Facilities Plc (FRN306537), for the introduction of travel insurance, who are authorised and regulated by the Financial Conduct Authority (FCA) to arrange non-investment insurance contracts. Registered in England under company number 3220410 at Suite 12, 20 Churchill Square, Kings Hill, West Malling, Kent, ME19 4YU.

 

Other financial services:


Mortgage service provided by London & Country Mortgages (L&C), Unit 26 (2.06), Newark Works, 2 Foundry Lane, Bath BA2 3GZ. London & Country are authorised and regulated by the Financial Conduct Authority (registered number: 143002). The FCA does not regulate most Buy to Let mortgages. Your home or property may be repossessed if you do not keep up repayments on your mortgage.


We do not make, nor do we seek to make, any recommendations or personalised advice on financial products or services that are regulated by the FCA, as we’re not regulated or authorised by the FCA to advise you in this way. In some cases, however, we have included links to regulated brands or providers with whom we have a commercial relationship and, if you choose to, you can buy a product from our commercial partners. 


If you go ahead and buy a product using our link, we will receive a commission to help fund our not-for-profit mission and our campaigns work as a champion for the UK consumer. Please note that a link alone does not constitute an endorsement by Which?.