Keep your money and identity safe after Open Banking

In a little over three months’ time, banks and building societies will start to provide access to your financial data in a bid to make it easier for you to manage your money.

Rules originating in Brussels, known as the Payment Services Directive II (PSD2), together with a British version referred to as Open Banking, hit in mid-January and will see the biggest banks and building societies across Europe forced to provide standard open access to all their customer data to regulated third parties.

Eventually this should mean that customers will be able to pull all of their financial accounts into one app through which they can easily switch to the best value deals on offer for savings, current accounts, loans, mortgages and even potentially energy bills.


But in spite of the many advantages, customers remain concerned and confused by the implications of open banking.

A recent survey of 2,000 people by consultancy firm Accenture suggested roughly seven in ten people do not want to share their personal financial data with third-party providers.  

The good news is, if you don’t want to, you don’t have to. 

But there are strong arguments for sharing your data if you do it safely.

We explain how this will really work, how to protect yourself and your money and what the real threats will be after open banking becomes a reality.

What is open banking?

The UK Competition and Markets Authority is pushing through legislation to force UK banks and building societies to embrace open banking from 13 January 2018.

This coincides with the European Payment Services Directive II (PSD2), another set of rules coming out of Brussels.

Both are designed to force banks and building societies (and perhaps later insurance companies and investment houses) to provide better service by making it compulsory for them to open up their proprietary data and put it back in the hands of their customers.

In theory, the rules should mean that over time we are able to open one app on our phones or log in to one platform online and see every financial account we have in one place.

More than this, we should be able to transact within this app, purchasing from or switching between different providers.

How will my data be shared?

Open banking will force banks and other providers to make a standard set of ‘APIs’ available to regulated third parties.

API stands for application programming interface. This is basically a set of rules that allows different and separate technology platforms to talk to each other.

This means that, for example, American Express could ‘talk’ to Santander, meaning they’ll be able to see whether you qualify for an Amex card based on your income and outgoings in your Santander current account.

In order to have access to these APIs, companies must be regulated by the Financial Conduct Authority – so your data isn’t available to just anyone. Data will also be encrypted and protected.

And, you’ll have to give your permission to share it. If you don’t want your provider to share your data with third parties, it will remain locked away in just the same way as it is currently.

How do I opt out?

In fact, you don’t need to opt out. In order for any third party to have access to your data, you will have to opt IN. 

The way you do this will be by using an app that allows you to drag in accounts from multiple providers. 

Giving the app access to your account is the trigger for your data to be shared by the provider with the app you’re using.

For example, say you are an HSBC customer using the HSBC beta app, which is currently being piloted. If you download it, only your HSBC accounts will initially be visible – just like in your existing mobile banking app.

The new HSBC app allows you to pull in your other accounts from other banks, but to do this, you have to log in using your online banking details from that bank.

By logging in to your Barclays current account through the HSBC app, you’re consenting to Barclays sharing your data with HSBC. 

Should I ever share login information? 

This poses some serious security issues as it relies on you giving HSBC your login details to Barclays.

This is exactly what NatWest has just warned its customers NOT to do. It’s likely that other banks will follow.

This is because if you share your personal login information, you’re effectively giving up your right to protection.

If a fraudster took money from your NatWest account after you’d shared your login with HSBC, neither bank would take responsibility for reimbursing you.

Is there a safe way to take advantage of open banking?

Right now, that’s a matter of opinion. But in the future, there will be safer ways than exist at the moment.

The security of sharing data relates to how apps gain your consent to access your data. There are a number of ways to do this.

The app can ask you to log in to your other accounts using your personal details and can then access the data held in those accounts through the API connection.

Or it can use two-factor authentication, which identifies users through a combination of two different components – for example, something you know (your password) with something you have (your mobile phone, or a Pinsentry/card reader device).


The option recommended in the new rules is where you grant the app access to your account using a token, which can include access limitations. 

This is known as OAuth – a techy term for access delegation that is used already by millions of internet users when they opt to log in to Instagram or Uber using their Facebook, Twitter or Google account.

When you log in to Uber using Facebook, you are granting Facebook your permission to share data with Uber. This access is granted using a digital token.

With this method, it’s also possible to set time limits or access limits.

So, for example, you could grant a mortgage app temporary access to your current accounts to allow it to do a real-time assessment of your income and expenditure so it can work out automatically what mortgage you can afford.

If the mortgage app was using OAuth you wouldn’t need to give your current account password to them, keeping your money safe even if they got hacked.

You could also give them access for a limited time period – while the mortgage application is going through for example – after which the token you assigned expires and your data is locked back into your bank. 
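To make the token idea concrete, here is an added sketch (not from the original article, and not any bank's real API or the OAuth protocol itself) of how a bank could check a limited, expiring token without the app ever holding your password. The scope names, signing key, customer and app names are made up for illustration.

```python
import base64, hashlib, hmac, json, secrets

BANK_KEY = secrets.token_bytes(32)  # signing key held only by the bank (constructed)
REVOKED = set()                     # ids of tokens the customer has withdrawn

def _sign(body: bytes) -> str:
    return hmac.new(BANK_KEY, body, hashlib.sha256).hexdigest()

def issue_token(customer, app, scopes, now, lifetime_s):
    """Bank side: runs after the customer logs in AT THE BANK and consents."""
    claims = {"id": secrets.token_hex(8), "sub": customer, "app": app,
              "scopes": sorted(scopes), "exp": now + lifetime_s}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body)

def check_token(token, needed_scope, now):
    """Bank side: decide whether a request from the app may go ahead."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _sign(body.encode())):
        return "rejected: bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["id"] in REVOKED:
        return "rejected: revoked"
    if now >= claims["exp"]:
        return "rejected: expired"
    if needed_scope not in claims["scopes"]:
        return "rejected: scope not granted"
    return "allowed"

def revoke(token):
    """Customer withdraws consent before the token's natural expiry."""
    body = token.partition(".")[0]
    REVOKED.add(json.loads(base64.urlsafe_b64decode(body))["id"])

def demo():
    t0 = 1_700_000_000  # constructed timestamp
    day = 86400
    # Hypothetical grant: read-only access for a two-week mortgage application.
    tok = issue_token("alice", "mortgage-app", {"read:transactions"}, t0, 14 * day)
    forged = tok[:-1] + ("0" if tok[-1] != "0" else "1")
    results = [
        check_token(tok, "read:transactions", t0 + 3600),      # within the grant
        check_token(tok, "make:payment", t0 + 3600),           # never consented to
        check_token(tok, "read:transactions", t0 + 15 * day),  # after the time limit
        check_token(forged, "read:transactions", t0 + 3600),   # tampered token
    ]
    revoke(tok)
    results.append(check_token(tok, "read:transactions", t0 + 3600))
    return results

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

If the app in this sketch were breached, the attacker would hold only a read-only token that the bank stops honouring on expiry or revocation, not the account password.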


If I want to opt in, how safe is my data?

Giving third parties open access to your data sounds scary but in fact, under open banking, your data is no more or less safe than it is right now.

All banks have to invest heavily in protecting their customers’ data and allowing interchange between regulated providers doesn’t automatically mean your data is any less safe. 

Open banking does not mean a massive data dump of secure information to all and sundry through the cloud. 

If you consent, shared data will be encrypted and accessible only by regulated and vetted firms.

However, all companies are open to being hacked – as the recent debacle with Equifax showed us. 

Open banking won’t increase this risk though. Your data remains yours, and the institutions that hold it have a responsibility to protect it. 

What are the advantages of opting in to open banking?  

The rules should mean that over time we are able to open one app on our phones or log in to one platform online and see every financial account we have in one place.

If you can see you’re paying 20 per cent interest on your MBNA credit card balance and earning 1.2 per cent interest on your savings with NatWest for example, this app should theoretically alert you and prompt you to switch to better rates or pay off the debt using the savings.

Similarly, if you’ve slipped off a mortgage deal on to your lender’s hefty standard variable rate and could save by remortgaging, the system ought to help you. It should be able to search all your available options from all providers, allow cross checking with your income and expenses by using your current account data and then provide you with the option to sign up to a new mortgage deal you’re already approved for.

The initiative is designed to make it easier to manage our money with less effort and better returns through technology and automation. 

Benedict Ireland, of customer experience and technology company Splendid Unlimited, explains: ‘People don’t necessarily want to “do” banking. They need to manage their finances but, for many, the less active management required the better. 

‘The greater automation open banking services will enable points to a future in which there will be less engagement between the customer and the bank providing that customer’s accounts or services.

‘For now, our banking relationship is locked to our bank but this will change. Our banking experience is already digital and, like other digital experiences, is increasingly becoming owned by our mobile operating systems. 

‘We already trust Apple iOS and Google’s Android with transaction data – just think Apple Pay, Android Pay and Google Wallet.

‘Should Apple or Google release a financial app, what’s to stop a migration similar to the migration away from Blackberry and Nokia, or Virgin Records and HMV?’ 

How can I opt in? 

There are a number of other apps that already allow you to drag in information from your accounts with different providers, including Chip, Cleo, Moneybox, Money Dashboard, OnTrees and Plum. 

Money Dashboard already allows you to see all your accounts in one place


These currently require you to log in through their apps to your various accounts using your password information. They then scrape your data from your account and display it in their app. 

None of them allows you to transact in your other accounts through them as yet.

It’s possible that some of them will start to. It’s also likely that price comparison websites, banks and new companies will launch open banking apps next year. 

Apple, Google, Facebook and Amazon are also well-placed to function as a platform through which you can view all of your financial information. 

And how do I opt out? 

As outlined above, to opt out of giving access to your data, simply don’t use one of these apps or any other provider that asks for your account information and access.

If you don’t use open banking your data and money will remain protected by the provider your account is with.


Anne Boden is founder and chief executive of mobile-only Starling Bank


  1. Don’t assume sharing your login and password is allowed by your bank.
  2. Do check your bank’s T&Cs (which will be available online) to see whether you are allowed to share your data with third-party apps and services.
  3. Don’t reuse your password on multiple accounts (especially not email and banking logins).
  4. Do change your password regularly.
  5. Don’t overshare personal financial data with third parties where they don’t need it.
  6. Do regularly evaluate who has access to your data and revoke it where necessary.
  7. Don’t type your banking password into a website that has not been approved by your bank.
  8. Do ask your bank whether they perform the proper security and financial checks (as specified by the regulator) on any third parties they’re supplying access to.

