Frequently Asked Questions
Do I have to share my bank account details with a PISP?
The rules say that banks have to allow your info to be shared, but ONLY if you expressly give permission to the new provider – No PISP can look into your account without your consent.
Each provider will have to ask for your consent to access your info when you sign up to it. It’ll then send a request to your bank, which will process it and share your details. You can also withdraw your permission at any time.
If you just want to stay banking the way you do now, you absolutely can and no one’s going to force you to change. So if you’re not comfortable sharing your account data with anyone else – or don’t want to use any of these new companies – you don’t have to.
What bank accounts does this apply to?
You’ll be able to share your data for any ‘payment account’ you hold. This includes current accounts, credit cards, prepaid cards and some savings, though the initial roll-out of Open Banking is just for current accounts.
The rules only apply to accounts which can be accessed online, and you’ll need to connect your online banking with the third party so it can get your data.
Who can I share my data with?
You should only share your data with authorized third parties regulated by the Financial Conduct Authority (FCA) or another European regulator, and will appear on the FCA’s Register, and the Open Banking Directory.
Providers authorised under Open Banking will offer two types of services, and need to have different authorisations for each of the following:
1. Account Information Service Providers
These let you see all of your account information from different banks in one place and offer features such as budgeting help and product recommendations. This could include budgeting apps and price comparison websites.
2. Payment Initiation Service Providers
These will let you pay companies directly from your bank account and not through a third party like Visa or Mastercard. This could include retailers and even tech companies like Amazon. This is the license that BigeDirect holds.
How can I check if a provider's authorized?
You can check if a company’s authorised on the FCA Register, and providers should also tell you on their website or app if they’re authorised, along with their registration number.
What if I use an un-authorized provider?
If you use a third-party provider that’s not regulated, you won’t get the same levels of protection against fraud. So if you lose money through it, your bank may not pay out. You should always check a provider before you give it access to your accounts – as above, you can do so on the FCA Register. If it’s not authorised, ask what security measures it has in place.
If you’re happy with a provider you can choose to give it access even if it’s not authorised, but you need to be aware of extra risks.
Why would I share my financial data with any 3rd party?
Let’s say you are looking for a new or better banking product – sharing your information using the new technology could make it possible for you to easily find the most appropriate product for your individual needs. Perhaps you’d like to keep better track of how much you’re spending to help you save up for that dream holiday – sharing your information with a budgeting application which, for example, could help you see at a glance how well you’re managing your hard earned cash. From January 2018, there will be an alternative online payment method. Regulated companies will also be able to make payments directly from your bank account – but only after you have given your explicit consent of course.
Is my data safe with Open Banking?
As long as they’re authorised, providers will only be able to access data needed for the service you’ve signed up to – so if you’ve asked one to look at your current account with one bank, it wouldn’t also be able to look at a credit card you hold with that bank unless you give your express permission.
Plus, all providers will have to comply with data protection rules, including new regulation coming in from May 2018. The provider should tell you exactly which data it will use, how long for and what it’ll do with it before you sign up. If you’re unsure about anything, make sure you ask before you give it access, and if something feels wrong, don’t share your data.
If you have any issues, you’ll be able to go to the free Financial Ombudsman Service – see our Financial Rights guide for more.
What if I experience fraud on my account after I've shared my data?
In the past, several banks have said that you’d be liable for fraud on your account if you’d shared your details with third parties, but the new rules mean that banks must allow you to share your details with authorised providers, and not hold you liable for fraud.
If you do see a payment out of your account which you didn’t authorise, go to your bank as it’s responsible for refunding it – as long as you haven’t been ‘grossly negligent’ – and your bank can then take it up with the third party if it thinks it’s been at fault.
The maximum you’d be liable for is £35 before you tell your bank about the fraud (down from £50 currently), and nothing after you’ve told it, so always notify your bank as soon as possible if you notice something dodgy.
However, this ONLY applies to authorised third parties, so it’s important to check if a third party’s regulated before you use it, if you’re worried about potential fraud.
How will providers access my data?
There are two main ways that third parties will access your data – screen-scraping, or application programming interfaces (APIs).
Screen-scraping is what most of the apps that are already on the market use, and involves you giving providers ‘read-only’ access to your online banking, essentially giving it your login details and letting it pretend to be you. However, it can only look at your account and can’t make any changes or move money unless you give your explicit consent.
The use of screen-scraping will continue for a transition period until around September 2019, when the use of it will be banned (subject to approval from the European Parliament) due to fears it’s not as safe as the second option, APIs.
Put simply, APIs allow people’s information to be shared, such as their location, preferences, or whether or not they’re in credit. This kind of technology is already widely used by the likes of Facebook, Google Maps and Uber. For example, Uber might use Google Maps’ API so it can work out where you and your driver are.
The CMA’s Open Banking standards will create a blueprint for banks and third parties to follow when using APIs, and there are security measures in place to keep your data safe. When you try to give a provider access, any relevant bank(s) will also check that it’s on the list of approved third parties.
So, should I use Open Banking?
It’s completely up to you. As we’ve explained above, Open Banking has the potential to revolutionise how you manage your money.
It’s for you to decide if you’re happy sharing your data with third parties in the hope of getting a better deal or being more in control of your finances, but with the safeguards in place you should be better protected than you currently are if you go down that route.
Always remember that there aren’t guarantees that any new product recommendations will cover the whole market, so check before you switch, and if you don’t want to take part, you don’t have to.