Open Banking: what it is and whether it is safe.
Open Banking is the secure, FCA-regulated way a company can share read-only access to its bank data with a lender. It is not a new login for the lender — it is a regulated consent you grant through your own bank, and revoke at any time. No lender can move money via the read-only (account information) consent described here.
How Open Banking works
Open Banking is mandated under PSD2 (Payment Services Directive 2) and regulated in the UK by the Financial Conduct Authority. It creates a standardised, secure way for a business to share transaction data without sharing login credentials.
The flow is:
- The lender (an FCA-registered Account Information Service Provider) requests access.
- The company is redirected to its bank’s own interface — in the banking app or browser.
- The company authenticates through the bank (not the lender), reviews the consent, and grants it.
- The bank issues a secure access token tied to that consent, and the lender uses it to retrieve read-only transaction data.
- The company can revoke the consent at any time from the bank’s consent management screen.
At no point does the lender see the company’s banking username or password. The authentication is handled entirely by the bank.
The security protections in detail
What Open Banking cannot do
- Move, transfer or initiate any payment — it is read-only
- Access accounts not in scope of the consent
- See login credentials at any stage
- Continue access after consent is revoked
- Operate without FCA registration
Protections in place
- OAuth2 authorisation — the same delegated-access standard used by Google Sign-In
- Every provider must be FCA-registered and listed on the FCA register
- Consent is scoped, time-limited and revocable
- Data encrypted in transit (TLS)
- UK GDPR applies to all data received by the provider
How to revoke an Open Banking consent
Revocation is immediate. Two routes:
- Through your bank. All major UK banks provide a consent management interface — typically under “Connected apps”, “Data sharing” or “Third-party access” in online or app banking. Find the lender’s name in the list and disconnect.
- Through the provider. Any request to the lender to revoke Open Banking access must be honoured immediately.
Revoking consent stops future data access. Data already received is held under the lender’s data protection obligations and the terms of the original consent.
Five steps to use Open Banking safely
- Verify the provider is on the FCA register. Search by company name or FRN (Firm Reference Number) at the FCA website. A legitimate Open Banking provider will be there. If not, stop.
- Read the consent scope at the bank’s interface. Provider name, data requested, duration — check it matches what the lender described. Short-duration consents (30–90 days) are normal for affordability assessments.
- Authenticate through your bank, not the lender. You should be redirected to your own bank’s app or portal. If a lender asks for your banking password directly — that is not Open Banking.
- Note the consent management location. Find where your bank lets you revoke consents before you grant one. Usually: banking app → Settings → Connected apps.
- Revoke when the assessment is complete. Optional, but straightforward. The assessment typically happens within one working day. After that, revoke the consent if you prefer to limit ongoing access.
Open Banking questions
What is Open Banking?
Open Banking is a regulated system that allows a company to securely share read-only access to its bank transaction data with a provider it explicitly chooses. It was mandated in the UK under PSD2 (the Payment Services Directive 2) and is overseen by the FCA (Financial Conduct Authority). Every provider that accesses bank data via Open Banking must be registered with the FCA as an Account Information Service Provider (AISP). Open Banking does not give the provider access to move money — it is read-only.
Is Open Banking safe?
Yes. Open Banking is a regulated framework with strong protections. The connection uses OAuth2 — an industry-standard secure authorisation method, the same approach used to log in with Google. The bank itself controls the authentication. The provider never sees your banking username or password. Access is read-only: no provider can initiate payments or move money via an Open Banking consent. Data is encrypted in transit. Consents are time-limited and revocable at any time.
What data does the lender actually receive?
The lender receives a read-only view of transaction data — typically 12 months of bank transactions, account balances, and income and outgoing patterns. It cannot see the company's login credentials, future pending payments (beyond those visible in the account), or accounts not covered by the consent. The data received is the same data the company can see in its own online banking — no more, no less.
Can the lender move money or set up payments via Open Banking?
No. An Account Information Service Provider (AISP) consent is strictly read-only. Moving money requires a separate regulatory permission — a Payment Initiation Service Provider (PISP) consent, which is a completely separate and distinct authorisation. A lender using Open Banking for affordability assessment is operating under AISP permissions. It cannot initiate any payment or transfer via the same consent.
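The flow described under “How Open Banking works” and the AISP/PISP distinction in the answer above, as an added Python model that is not the page’s, the lender’s or any bank’s code. It is a deliberately simplified stand-in for the bank’s authorisation and resource servers, not the Open Banking API standard: the customer name, account ids, transactions and provider ids are constructed, the access token is a random opaque string rather than an OAuth2 JWT, and the FCA-registration check is a plain allow-list. What it shows is where each protection in the lists above is actually enforced: credentials are checked only at the bank, the consent carries a read-only scope and a named set of accounts, every data request re-checks scope and revocation, and a payment attempt with the same token is refused.

```python
# Added illustration of the consent flow: the lender never handles bank credentials, holds a
# token scoped to read-only data on named accounts, and loses access the moment consent is revoked.
# Constructed model only; not the Open Banking API standard or any bank's implementation.
import hashlib, hmac, secrets, time
from dataclasses import dataclass

READ_SCOPES = frozenset({"accounts", "balances", "transactions"})   # AISP data types
PAYMENT_SCOPE = "payments"   # a PISP permission; never part of an AISP consent


class AuthError(Exception):
    """The bank refused the request."""


@dataclass
class Consent:
    scopes: frozenset
    accounts: frozenset
    expires_at: float
    revoked: bool = False


class Bank:
    def __init__(self, fca_registered_providers, ledger):
        self._providers = frozenset(fca_registered_providers)
        self._ledger = ledger   # account id -> list of transactions (constructed)
        self._customers = {}    # username -> (salt, pbkdf2 digest, accounts held)
        self._consents = {}     # consent id -> Consent
        self._tokens = {}       # access token -> consent id

    def add_customer(self, username, password, accounts):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._customers[username] = (salt, digest, frozenset(accounts))

    def authorise(self, provider_id, username, password, scopes, accounts, days):
        """Customer is at the bank's interface; the provider receives only (consent id, token)."""
        if provider_id not in self._providers:
            raise AuthError("provider is not FCA-registered")
        scopes, accounts = frozenset(scopes), frozenset(accounts)
        if not scopes <= READ_SCOPES:
            raise AuthError(f"AISP consent is read-only; refused {sorted(scopes - READ_SCOPES)}")
        salt, digest, held = self._customers.get(username, (b"", b"", frozenset()))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            raise AuthError("bank authentication failed")
        if not accounts <= held:
            raise AuthError("consent names an account the customer does not hold")
        consent_id, token = secrets.token_urlsafe(8), secrets.token_urlsafe(32)
        self._consents[consent_id] = Consent(scopes, accounts, time.time() + days * 86400)
        self._tokens[token] = consent_id
        return consent_id, token

    def revoke(self, consent_id):   # the bank's "Connected apps" disconnect control
        self._consents[consent_id].revoked = True

    def _consent_for(self, token):
        consent = self._consents.get(self._tokens.get(token))
        if consent is None or consent.revoked:
            raise AuthError("unknown token or consent revoked")
        if time.time() > consent.expires_at:
            raise AuthError("consent expired")
        return consent

    def transactions(self, token, account):
        consent = self._consent_for(token)   # consent, scope and account re-checked every call
        if "transactions" not in consent.scopes or account not in consent.accounts:
            raise AuthError("account or data type outside consent scope")
        return list(self._ledger[account])

    def initiate_payment(self, token, account, amount):
        # An AISP token never carries the payment scope, so this always refuses; a PISP flow
        # under a separate consent would continue past this check and is outside this model.
        if PAYMENT_SCOPE not in self._consent_for(token).scopes:
            raise AuthError("token carries no payment permission")


def demo():
    """Walk the flow with constructed data; returns what the bank accepted or refused."""
    ledger = {"GB-01": ["Rent -1200.00", "Invoice 0042 +8400.00"], "GB-02": []}
    bank = Bank(fca_registered_providers={"lender-aisp"}, ledger=ledger)
    bank.add_customer("acme-ltd", "correct horse battery staple", ["GB-01", "GB-02"])
    creds = ("acme-ltd", "correct horse battery staple")
    results = {}
    def attempt(name, fn):
        try:
            results[name] = fn()
        except AuthError as exc:
            results[name] = f"refused: {exc}"
    attempt("unregistered_provider",
            lambda: bank.authorise("unknown-firm", *creds, READ_SCOPES, ["GB-01"], 90))
    attempt("payment_scope_requested", lambda: bank.authorise(
        "lender-aisp", *creds, READ_SCOPES | {PAYMENT_SCOPE}, ["GB-01"], 90))
    consent_id, token = bank.authorise("lender-aisp", *creds, READ_SCOPES, ["GB-01"], 90)
    # From here the lender holds only the token; the password never left the bank.
    results["in_scope_read"] = len(bank.transactions(token, "GB-01"))
    attempt("out_of_scope_account", lambda: bank.transactions(token, "GB-02"))
    attempt("payment_attempt", lambda: bank.initiate_payment(token, "GB-01", 10.0))
    bank.revoke(consent_id)   # the customer disconnects at the bank's consent screen
    attempt("after_revocation", lambda: bank.transactions(token, "GB-01"))
    return results
```

Running demo() walks the five checks the page lists: an unregistered provider is refused at consent time, a request that includes the payment scope is refused at consent time, a data request for an account outside the consent is refused, a payment attempt with the read-only token is refused, and once the customer revokes the consent at the bank the previously valid token stops working immediately.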
How do I disconnect Open Banking access?
You can revoke Open Banking consent at any time, in two ways. First, directly through your bank — every UK bank with Open Banking must provide a consent management interface (usually in the online banking portal under “Connected apps” or “Data sharing”) where you can revoke any active consent. Second, through the provider themselves — a request to the lender to revoke the consent must be honoured. Revocation is immediate: from the moment consent is revoked, the provider can no longer access transaction data.
Ready to apply?
Open Banking speeds up the affordability assessment. Apply at credicorp.co.uk.