What is open banking?
Open banking is a system that allows you to securely share your bank account data with authorised third-party providers. It was introduced in the UK under the Payment Services Regulations 2017, which implemented the EU's second Payment Services Directive (PSD2). The framework is overseen by the FCA and managed operationally by Open Banking Limited.
The nine largest UK banks (the CMA9: Barclays, HSBC, Lloyds, NatWest, Santander, Nationwide, HBOS, RBS and Danske) were required by the Competition and Markets Authority to implement open banking APIs. Most other banks and building societies have also adopted the standard voluntarily.
As of 2024, over seven million people in the UK actively use open banking-powered services. That number has grown significantly year-on-year since 2018, and most people using it are doing so through consumer-facing apps that never mention open banking by name.
What open banking can and cannot do
What it CAN do
Read your transaction history
View account balances
See payment references and merchant names
Identify income and spending patterns
Initiate payments (only with explicit permission)
What it CANNOT do
Move your money without a separate payment instruction
Access your card PIN or online banking password
Make changes to your account
Share your data with other parties without consent
Retain access after you withdraw permission
How the connection works technically
When you connect your bank account to an open banking service, you are redirected to your bank's own authentication interface. You log in to your bank directly, using your bank's own login process. The third-party service never sees your credentials. Once authenticated, your bank creates a token: a secure, limited-access key that allows the third party to retrieve certain data from your account within defined parameters.
The token is time-limited and scope-limited. It can only access the data you consented to share, for the period you consented to. Most tokens for account reading services expire after 90 days, after which you need to re-authenticate. You can revoke the token at any time, and the third party immediately loses access.
The third party receives structured data from your bank's API: transaction lists, balances, account details. What they can do with that data depends on the terms of their FCA authorisation. They cannot share it with other parties without explicit consent, and they cannot retain it beyond the purposes covered by their data protection obligations.
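The token rules described above (issued to one provider, limited to the consented data, time-limited, revocable at any time) can be expressed as a single bank-side check. The following is an added example, not code from any bank or from the open banking standard; the Consent model, the scope names and the provider names are hypothetical, and the 90-day lifetime is the figure given above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CONSENT_LIFETIME = timedelta(days=90)  # re-authentication period cited in the article

@dataclass
class Consent:
    """Bank-side record behind one access token (hypothetical model)."""
    provider: str                 # the third party the customer approved
    scopes: frozenset             # data types the customer agreed to share
    granted_at: datetime
    revoked_at: Optional[datetime] = None

    def expires_at(self) -> datetime:
        return self.granted_at + CONSENT_LIFETIME

def authorise(consent: Consent, provider: str, scope: str, now: datetime):
    """Decide whether one API read is allowed; deny on the first failed check."""
    if provider != consent.provider:
        return False, "token was issued to a different provider"
    if consent.revoked_at is not None and now >= consent.revoked_at:
        return False, "consent revoked by customer"
    if now >= consent.expires_at():
        return False, "consent expired; customer must re-authenticate"
    if scope not in consent.scopes:
        return False, f"scope '{scope}' not consented"
    return True, "ok"

def revoke(consent: Consent, now: datetime) -> None:
    """Revocation blocks every later request; it does not touch data already sent."""
    consent.revoked_at = now

def demo() -> list:
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample date
    c = Consent("example-aisp", frozenset({"balances", "transactions"}), t0)
    day = lambda n: t0 + timedelta(days=n)
    results = [
        authorise(c, "example-aisp", "transactions", day(10)),  # within consent
        authorise(c, "example-aisp", "payments", day(10)),      # never consented
        authorise(c, "other-app", "balances", day(10)),         # wrong provider
        authorise(c, "example-aisp", "balances", day(90)),      # past 90 days
    ]
    revoke(c, day(20))
    results.append(authorise(c, "example-aisp", "balances", day(21)))
    return results

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```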
Is open banking safe?
Open banking is significantly safer than the alternative most people were using before: screen scraping. Before open banking existed, many financial apps worked by asking you for your online banking username and password, then logging in to your account on your behalf to read the data. You had no way of knowing what else they might do with those credentials.
Open banking replaced that with a regulated, API-based system where your credentials never leave your bank. The third party has FCA authorisation to access specific data through a defined technical channel. If something goes wrong, you have consumer protections through the FCA regime.
How to check if a service is authorised
Any legitimate open banking service must be authorised by the FCA as either an Account Information Service Provider (AISP) or Payment Initiation Service Provider (PISP). You can verify this on the FCA register at register.fca.org.uk. If a service asks to connect to your bank but is not on the register, do not connect it.
What open banking is used for
The most common consumer-facing applications are budgeting and personal finance tools (apps like Monzo and Starling use open banking-style data internally; third-party apps use it to aggregate data across multiple accounts), affordability assessments (mortgage and rental applications), and fraud prevention.
For financial inclusion specifically, open banking is important because it makes financial behaviour legible in a way that was not previously possible for people without a credit file. Transaction history shows income patterns, payment consistency, and account management behaviour over time, without requiring a credit history to have been established first. This is why it forms the foundation of what Equiscore does.
How to revoke access
You can revoke an open banking connection in two ways: through the third-party service's own account settings (there should be a way to disconnect your bank account), or directly through your bank. Most UK banks have an "open banking permissions" or "connected apps" section in their app or online banking where you can see all active connections and revoke them individually.
Revoking access does not delete any data the third party already holds. It stops them accessing new data from that point forward. If you want them to delete historical data, you need to submit a deletion request to the service under UK GDPR.