Consent is a vital aspect of open banking. It puts customers in the driving seat, giving them full control of their data. Financial data belongs to customers, not the banks.
Therefore, customers have the right to share their data with service providers and other open banking participants at their discretion in a secure and easy way.
Open banking participants require customers’ explicit consent before the customer is redirected to their bank or account provider. Customers log in to their bank’s website or mobile app to select what information they wish to share. Open banking lets end-consumers share only their consent with the third party, never their bank credentials.
Changes to the 90-day reauthentication rules
- Previously, consent lasted at most 90 days; under PSD2 regulations, users then had to reauthenticate with their bank or re-consent.
- Now, following changes to the 90-day reauthentication rules, end-users instead re-confirm with the Account Information Service Provider (AISP) that they are happy to continue sharing data from their connected bank account(s).
Note: Open banking participants need to reconfirm customer consent no later than 4 months after the new rules take effect.
Is open banking consent secure?
How open banking consent works
Consent allows third parties to access a customer’s account for information sharing or to make a payment on behalf of a customer.
- Customers using a mobile banking app can authenticate with biometrics where their bank supports it.
- Alternatively, customers may authenticate following their bank’s on-screen instructions.
- Once authenticated, customers can select the account(s) they want to share or pay from.
- Customers will then give consent via the app or website to share their financial data.
Sharing of open banking information
The sharing of open banking information requires customers to consent. During this process, the customer can select one or more bank accounts to share with the relevant third party.
With a customer’s explicit consent, data can be shared from any ‘payment account’ (current accounts, credit cards, prepaid cards and some savings) that the customer holds. These accounts must be accessible online or by mobile, such as personal and business current accounts, credit cards and online e-money accounts.
What customer data is accessible?
With a customer’s consent, accessible data includes (but is not limited to):
- Account name
- Account number and sort code
- Full name of all account holders
- Card number for credit cards only
- Account balance and currency
- Direct Debits
- Standing Orders
- Recurring payments
- Future-dated payments
- Details of payee agreements set up
- Incoming and outgoing transactions, including salary, subscriptions, and payments into savings
- Statement details
- Any benefits, offers, rewards, fees, charges, and interest
Can customers’ data be changed at the source?
No. Access is read-only: the authorised third party can only request information from the bank, and only on a request-only basis, and cannot write or pass information back to the bank.
Can data be shared without consent?
No, valid customer consent must be in place.
Can customers remove consent?
Yes, customers can remove consent at any time by either contacting their bank or through the company they’ve granted access to read their data.
How is open banking data stored?
The data provided by the bank is encrypted and adheres to all GDPR regulations. It will only be kept and used for the purposes consented to by the customer.
Consent is an important aspect of open banking, keeping customers safe and in control of their data.
If this has raised a few questions or you would like to explore open banking, then please do get in touch. We have the knowledge, product, team and experience to get open banking data and payments working for you.