Security 28 April 2026 4 min read

Is open banking safe? What sole traders need to know

When MTD software asks to connect your bank account, it's natural to hesitate. "What can it actually see? Can it move my money?" Here's a plain-English explanation of how open banking works, who regulates it, and why it's safer than older alternatives.

What is open banking?

Open banking is a system that lets regulated third-party apps access your bank account data — with your explicit permission — through a secure, standardised connection called an API (Application Programming Interface).

It was introduced in the UK under the Payment Services Regulations 2017, which implemented the EU's PSD2 directive. The Financial Conduct Authority (FCA) oversees the system and authorises every company that operates within it. The major UK banks were required by the Competition and Markets Authority (CMA) to participate.

In plain terms: open banking is a government-mandated, regulator-supervised system for securely sharing your financial data. It's not a startup idea someone invented — it's infrastructure.

The most important thing: it's read-only

For the purposes of MTD and tax software, the relevant type of open banking access is called an Account Information Service (AIS). AIS connections are strictly read-only.

An AIS app can see your transactions — dates, amounts, merchant names. It cannot:

  • Move money out of your account
  • Make payments on your behalf
  • Change your account details
  • Access accounts you haven't connected

This restriction isn't a policy choice made by the app — it's enforced at the bank's API level. A different type of open banking service, called Payment Initiation Services (PIS), can initiate payments, but only with explicit consent for each transaction, and only if you've specifically authorised that. Bart uses AIS only.

Read-only means read-only. No MTD software using standard open banking can touch your money — it can only observe your transaction history.

You never share your password

One of the biggest differences between open banking and older methods is that you never give the app your banking password.

Here's how the connection actually works:

  1. The app redirects you to your bank's own secure login page
  2. You authenticate with your bank using your normal credentials — the app never sees these
  3. Your bank issues a temporary access token to the app
  4. The app uses this token to request transaction data — it expires and can be revoked at any time
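The four steps above, together with the bank-side read-only enforcement described earlier, as a simplified in-memory model. This is an added example, not code from Bart, Finexer or any bank; the `Bank` class, the scope names and the sample user are assumptions made for illustration.

```python
import secrets
import time

AIS_SCOPE = "accounts:read"    # assumed scope names, not from a real bank API
PIS_SCOPE = "payments:write"

class Bank:
    """Toy bank: keeps the password to itself, issues and checks scoped tokens."""
    def __init__(self, users, transactions, token_ttl=3600):
        self._users = users                # username -> password, never leaves the bank
        self._transactions = transactions  # username -> list of transactions
        self._tokens = {}                  # token -> (username, scope, expiry)
        self._ttl = token_ttl

    def login_and_consent(self, username, password, scope):
        """Steps 1-3: the user logs in at the bank; the app receives only a token."""
        stored = self._users.get(username)
        if stored is None or not secrets.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("authentication failed")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, scope, time.monotonic() + self._ttl)
        return token

    def _check(self, token, required_scope):
        """Bank-side enforcement on every call, independent of what the app intends."""
        if token not in self._tokens:
            raise PermissionError("unknown or revoked token")
        username, scope, expires = self._tokens[token]
        if time.monotonic() >= expires:
            raise PermissionError("token expired")
        if scope != required_scope:
            raise PermissionError("scope does not permit this call")
        return username

    def get_transactions(self, token):
        """Step 4: the read-only call an AIS token is allowed to make."""
        return list(self._transactions[self._check(token, AIS_SCOPE)])

    def initiate_payment(self, token, payee, amount):
        """Payment call: needs a PIS token, so an AIS token is refused here."""
        self._check(token, PIS_SCOPE)
        return {"payee": payee, "amount": amount, "status": "accepted"}

    def revoke(self, token):  # the user withdraws consent; the token stops working
        self._tokens.pop(token, None)

# Constructed sample data: one user with one transaction.
bank = Bank({"sam": "correct horse"}, {"sam": [{"date": "2026-04-01", "amount": -12.50}]})
app_token = bank.login_and_consent("sam", "correct horse", AIS_SCOPE)
print(bank.get_transactions(app_token))
```

Calling `bank.initiate_payment(app_token, ...)` with this AIS token raises `PermissionError`, and after `bank.revoke(app_token)` so does `bank.get_transactions(app_token)`.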

This is fundamentally different from older screen-scraping tools that required you to hand over your username and password so the software could log in as you. That approach was always risky and is now prohibited for regulated providers.

FCA regulation and what it means

Every company that provides open banking services in the UK must be authorised by the FCA. You can verify any provider on the FCA Register at register.fca.org.uk.

FCA authorisation requires providers to meet strict standards around:

  • Data security and encryption
  • Consumer protection obligations
  • Incident reporting and breach notification
  • Capital requirements and business continuity

Bart uses Finexer (FRN: 925695) as its open banking provider. Finexer is authorised by the FCA as an Authorised Payment Institution to provide Account Information Services. Bart itself is registered as an agent of Finexer on the FCA Register.

What Bart can and can't see

What Bart can see

  • Transaction dates
  • Transaction amounts
  • Merchant names and descriptions
  • Payment direction (in/out)
  • Transaction reference numbers

What Bart cannot see

  • Your online banking password
  • Accounts you haven't connected
  • Your personal details held by the bank
  • Direct debit mandates or standing orders
  • Your credit score or lending history

You can revoke access any time

Open banking connections are not permanent. You can revoke Bart's access to your account at any time — either within the app or directly through your bank's own settings (look for "connected apps" or "third-party access" in your bank's app or online banking).

Once revoked, the connection is severed immediately. No further transaction data can be fetched, and any stored access tokens are invalidated.

Why it's safer than the alternatives

Before open banking, the main way to get your bank data into accounting software was either:

  • Manual export and import — downloading a CSV from your bank and uploading it to your software. Tedious, error-prone, and easy to forget.
  • Screen scraping — giving the software your banking password so it could log in as you. Now prohibited for regulated providers because it gives the app the same access as you — including the ability to make payments.

Open banking replaced both of these with a regulated, auditable, read-only alternative. The FCA can investigate any AIS provider that misuses the data it receives. That accountability didn't exist with screen scraping.

In summary: open banking via an FCA-authorised provider is designed from the ground up to be secure, limited, and revocable. The risk profile is materially lower than either sharing your password or trusting an unregulated tool.

Frequently asked questions

Can an open banking app move money out of my account?

No — not unless you've specifically authorised payment initiation. Account Information Services (AIS), which is what Bart uses, are strictly read-only. The app can see your transactions but cannot initiate any payments or transfers. This is enforced at the API level by your bank.

Do I need to share my online banking password?

No. Open banking works via a secure API — you authenticate directly with your bank using your bank's own login, and your bank issues a temporary access token to the app. Your password is never shared with or seen by the app. This is fundamentally more secure than older screen-scraping methods.

Can I revoke access at any time?

Yes. You can revoke an open banking connection at any time — either through the app itself or directly through your bank's settings. Once revoked, the app immediately loses access to your account data.

What data does Bart actually see?

Bart can see your transaction history (dates, amounts, merchant names, and descriptions) for the connected account. It cannot see your balance in real time, your personal details held by the bank, or any accounts you haven't connected. Bart does not store your banking credentials.