Online Services Security Centre
Third Party Providers (TPPs)
We always tell you ‘never share your Online Services details with anyone else’ but with the introduction of new services known as Open Banking you may choose to allow appropriately authorised and/or registered Third Party Providers (TPPs) access to your payment accounts with us.
Whatever you decide
It is up to you whether you choose to use Open Banking. You must give your consent to a TPP first before they can access your payment account. We have detailed below how you can make use of and manage the different TPP services available:
Services offered by TPPs
Managing this service
Account Information Services
You will need to use your Online Services security details to authenticate yourself to us in order for the TPP to obtain information on your accounts.
You can view and remove any permissions you’ve given to TPPs through Online Services.
Payment Initiation Service
If you are making a purchase online you may be provided with an option to pay directly from your bank account instead of using a debit or credit card. You will need to use your Online Services security details to authenticate yourself to us in order for the payment to be made.
|You will see the details of your payment within your payment history in Online Services.|
Some TPPs may ask for your Online Services security details to access your account information or initiate a payment on your behalf. In these circumstances the TPP will access your Online Services directly in the same way as you would.
Please note: This means we will not be able to identify that it is a TPP and not you accessing your Online Services. It is therefore very important you are satisfied the TPP is genuine.
|Permission to these TPPs can only be removed by changing your PAC.|
Card Based Payment Instrument Issuer (CBPII)
A CBPII is a payment services provider that can perform an availability of funds check on your online payment account. Before we respond to such a request you must verify with us by using your Online Services security details that you are permitting such requests on your account. You will only need to grant access to each TPP once. The response given to the TPP will be a ‘Yes/No’ answer only and at no time will this type of TPP have access to your actual account balance.
|You can view and remove any permissions you’ve given to TPPs through Online Services.|
What else do I need to know?
If you do choose to use a TPP, you should safeguard the security of your online account(s):
- by ensuring the TPP is authorised and/or registered by the FCA or another European Regulator by checking the regulator’s website.
- be aware some TPPs are not registered with a regulator, but have services you may wish to use. The FCA have given guidance to consumers on this, see below.
- by ensuring it is a legitimate site – look for the security padlock icon in the address bar and check to see it has ‘https’ as part of the address.
If you consent to a TPP accessing your account online that is not appropriately authorised and/or registered you may be liable for any loss you suffer as a result.
The FCA have given the following guidance on who can provide these new services and how you can protect yourself.
Who can provide these new services?
The FCA and other European Regulators will add AIS and PIS providers to the registers they keep of all authorised businesses. These registers are publically available.
You should be aware that companies that have been providing these services since before 12 January 2016 do not need to be authorised by the FCA until the end of 2019, so may not appear on the FCA’s register until a later date.
Before you use one of these services be alert, and make sure you are confident that any organisations you share your information with are who they say they are. You should make sure that you understand the service and that you are happy with who will be providing it to you.
How to protect yourself
We want consumers to enjoy the full benefits that these changes can bring, however there are some important things you should be aware of.
- Be alert - you should be vigilant to fraud when using online payment initiation or account information services. If you don’t know who you are talking to, or there is reason to suspect that the provider is not who they claim to be, don’t disclose your banking security credentials, or other personal or financial information.
- Read the details - always read the terms and conditions of a provider of financial services carefully before signing up, this includes the terms and conditions of AIS and PIS providers.
- Be data savvy - make sure you understand and agree with what access you are granting to your account, how the account information will be used and who it may be passed to.
- Check your statements - keep an eye on your bank statements and get in touch with your bank if you don’t recognise a payment.