The second Payment Services Directive (PSD2) is a relatively new piece of European regulation that aims to modernise banking and how banks deal with financial data. Open Banking is the UK implementation of PSD2; it requires all UK-regulated banks to allow you to access and share your financial data in a secure way.
An example of Open Banking in action is linking, with your permission, your current account to the Moneyed app to see your spending breakdown to make a budget. The linking is done securely via an Application Programming Interface (API) and provides Moneyed with “read-only” access to your current account transactions.
You can only safely share your financial data with companies who are regulated by the Financial Conduct Authority (FCA) and, for security, are prompted every 3 months to re-authorise the linking of your financial accounts.
To gain “read-only” access to your bank accounts, the FCA requires companies to be registered as an Account Information Service Provider (AISP). Moneyed is registered as an Agent of AISP with the FCA (reference number 926576).
Moneyed’s regulated status means that banks and other financial institutions that provide payment accounts must allow their customers to securely access their accounts via Moneyed.
Whilst Open Banking requires that financial institutions provide APIs, accessing the APIs requires a huge maintenance effort. So that the team at Moneyed can focus more time on promoting financial wellbeing, we have partnered with Moneyhub to enable us to securely access well-maintained APIs.
Moneyhub was one of the first services globally to offer true, secure, Open Banking integrations powered by APIs. They are founding members of one the industry bodies that are working to set the standards for Open Banking and are fully regulated by the FCA (reference no. 809360).
Wherever possible Moneyhub will always use Open Banking APIs to link your accounts. Open Banking sets standards for banking APIs, but the legislation only covers banks, and specifically only current accounts. The legislation doesn’t cover providers of mortgages or even other account types at the same bank, for example. Also, not every bank has their API ready. For the accounts and providers that aren’t ready for APIs, Moneyhub uses an aggregation partner, Yodlee.
Yodlee are supervised by the US Banking Regulators (a body similar to the UK’s FCA), provide a trusted service to more than 850 organisations throughout the world, and have a proven 16-year track record of keeping user information safe and secure.
We believe your data is your own - we don’t sell your data to third parties. We might be obliged to share parts of your data with third parties, for Know Your Customer (KYC) checks or with institutions that require the information for legal reasons, but we will not profit from selling your data.
We use your data to help you build a personalised financial plan for the future; this includes, but is not limited to, budgeting, short- and long-term planning, personalised insights, and future wealth projections. We may also anonymise and aggregate your data, so that we can give you information about “people like you” (e.g. “people of a similar age and salary to you have this amount of money in their pension”) and further enhance the financial insights we provide.
Moneyed is built with privacy and security at the core of everything we do. Your data is always encrypted and stored securely on Moneyed servers in the UK. Should you link your financial accounts, our partners may also encrypt and securely store your data. If you unlink a financial account we will delete the data associated with it. If you unlink all financial accounts from the same provider, we will delete the Open Banking connection, in addition to the data.
At any point, you can email us at firstname.lastname@example.org to get a copy of the personal data we hold; ask us to correct inaccurate data; withdraw any consent you’ve previously given us; or ask us to delete your data. There could be legal reasons why we are unable to grant the request to delete your data immediately; money laundering, tax evasion, and fraud regulations sometimes require us to keep the data, but we’ll make sure we are transparent about the process.
We have the same security standards as used by the banking industry.
Data that you manually enter is encrypted and transported securely via HTTPS from your device to Moneyed. Once the data is within the Moneyed infrastructure, it is transported to, and stored in, an AES-256 encrypted database securely via SSL.
Financial data from linked accounts is retrieved using Moneyhub who expose their APIs via Restful JSON endpoints. Data is encrypted and transported from Moneyhub to Moneyed via HTTPS. Once the data is within the Moneyed infrastructure, it is transported to, and stored in, an AES-256 encrypted database securely via SSL. Your login information and passwords are never stored on Moneyed servers; credentials are handled directly by Moneyhub in compliance with PSD2.
Data is stored in the UK in an AWS database, which is encrypted via AES-256. We store and process data in compliance with the UK Data Protection Act, the EU Data Protection Directive, and the general principles of the EU General Data Protection Regulation. AWS, our infrastructure provider, is fully compliant with the Cloud Infrastructure Services Providers in Europe (CISPE) Code of Conduct and uses external auditors to verify the adequacy of its security measures. AWS performs an audit at least annually in accordance with ISO 27001 standards, or equivalent, and is performed by independent third-party security professionals.
Access to Moneyed infrastructure is granted, with a least privilege model of permissions, on a case-by-case basis, and only if it is strictly necessary. Access will only be granted to full-time employees that have been trained and fully understand Moneyed policies. Access is reviewed annually and if at any time, an employee with access resigns or terminates their work with Moneyed, their credentials will be promptly and permanently revoked.
Moneyed implements general best practices such as, but not limited to, AES-256 data encryption, 2-factor authentication, remote session termination, high entropy passwords, a least privilege model of permissions, and SSH access limited to a restricted set of IPs. Moneyed administrator access to the servers hosting data and app services is permitted only by public key based SSH, with password authenticated access prohibited by the server configuration. Private SSH keys are not shared, and are stored on computers in the administrators' physical possession, which use full disk encryption. Repeated failed SSH login attempts to a single server cause the host attempting to login to be blocked.