Open Banking includes the practice of securely sharing financial information electronically with customer consent. It was set up by the Competition and Markets Authority (CMA) in conjunction with the nine largest UK banks on behalf of the UK Government to bring more competition and innovation to financial services. Open Banking complies with PSD2 legislation and provides the technical framework (gateways or APIs) for the sharing of bank account information with customer consent.
The second Payment Services Directive, or PSD2, is legislation adopted by the European Union in 2015 to promote the development and use of new financial technologies.
Open Banking moves us from a world where your bank controls the data they hold about you, to one where you own your data and can control how it’s used.
At Xero we’ve been delivering on the principles of Open Banking for more than 10 years. Our bank feeds have enabled small businesses to connect their bank accounts to Xero so that transaction data automatically flows in – meaning easy reconciliation and greater visibility of cash flow.
Open Banking will continue to provide this data automation to Xero small businesses and partners. In addition, the new bank feeds allow you to connect directly through a completely digital process. This means transactions are transferred through a direct connection between your bank and Xero, rather than using screen scraping.
On 14 September 2019, new standards under PSD2 were introduced. These new standards impose changes to the way third parties access data from banks. Under the new requirements, existing Xero bank feeds with Barclays, and all UK and EU bank feeds set up using Yodlee, will no longer be available. Most of these feeds are being replaced by new direct bank feeds to ensure they’re compliant with Open Banking standards.
While the new requirements came into effect on 14 September 2019, a six-month adjustment period was provided by the UK’s Financial Conduct Authority in early August, which means most UK banks can continue to allow customers to use Yodlee feeds up until 14 March 2020. Barclays feeds will also continue up until 14 March 2020. Refer to this list to see the latest status of each bank feed.
As new direct feeds become available over the coming months, we’ll let affected customers know so they can switch.
Xero is registered by the Financial Conduct Authority (FCA) as an Account Information Service Provider (AISP), which means we are authorised to access our customers’ bank account information when they ask us to. As an AISP we have ‘read-only’ access to bank account information, so we are simply retrieving a customer’s bank transaction data to provide an automated feed of transactions into Xero. Rest assured we do not have the ability to move a customer’s money.
Businesses that are authorised to use Open Banking, like Xero, are listed on the FCA’s Financial Services Register and on the Open Banking directory. To get listed, businesses need to go through a stringent assessment by the Financial Conduct Authority (FCA) and have systems, processes and security standards in place that meet the FCA’s requirements.
On 14 March 2020, standards introduced under PSD2 took effect. These new standards impose changes to the way third parties access data from banks. Under the new requirements, old Xero bank feeds with Barclays, and all UK and EU bank feeds set up using Yodlee, are no longer available. Most of these feeds have been replaced by new direct bank feeds to ensure they’re compliant with Open Banking standards.
Security is at the heart of the Open Banking design. Here’s how:
It’s regulated – only apps and websites regulated by the Financial Conduct Authority or European equivalent can use Open Banking.
Bank-level security – Open Banking uses rigorously tested software and security systems. You will only ever interact with your bank directly, so you’ll never be asked to give your bank login details to anyone else.
You’re in charge – you choose when you want to share your data, and for how long.
Your bank will only allow authorised and regulated financial services providers to connect with your bank account. They will also let you remove access to any business you’ve connected with from within your online banking. For security, customers will also be asked to re-authenticate their Open Banking connection every 90 days.
Yes, you can rest assured that your data is secure. Both Xero and OpenWrks have been through a stringent assessment by the Financial Conduct Authority (FCA) to become authorised Account Information Service Providers (AISPs). Each organisation has robust systems, processes and security standards in place.
When you authorise the bank connection, both Xero and OpenWrks have ‘read-only’ access to your bank account and securely move bank transaction data from your bank to Xero. Neither Xero nor OpenWrks can move your money or see your online banking credentials.
We’re committed to the security of your data and provide multiple layers of protection for the personal and financial information you entrust to Xero. To help you understand how we protect and secure data, we encourage you to read our policy on security at Xero. It includes the option to request Xero’s Service Organisation Control (SOC 2) report for formal reviews of compliance obligations and for evaluating controls relating to security, availability and confidentiality.
Due to new requirements around strong customer authentication, the new Xero feeds can only be authorised by the bank account holder or someone with authorised access to online banking.
OpenWrks has successfully delivered the first Open Banking connections in the UK and is now helping UK banks to deliver compliant Open Banking gateways for third parties to connect to.
OpenWrks is acting as a Technical Service Provider on Xero’s behalf to enable us to access Open Banking gateways. They act as a messenger between your bank and Xero. OpenWrks gets ‘read-only’ access to your bank account when you authorise the bank connection, and securely passes bank transaction data from your bank to Xero.
Neither Xero nor OpenWrks can move your money or see your online banking credentials. Your bank transaction data will remain secure. OpenWrks is fully approved by the UK’s Financial Conduct Authority.
An easy way to see if you’re connected to a direct or Yodlee feed is to check if there’s a bank logo next to your bank account on your Xero dashboard or Bank accounts screen. If there’s a bank logo, your feed is a direct feed. If there’s no logo, your feed is a Yodlee feed. Refer to Xero Central to learn more.
If you don’t have access to online banking, or you don’t know your online banking credentials, get in touch with your bank as soon as possible to set this up; otherwise you won’t be able to use Open Banking bank feeds. The process to set up online banking differs between banks but can typically take up to 10 business days.
Yodlee may continue to work with other service providers to provide Open Banking compliant bank feeds in the UK and EU. However, we’ve decided to partner with OpenWrks to bring you new direct feeds that are secure, easy to set up from inside Xero, and free of charge.
You can visit your online banking to remove any permissions that you’ve given to service providers. If you wish to disconnect your bank feed, you can do this in Xero’s Settings. However, this will not remove the permissions you have given to Xero and you will still see this in your online banking.
For more information, guides and instructions around changes to bank feeds visit our Open Banking resource centre.