Jack Wilson, Head of Policy & Regulatory affairs at TrueLayer
Total open banking volumes are increasing: for the first time in February of 2021 alone, more than one million open banking payments were processed – compared to 300,000 for the whole of 2019.
At the same time, card fraud is proliferating. According to data from the European Central Bank, card fraud is highest in the UK, with €10,414 lost per 1,000 people. This is impacting confidence in cards as a payment method, with 55% of consumers saying they worry frequently about fraud when buying something online.
As open banking payments become more ubiquitous in the UK, and more merchants offer it at the checkout, it’s important to understand: how secure are open banking payments, and what protections do they offer when something goes wrong? Let’s take these questions in turn.
Open banking payments are inherently secure and built for online:
When a customer confirms their purchase and chooses open banking payments at checkout, they are sent to their bank’s app to strongly authenticate, usually with biometrics. This means their bank checks that the customer owns the phone or computer they are paying from, and uses fingerprint recognition or face ID before the payment is authorised. Open banking payment providers have been required to use strong customer authentication (SCA) since March 2018. Card issuers in the UK are not required to use SCA until September 2021.
With open banking payments, the only details transmitted are payment instructions, which are sent securely to the customer’s bank, rather than the merchant. With card payments, in contrast, the customer shares their long card details with a merchant and these details are all that is needed for an unscrupulous merchant, or hacker, to process unauthorised transactions. This has led to over 2 million cases of card fraud in 2020, valued at £574m (according to UK Finance).
When customers choose to pay a merchant using open banking, the payee details are pre-populated by the open banking payment provider, who has a contract with the merchant. This eliminates the possibility that funds could go to the wrong place, or that the customer could be tricked into paying a fraudster.
Open banking payments are safe by design, but no online purchase is 100% risk-free. In the event that something does go wrong with a payment, are you protected?
The short answer is yes. There are two types of protections which cover you when you buy something online:
This is always the case – no matter what payment method you choose.
Let’s look at these protections in more detail and how they apply specifically to open banking.
When something goes wrong with a payment:
The Payment Services Regulations in the UK provide strong legal protections for customers using open banking payments.
When the customer makes a payment this way:
In addition, open banking providers must have complaints procedures in place in case a customer is not happy with how their payment has been handled. If the customer is not satisfied with how the complaint is handled, they have the right to escalate to the Ombudsman who can award compensation.
When something goes wrong with a purchase aka ‘buyer protection’:
The protections here kick in after you authorise a payment to a merchant, when what you paid for does not arrive, or is not as described.
Whatever payment option you use, you have legal protections under the Consumer Rights Act 2015. This entitles you to:
A huge benefit of TrueLayer’s open banking solution PayDirect, is the speed at which customers can receive a refund if there is a problem with a purchase. Unlike card refunds which can take between 2-7 days to process, once a merchant has agreed to refund a customer, using PayDirect they can send the funds back instantly.
When using a card, there is an additional option for customers in the event of a purchase dispute. If you use a card and the merchant refuses to refund, you can ask your bank (the card issuer) for a refund, known as a ‘chargeback’.
Bank transfers have been developed along different lines to card payments. When a customer makes a bank transfer, they give instructions to their bank (eg send money to X sort code, y account number), which their bank is obliged to act on. Once the bank has correctly executed the instruction, they have no further involvement, or liability, for the transaction. However, if the bank makes a mistake, the consumer is eligible for a refund.
Because open banking providers instruct bank transfers on behalf of the customer, there is no built-in chargeback mechanism. However, chargeback has always been a last resort for consumers: something to call on when the communication between a customer and a merchant has broken down.
A crucial difference between card payments and open banking payments, which ensures good outcomes for customers without chargebacks, is that open banking payment providers have direct relationships with the merchants that accept open banking payments. This is different to card payments, where a card issuer has no direct relationship with the merchant, and has to rely on the card scheme to onboard the merchant.
This means that in addition to existing consumer protections discussed above, open banking providers have more control and can take additional steps to prevent the likelihood of purchase disputes and assist when things go wrong:
UK and EU authorities have supported the emergence of open banking payments in order to inject competition into the payments market. Open banking payments offer a secure, convenient and low cost option for merchants accepting payments. Not only will customers be able to shop with confidence using open banking payments, but, in the longer term, they should benefit from lower prices as a result.
Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.
We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.
Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.
Please click the button below which relates to the issue you’re having.
Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association
Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.
For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.
The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.
Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.
Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.
For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.
