How we ensured security and privacy with Instant Bank Pay
GoCardless is an FCA-regulated financial services provider and a registered Third Party Provider of Open Banking services. We’re starting to roll out a new feature to the GoCardless payments platform - Instant Bank Pay. It’s our new way for businesses to collect one-off payments, powered by open banking.
We’ve designed Instant Bank Pay with security and privacy in mind. Getting those right is incredibly important to build trust in new Open Banking payment mechanisms: 63% of UK consumers would be open to new types of online payment options if they promised better transaction security.
You might be wondering, what is open banking? How does it work? Is open banking safe? How does GoCardless’ Instant Bank Pay feature ensure my payments are safe and secure? This article explores these areas, to give you insight into why you can pay via Instant Bank Pay with confidence.
How does Instant Bank Pay work?
GoCardless uses a direct connection to the UK banks to initiate payments. This connection allows you to authorise the payment digitally with your bank, without needing to share your password or login credentials.
To take a payment with Instant Bank Pay, merchants create a single-use payment request link, which is valid for 7 days. You receive that link, confirm your details, and GoCardless connects you to your bank to authorise the transaction via your mobile app or online banking. GoCardless will then initiate the payment, and send you an email to confirm the payment has gone through.
Though the way you authenticate payments with Instant Bank Pay is new, these payments are completed through the existing Faster Payments Service, which you’ve likely already used to transfer money to friends, family, and other businesses.
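The flow described above rests on two properties of the payment request link: it is single-use and it stops working after 7 days, and the payer's approval comes back from the bank rather than through GoCardless. The following added example (not GoCardless code; the class and method names, the token format and the state names are assumptions made for illustration) models those checks as a small lifecycle so the failure modes are visible: reopening a used link, opening an expired link, and trying to initiate a payment that the payer has not authorised are all rejected.

```python
"""Illustrative model of a single-use, time-limited payment request link.
Added example; not the GoCardless implementation. Names are assumptions."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

LINK_VALIDITY = timedelta(days=7)  # the page states links are valid for 7 days


@dataclass
class PaymentRequest:
    token: str
    amount_pence: int
    merchant: str
    created_at: datetime
    state: str = "pending"  # pending -> authorised -> initiated, or expired
    bank_reference: Optional[str] = None  # opaque reference returned by the bank


class PaymentRequestStore:
    """Holds payment requests and enforces the single-use and expiry rules."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._requests: Dict[str, PaymentRequest] = {}
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def create(self, amount_pence: int, merchant: str) -> str:
        # 256 bits of randomness: the link cannot be guessed or enumerated.
        token = secrets.token_urlsafe(32)
        self._requests[token] = PaymentRequest(token, amount_pence, merchant, self._clock())
        return token

    def _get_live(self, token: str) -> PaymentRequest:
        req = self._requests.get(token)
        if req is None:
            raise LookupError("unknown payment request")
        # Expiry applies to an unused link; an authorised payment is not re-timed.
        if req.state == "pending" and self._clock() - req.created_at > LINK_VALIDITY:
            req.state = "expired"
        if req.state in ("expired", "initiated"):
            raise PermissionError(f"payment request is {req.state}")
        return req

    def open_link(self, token: str) -> dict:
        """Payer opens the link: they see only what they are about to approve."""
        req = self._get_live(token)
        return {"amount_pence": req.amount_pence, "merchant": req.merchant}

    def record_bank_authorisation(self, token: str, bank_reference: str) -> None:
        """The bank reports SCA-backed approval; no credentials cross this boundary."""
        req = self._get_live(token)
        if req.state != "pending":
            raise PermissionError("payment already authorised")
        req.state = "authorised"
        req.bank_reference = bank_reference

    def initiate_payment(self, token: str) -> dict:
        """Submit to the payment rails: succeeds exactly once, and only after approval."""
        req = self._get_live(token)
        if req.state != "authorised":
            raise PermissionError("payer has not authorised this payment")
        req.state = "initiated"
        return {"amount_pence": req.amount_pence, "merchant": req.merchant,
                "bank_reference": req.bank_reference}


def rejects(action: Callable[[], object], exc: type) -> bool:
    """True if calling action() raises exc; used to show which misuse is blocked."""
    try:
        action()
    except exc:
        return True
    return False


def run_demo() -> dict:
    """Walk one request through its lifecycle with a controllable clock (constructed data)."""
    now = [datetime(2021, 1, 1, tzinfo=timezone.utc)]
    store = PaymentRequestStore(clock=lambda: now[0])
    token = store.create(1250, "Example Merchant Ltd")
    results = {"shown": store.open_link(token)}
    results["initiate_before_auth_blocked"] = rejects(lambda: store.initiate_payment(token), PermissionError)
    store.record_bank_authorisation(token, "BANK-REF-0001")  # constructed reference
    results["initiated"] = store.initiate_payment(token)
    results["replay_blocked"] = rejects(lambda: store.open_link(token), PermissionError)
    stale = store.create(500, "Another Merchant Ltd")
    now[0] += LINK_VALIDITY + timedelta(seconds=1)
    results["expired_blocked"] = rejects(lambda: store.open_link(stale), PermissionError)
    results["unknown_blocked"] = rejects(lambda: store.open_link("not-a-token"), LookupError)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The design point is that the token is the only capability the link carries: it reveals the amount and payee, it can be consumed once, and nothing about the payer's bank login ever passes through the store.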
Is Instant Bank Pay secure?
When you enter your bank’s login credentials, you do so from within your bank’s native environment, whether that’s on their website or in their mobile app. Your bank uses Strong Customer Authentication (SCA) to identify you, which adds an extra layer of security to the login process and safeguards your account. As a third party, GoCardless will never ask you to provide us with your bank’s login credentials.
Money transferred through Instant Bank Pay moves automatically via GoCardless’ direct connection with banks, which ensures the security of each transaction. Consumers should also know that FCA rules require banks to treat a breach of your bank account via a third-party provider as though it were a breach of the bank itself. As a result, you’ll have the same level of protection as you would with a normal bank transaction.
How is my data stored?
The login process to approve the payment is managed by your bank, and as a result your login details are not shared with GoCardless. Neither the business, nor GoCardless, have access to any information about your account balance. Your bank will show you a summary of your payment, the amount, and who you’re paying.
GoCardless needs to keep personal data for as long as necessary to provide our services and process payments for our merchants. We also keep personal data for other legitimate business purposes, such as complying with our legal obligations, resolving disputes, preventing fraud, and enforcing our agreements. Because these needs can vary for different data types used for different purposes, retention times will also vary. Here are some of the factors we have considered to set retention times:
How long do we need the personal data to develop, maintain and improve our services, keep our systems secure, execute refunds, prevent fraudulent transactions, and store appropriate business and financial records?
Have you asked us to stop using your data or withdrawn your consent? Where we can delete the data, we will process it for only a short period after this to meet your request. If needed, we will also keep a record of your request so that we can make sure it is respected in the future.
Are we subject to a legal, regulatory or contractual obligation to keep the data? For example, we’re required to keep transaction data and other information that helps us carry out required checks, for periods of time that vary according to the underlying payments scheme. We may also need to comply with government orders to preserve data relevant to an investigation or retain data for the purposes of litigation.
For more information, please see our Privacy Centre.
Importantly, while GoCardless is required under law to save your bank details, this doesn’t mean we can take payments from you at any time. Any payments via Instant Bank Pay will always have to be approved by you, the payer.
How can I dispute charges?
Payments made with Open Banking in the UK are via Faster Payments - the same banking rails used to make a bank transfer to a business or friend. With a payment made via Faster Payments, there are 4 types of payment error: error by the Payment Service Provider, error by the Payer, error with the Goods or Service, and error due to Fraud.
Error by the Payment Service Provider: If the amount taken was incorrect, you’ll need to speak directly to the merchant. If you believe there was an error made by GoCardless, or if you receive a 500 error, please get in touch with us.
Error by the Payer: If you’ve made a payment in error, you can notify your bank. If the bank finds evidence that the payment was a mistake, you’ll receive a refund within 20 working days. If the business disputes your claim, your bank will indicate the options you have available.
Error with the Goods or Service: You’ll have to dispute this with the merchant, and if you can’t come to a resolution, follow up with court action.
Error due to Fraud: The contingent reimbursement model exists to compensate victims of authorised push payment fraud (where fraudsters use social engineering to trick people into payments). You’ll have to prove to your financial institution that it was fraud.
To summarise this section, if you disagree with the payment, you should contact the business itself. You have the same level of protection as a payer as you normally would with your bank, so if you can’t resolve it with the business, you can go through your bank’s dispute resolution process.
Building a better experience for payers
GoCardless is using open banking to provide a better experience for payers. One of the most important considerations when developing a feature like Instant Bank Pay - which relies on innovative technology that might be unfamiliar to payers - is whether there are sufficient privacy and security measures in place that protect both consumers and businesses. We built Instant Bank Pay with three pillars of privacy and security in mind:
Protecting your account information
Protecting your data
Protecting your funds
By connecting you directly to your bank, we’re able to better safeguard your information and login credentials. We’re required to keep some of your personal data to meet our legal and regulatory obligations, but when we do so, we follow a strict privacy framework. And ultimately, Instant Bank Pay gives you final approval over what payments are made. If there’s an error, there are existing dispute resolution processes in place to help you recover your funds.
Thank you to Melissa from our Privacy & Security Team for helping me to find and organise all of the information in this blog post.