Guide · 6 min read

What open banking actually shares

Connecting a bank account to an app sounds like handing over the keys. Under European law it is closer to handing over a photocopy, for a fixed period, that you can shred at any time.

The hesitation is completely reasonable. An app asks to connect your bank, you get bounced into your banking app, you approve something, and you come back not entirely sure what you just agreed to. This guide is what you just agreed to.

The one-sentence version

The app can read your balance and transactions. It cannot move money, it never sees your banking password, and you can cut it off from inside your own bank whenever you like.

An arrow labelled READ carries a document from a bank to a phone. A return arrow labelled NEVER WRITE is crossed out.
The permission travels one way. Payment initiation is a different licence entirely.

Who is allowed to ask

In the EU this is governed by PSD2, the second Payment Services Directive. It created a licensed role called an AISP, an Account Information Service Provider. An AISP is a company authorised by a national financial regulator to request read-only access to your accounts, on your instruction.

The licence matters. It is not a terms-of-service promise; it is a supervised permission with capital requirements, audits and a regulator that can withdraw it. Most apps you meet, including Pocket Pivot, are not themselves the AISP. They work through a licensed provider that holds the licence and the bank relationships. Pocket Pivot uses Enable Banking.

What actually happens when you press connect

  1. The app sends you to your bank’s own login screen, not its own.
  2. You authenticate the way you always do: your bank’s app, a card reader, Face ID. This is Strong Customer Authentication, and it happens entirely inside your bank.
  3. Your bank shows you which accounts you are about to share, and you pick them. Your bank decides what appears on that list, not the app.
  4. Your bank hands the licensed provider a token: a limited, expiring key scoped to reading those accounts.

At no point does the app see your banking password. It could not initiate a payment if it wanted to: the token does not carry that permission. Payment initiation is a different PSD2 licence with a different consent screen, and you would notice, because your bank would ask you about a payment.

The Pocket Pivot bank picker, listing banks available in the Netherlands.
You choose the country and the bank. Everything after this happens inside your bank.

How long the permission lasts

Consent expires. Since 25 July 2023, EU rules require you to re-authenticate with your bank at least every 180 days for an app to keep reading your accounts.1 Before that amendment it was 90 days, which is why older articles say 90. If your bank detects an elevated risk of fraud it can force a fresh authentication at any time.

Nothing has to expire for you to end it, though. You can revoke access from inside your own banking app, under a heading like “third-party access” or “connected apps”. That works even if you deleted the app that asked. Deleting the app in Pocket Pivot’s case also deletes the connection and the local history it built.

The 90-day limit nobody warns you about

Here is the one that surprises people, and it is worth knowing before you connect.

The rule that lets an app read your accounts without a login every time also limits what it may read to your balance and roughly the last 90 days of transactions.1 Many banks are more generous and return one or two years of history on the first connection. Some return exactly 89 or 90 days and no more.

This is a property of the bank, not of the app. It means a spending app can genuinely be unable to show you last year: not because it lost the data, but because the bank never sent it. Pocket Pivot tells you explicitly when a bank has truncated your history this way, rather than quietly showing you a shorter calendar and letting you assume it is complete.

What the app can and cannot see

The questions worth asking any app

Before you connect a bank to anything, these four answers should be easy to find:

For what it is worth, Pocket Pivot’s answers are: Enable Banking; on your iPhone, in local storage, with credentials in the iOS Keychain; nothing is sold or shared; and Settings has a delete-everything control that clears connections, transactions, insights and widget data from the device. Read the privacy policy and hold us to it.

The one thing worth remembering

Open banking is read-only by construction, not by promise. The permission you grant is narrow, it expires, and you hold the off switch inside your own bank. That is a meaningfully different thing from giving an app your password, which, incidentally, is what screen-scraping apps used to do, and what PSD2 was written to end.

Sources

  1. Commission Delegated Regulation (EU) 2022/2360, amending the PSD2 Regulatory Technical Standards on Strong Customer Authentication. Applicable from 25 July 2023; introduces a mandatory SCA exemption for account access, renewable every 180 days, scoped to balance and the most recent 90 days of transactions. European Banking Authority

Connect a bank, or do not

Pocket Pivot opens with sample data. You can use the whole app before connecting anything.

Stay informed about early access

Pocket Pivot is a spending-awareness tool. Nothing here is financial, investment, tax or legal advice, and it is not a substitute for your bank’s own terms.