Your peace of mind is vital, and knowing you’ve chosen a provider who places security front and centre is key.

Explore all the ways we protect you and your data below.


Open Banking Regulations

Open Banking is a series of reforms requiring all UK-regulated banks to let their customers share financial data (such as spending habits, regular payments and the companies they use) with authorised providers, for example budgeting apps or other banks, via an Application Programming Interface (API), provided the customer gives their permission.

Customers can only safely share their financial information with providers regulated by the Financial Conduct Authority. Moneyhub Financial Technology is a registered AISP (Account Information Service Provider) and PISP (Payment Initiation Service Provider) and has been granted permission to provide Credit Information Services (CIS) by the Financial Conduct Authority (FCA). Reference no. 809360.

To the customer, an API connection appears as a redirect from the third-party app (such as Moneyhub) to their bank's app or website. The bank asks whether they want to allow the app to access their finances and view their data for the next 3 months; once they agree, they are redirected back to Moneyhub.

It is a little like signing in to another app via Facebook or Google: it does not change the underlying account or grant unlimited access to it, and the customer can stop access at any time from their banking app. They are prompted every 3 months to reconnect, so a connection can never accidentally be left running.
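To make the consent model above concrete, here is an added Python sketch (not Moneyhub's code, nor any bank's) of the redirect flow: the app sends a random state value, the bank records a read-only consent that lasts 90 days and can be revoked from the bank's side, and every subsequent API call is checked against that consent. All names, scopes and dates are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
CONSENT_LIFETIME = timedelta(days=90)  # "the next 3 months" on the page

@dataclass
class Consent:
    scopes: frozenset
    granted_at: datetime
    revoked: bool = False
    def active(self, now):
        return not self.revoked and now - self.granted_at < CONSENT_LIFETIME

class Bank:  # stand-in for the customer's bank: holds consents, checks every call
    def __init__(self):
        self.pending = {}   # state -> scopes the app asked for
        self.consents = {}  # access token -> Consent
    def authorize(self, state, scopes):
        self.pending[state] = frozenset(scopes)
    def customer_approves(self, state, now):
        scopes = self.pending.pop(state)
        token = secrets.token_hex(16)
        self.consents[token] = Consent(scopes, now)
        return state, token  # redirect back: echoes the state, carries a token
    def revoke(self, token):
        self.consents[token].revoked = True  # customer stops access at the bank
    def call(self, token, scope, now):
        c = self.consents.get(token)
        if c is None or not c.active(now):
            return "reconnect"   # expired or revoked: the app must re-consent
        if scope not in c.scopes:
            return "forbidden"   # read-only consent cannot initiate payments
        return "ok"

def connect(bank, now):
    state = secrets.token_urlsafe(16)  # random, bound to this one attempt
    bank.authorize(state, ["accounts:read"])
    returned_state, token = bank.customer_approves(state, now)
    if not secrets.compare_digest(returned_state, state):
        raise ValueError("state mismatch: redirect was not ours")
    return token

def demo():
    bank, t0 = Bank(), datetime(2024, 1, 1, tzinfo=timezone.utc)
    tok = connect(bank, t0)
    out = [bank.call(tok, "accounts:read", t0 + timedelta(days=30)),
           bank.call(tok, "payments:write", t0 + timedelta(days=30)),
           bank.call(tok, "accounts:read", t0 + timedelta(days=91))]
    bank.revoke(tok)
    out.append(bank.call(tok, "accounts:read", t0 + timedelta(days=30)))
    return out  # ['ok', 'forbidden', 'reconnect', 'reconnect']
```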



Data

We encrypt all banking credentials entered into the app and store them separately from a customer's personally identifiable information. To retrieve transaction history, these credentials are decrypted automatically, used to fetch the history, and immediately re-encrypted. We at Moneyhub don't store any login credentials, including passwords.


Moneyhub is a read-only service, so if a Moneyhub account should fall into the wrong hands - for example, if a customer's phone is stolen and hacked - no one can make any transactions from their bank account. In addition, a PIN code, password or Touch ID must be provided to log in to a Moneyhub account each and every time.


Our Data Aggregation Partner

Wherever possible, we use Open Banking to allow access to accounts in Moneyhub. Open Banking sets standards for banking APIs. However, the legislation only covers banks, and specifically only current accounts. It doesn't cover providers such as mortgage lenders, or even other account types at the same bank. Additionally, not every bank has its API ready. We know that Moneyhub is most useful when it can connect every account possible, which is why we use another method to add accounts that aren't yet available through APIs.

We use an aggregation partner, Yodlee, to retrieve bank data, so that all transactions come through to the same place. We have chosen to work with Yodlee because they:

  • Are supervised by the U.S. Banking Regulators (a body similar to the UK’s Financial Conduct Authority).

  • Provide a trusted service to more than 1,200 financial institutions and FinTech companies, including 15 of the top 20 U.S. banks.

  • Have a proven 16-year track record of keeping user information safe and secure.


Our Security Procedures

We have certified ISO-27001 information security procedures. This is the same certification used by Google, Microsoft and Amazon. It is an internationally recognised standard that sets out the requirements for establishing and maintaining a robust information security management system. It also provides assurance that a business with this accreditation has implemented secure processes and controls that have been through rigorous audits and assessments. The certification demonstrates that we as a company have adopted a proactive rather than reactive approach to managing our consumers' data security.

This means we adopt the following processes:

  • A specialist Financial Services compliance team checks our processes on a monthly basis.

  • A comprehensive risk tracker maps information asset risks back to a series of internal controls.

  • The principle of least privilege is applied throughout the organisation: access is limited to the minimum level that allows normal functioning. Staff have the lowest level of user rights that still lets them perform their roles.


Our Security Protocols and Techniques

Moneyhub Enterprise software teams undergo regular security awareness training and have a continual threat modelling process in place for the software.

Regular penetration tests are carried out to ensure that the system is protected against vulnerabilities, and we use best practices and open standards to ensure that we protect against common attack vectors. Notably, we use the OAuth 2.0 and OpenID Connect standards to enable token-based authorisation for all our internal services, ensuring that we don’t rely on perimeter security alone.

Access to the live system is available only to a small number of people. Any access is done via secure channels.


The Financial Conduct Authority & AISP and PISP Regulations

Moneyhub is a registered Account Information Service Provider (AISP) and Payment Initiation Service Provider (PISP). This means that we are regulated by the Financial Conduct Authority (FCA) and have permission to provide account information services and payment initiation services in the UK.

This status means that banks and other financial institutions that provide payment accounts must allow their users to access their accounts via Moneyhub.


Banking Terms and Conditions

The Financial Conduct Authority (FCA) has released some information on a consumer's rights when sharing their information with a third party application, such as Moneyhub. The following is an excerpt from this information:

"Your banking terms and conditions should not prevent you from sharing your credentials with regulated AIS or PIS providers. Your bank cannot hold you responsible for unauthorised transactions just because you have shared your credentials with AIS and PIS providers."

For more information, please visit the FCA website.

Moneyhub Financial Technology is a registered AISP (Account Information Service Provider) and PISP (Payment Initiation Service Provider), reference no. 809360.


How We Help Our Customers With Their Security

Many of our users find that Moneyhub helps them spot suspicious activity and fraud through frequently checking their finances and categorising their transactions. 


Responsible Vulnerability Disclosure

At Moneyhub, securing our systems is of the utmost importance. While we strive to ensure absolute security, we acknowledge that people sometimes overlook things. Therefore, to bolster the safety of our users, we are eager to cooperate with external security researchers and bug hunters.

Here is a guideline on how you can report vulnerabilities, and what you can expect from us if you do. All reports can be sent to security@moneyhub.com. If you would like to encrypt your mail (we suggest you do if it contains personal information), please find our PGP key at the bottom of this page.

Favourable practices:

  • Be mindful of maintaining the integrity of our production systems - alert us early and minimise damage if you notice any performance degradation.

  • Help us understand and locate the vulnerability quickly by providing supporting evidence or proofs-of-concept.

  • Report vulnerabilities even if you’re not 100% sure of their severity!

  • Write reports in clear English, to give us a higher probability of understanding and resolving the issue at hand.

  • Please include any plans or intentions for public disclosure.

Unfavourable practices:

  • Don’t exploit vulnerabilities discovered to gain unauthorised access to data or manipulate our systems in ways that may negatively impact our users.

  • Maintain confidentiality and abstain from disclosing any information about the vulnerability on blogs or social media platforms until we have managed to categorise and rectify it. We prioritise user protection; however, you're welcome to publicise your findings, but only post-remediation and with our approval.

  • Do not attempt social engineering strategies against our employees or users.

In sharing vulnerabilities discovered and following these guidelines, we offer:

  • Safe harbour: we promise not to impose any legal or punitive recourse, even due to unintended harm to our systems during your investigative activities.

  • Respect for Privacy and Confidentiality: We uphold these principles in the highest regard and pledge never to reveal or publish any information concerning you without your explicit permission.

  • A timely response to your email within 5 business days.

  • After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.

  • An open dialogue to discuss issues.

  • Notification when the vulnerability analysis has completed each stage of our review.

  • Credit after the vulnerability has been validated and fixed.




Further Queries

Any queries we haven’t answered here? Please do get in touch, we’d love to help.