If you choose to share your business bank statements by Open Banking, it helps to know exactly what you are consenting to, how long it lasts, and how to switch it off. This article covers the consent rules and your right to revoke. For whether to use Open Banking at all, see what Open Banking is and is it safe.
What you are consenting to
Open Banking access is read-only. When you connect, you authorise a regulated Account Information Service Provider (AISP) to let us read the transaction history on the account — up to 12 months back — so we can assess the company's affordability. We never see your online banking password, because you authenticate on your own bank's screen. The connection cannot move money: we do not take a payment from your account without your separate, per-payment authorisation at the time.
Consent expires automatically every 90 days
Under FCA rules, an Open Banking access consent expires automatically after 90 days. If we still need access at that point, you will be asked to re-authorise before the 90 days elapse. If you do not re-authorise, the connection simply lapses and we stop receiving data. This 90-day cycle is built into the framework to keep you in control — access cannot quietly run forever.
How to revoke at any time
You do not have to wait for the 90 days to run out. You can revoke an Open Banking connection at any time, with immediate effect, in either of two places:
- the Connections panel in your customer portal; or
- your bank's own app, where connected third parties can be managed and removed.
Once revoked, we stop receiving data straight away.
Revoking does not affect a signed loan
This matters: revoking an Open Banking connection does not affect any loan you have already signed. The agreement continues on the terms you accepted, and your repayments are unchanged. Revocation only stops future data sharing; it is not a way to cancel a loan, and it is never held against you.
The provider is regulated too
The AISP that carries the connection is authorised by the FCA in its own right and is subject to the same data-protection regime as us, following the standards published by the Open Banking Implementation Entity under the Payment Services Regulations 2017. If you would rather not connect at all, you can upload PDF or CSV statements instead — the decision uses the same information. Our Privacy Policy explains how the data is handled once we receive it.