What Is Open Banking and How Do Bank APIs Work?
A budgeting app that somehow knows a checking account balance without anyone manually entering it relies on a behind-the-scenes handshake between that app and the bank, and how that handshake works has changed significantly over the past decade.
The short answer
Open banking refers to a framework where banks make certain account data available to outside apps and services through a standardized, secure connection called an API, rather than requiring the app to log in as if it were the account holder. The account holder typically grants permission for specific data — balances, transaction history, sometimes the ability to initiate payments — and can usually see and revoke that access later. It’s a more controlled, transparent alternative to older methods that required handing over actual banking login credentials to a third party.
What an API actually does here
An API, or application programming interface, is essentially a defined set of rules for how two systems exchange information. In banking, it lets a third-party app request specific, limited data — say, the last several months of transactions — and receive it in a structured format, without ever seeing the account holder’s actual username or password. The bank stays in control of what data is shared and can limit it to exactly what was authorized, rather than exposing the full account.
Why this replaced older data-sharing methods
Before standardized APIs became common, many budgeting and account aggregation tools relied on a method sometimes called screen scraping, where the third-party app logged into the bank’s website using the account holder’s actual credentials and extracted data from the page itself. That approach meant a password was shared with an outside company, and it tended to be fragile — a redesigned bank website could break the connection entirely. API-based access solves both problems: no password changes hands, and the connection is built to a stable, documented standard rather than scraped from a page designed for humans, not software.
What control the account holder retains
- Scoped permissions. Access is typically limited to specific types of data rather than blanket account access, and sometimes to a specific time range.
- Visible connections. Many banks show a list of connected apps somewhere in the online or mobile banking interface, making it possible to see what’s currently authorized.
- Revocable access. Permission can usually be withdrawn at any time, either through the bank or the third-party app, cutting off the data flow going forward.
- No shared login credentials. Because the app never receives the actual bank password, revoking access doesn’t require a password change the way it would with the older method.
What to weigh before connecting an account
Even with a more secure connection method, granting any third-party app access to financial data is worth doing deliberately — reviewing what data is actually being requested, whether the app’s purpose justifies that level of access, and how to find and remove the connection later if it’s no longer needed. The security of the connection method itself doesn’t replace the judgment involved in deciding which apps deserve that access in the first place.
A practical habit
Periodically reviewing which apps have standing access to a bank account, the same way one might review app permissions on a phone, keeps the list of connections limited to tools that are actually still in use.