Guidance

Open Banking privacy notice

Updated 22 May 2024

The purpose of this document

This privacy notice describes how HMRC uses your personal information when you use Open Banking to make a payment or receive a refund.

You are using Open Banking when you choose to:

• ‘pay by bank account’ to pay HMRC
• get a refund from HMRC sent directly to your bank account

This notice does not relate to other ways to pay HMRC, such as making a bank transfer or paying by credit or debit card.

You should read the HMRC Privacy Notice alongside this privacy notice.

What Open Banking is

Open Banking allows you to safely pay HMRC directly from your bank account, through an authorised third-party provider.

You can also use Open Banking to get a refund from HMRC sent directly to your bank account. You can only use this refund method when you choose to get a refund without signing in to your HMRC account. It does not apply to refunds issued by cheque or through your HMRC online account.

Open Banking is a safe way to pay and receive money. HMRC uses Ecospend, an authorised payment institution regulated by the Financial Conduct Authority (FCA), to facilitate this.

Who Ecospend is

Ecospend is the third-party Open Banking provider. Ecospend is regulated by the FCA. You can find further information about them on the Ecospend website.

You can find Ecospend’s FCA registration number in the privacy policy on their website.

Why we collect your personal data

To allow HMRC to collect a payment from you, we will securely pass the following information to Ecospend in an encrypted format:

• your payment reference
• the amount you want to pay

If you are using Open Banking to allow HMRC to send you a refund, Ecospend will have one-off access to the following information:

• the name on your bank account
• your bank account number and sort code
• your transactions

Ecospend will only use your transaction data to validate your bank account (to confirm that your bank account is real and protect your security). HMRC will not collect, store, or use your data beyond this purpose.

How we share your data

We share your data with Ecospend using an Application Programming Interface (API). This is a secure way to share details without having to reveal any of your information to anyone other than Ecospend and your bank.

How we use your data

Paying HMRC

When using Open Banking to pay HMRC, Ecospend will use your data to make the payment possible from your bank account. Ecospend will fill in the payment reference and payment amount for you.

You will be asked to sign in to your online banking or mobile app and confirm which account you want to pay from. Your bank will then action the payment request.

HMRC and Ecospend cannot see or access your online banking password and sign in details. These remain private between you and your bank.

Requesting a refund from HMRC

When using Open Banking to get a refund, you will be asked to sign in to your online banking or mobile app. Once you have signed in, you need to choose which account you want HMRC to send your refund to.

Ecospend will use your data to check that your bank account is real and belongs to you. This makes sure HMRC pays the right person.

HMRC and Ecospend cannot see or access your online banking password and sign in details. These remain private between you and your bank.

If you do not want to share your data using Open Banking

You do not have to use Open Banking and share your data with Ecospend to make a payment or receive a refund.

You can choose another way to pay or ask for a refund by cheque.

How you give your consent

Paying HMRC

By selecting ‘approve this payment’ you agree to use this service and give your consent to be transferred to your bank to make the payment.

You will then be redirected to your online banking or mobile banking app to securely sign in and approve the payment to HMRC.

Requesting a refund from HMRC

By selecting ‘approve this refund’ you agree to use this service and give your consent to be transferred to your bank to process your refund.

You will then be redirected to your online banking or mobile banking app to securely sign in and confirm which account you want HMRC to send your refund to.

How your data is stored safely

The data is stored in an encrypted format and certain fields, such as the payment reference, are further encrypted.

Our third-party service providers will only process your personal information on our instruction or with our agreement, and where they have agreed to:

• treat the information confidentially
• keep it secure

You can read more about the measures we have put in place to keep your information secure in the HMRC Privacy Notice.

The security of your data with third-party service providers

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We only permit them to process your personal data:

• for specified purposes and in accordance with our instructions
• with our agreement

How long we keep your data

Ecospend retains payment transaction data for 5 years in accordance with payment legislation, including The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

Your rights

You can read about your rights in the HMRC Privacy Notice.

Contact HMRC or make a complaint

You can contact us if you have questions about this privacy notice or want to make a complaint.

Changes to this privacy notice

We keep our privacy notices under regular review.

If we make changes to this notice, we’ll update the date at the top of this page. Changes will apply to you and your data from that date.