TrueLayer - is it really safe to use?

Hi,
I wanted to add some money to my trading account today and looked at the bank deposit option using TrueLayer.

Part of the process is to not only enter my online banking logon id but the password as well.
In all my dealings online for any other accounts I have never been asked for these credentials. Talking to my IT security manager at work, he says that to do so breaks ‘every IT security rule in the book’.
To give a 3rd party your internet banking details he says is nothing short of lunacy.

But on the other hand it seems like a lot of you guys use this method yourselves so it must be secure, mustn’t it?

Cheers
HL

Hey.

Monzo have an excellent page explaining how it works.

The key is that it’s read-only access they gain through the account. It also provides something like a lever system, but the levers can only be pulled on your instruction - which you do in your banking app and not external to it.

2 Likes

Hi Scrooge, thanks for your reply

When they say
"We’ll access some of your account details:

  • Account type (e.g. current, saving, investment, credit card)
  • Account name
  • IBAN/Account number/Sort code/SWIFT
  • Currency
  • Current balance
  • Available balance (credit cards)"

I’m not sure I’m comfortable with this to be honest.
I love Trading 212 but I may have to move elsewhere so I can fund my account in a more traditional manner without incurring a 0.7% cost :frowning:
HL

Fair enough. You can of course use the standard bank transfer that requires none of these details.

2 Likes

Sorry but that’s completely wrong.

You never give TrueLayer your online banking password or actual access details (with which they would be able to log in on your behalf).

What happens when you try to set up an instant transfer via the T212 app is (simplified):

1- T212 takes you to the TrueLayer website
2- On the TrueLayer website you select the bank of the account you want to link, amongst the “compatible” banks
3- You get taken to the bank’s own website or mobile app, where you’ll log in to your account via the bank’s own online banking/app infrastructure
4- On the bank’s online banking website or app, you grant access to TrueLayer by giving them a “token” (which you can revoke anytime via your bank’s online banking interface or mobile app), not by sharing your login credentials with them
5- Then you get redirected back to TrueLayer
6- TrueLayer thanks to this token gets access to read-only details about what’s in your account (i.e. they don’t get details about how you login to your account) and will be able to act as speedy middleman between T212 and your bank

And now, your bank account is linked, via TrueLayer, to T212.

Then, whenever you need to make an instant transfer, what happens is that T212 will seamlessly take you to your own bank’s online banking or app via TrueLayer (which means you won’t have to deal with TrueLayer again, they’ll literally just be a half-a-second redirect between T212 and your bank’s own login page).

The “via TrueLayer” part (that again, once you’ve set up your account for the first time, then becomes completely transparent to you) is what allows T212 to have the exact deposit amount (that you previously chose within the T212 interface) and T212 “receiving account” details showing up, pre-filled, in your bank’s own online banking site or mobile app (to which you’ll get access via logging in to your bank’s app or online banking as normal, not on TrueLayer’s domain). So then (after finding yourself in your online banking/app) you can just authorise the transaction (again: YOU need to authorise it, or it won’t go through) using your usual means of authentication that your bank has set up on their own website/app.

Hope this makes it a bit clearer, and sorry for the broken English :grin:

I will add, but that’s just a personal consideration, that the fact your IT security professional of reference doesn’t know what TrueLayer is or how it works is a bit concerning.

3 Likes
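
The flow in the numbered steps above, as a toy Python model added here for illustration (not part of the thread, and not TrueLayer's or any bank's real API; the class, method and scope names are hypothetical). It shows the password being checked only by the bank, the third party holding a read-only token, and a payment requiring the customer's own bank session.

```python
import secrets

class Bank:  # toy model with hypothetical names; not TrueLayer's or any bank's real API
    def __init__(self, customer, password, balance):
        self.balance = balance
        self._grants = {(customer, password): {"login"}}  # credential -> rights it carries

    def _issue(self, rights):
        secret = secrets.token_hex(8)
        self._grants[secret] = frozenset(rights)
        return secret

    def _need(self, credential, right):
        if right not in self._grants.get(credential, ()):
            raise PermissionError(f"{right} not granted")

    def login(self, customer, password):        # step 3: typed on the bank's own site/app
        self._need((customer, password), "login")
        return self._issue({"customer"})        # session: the only thing that can approve

    def grant_token(self, session, scopes):     # step 4: consent given inside the bank
        self._need(session, "customer")
        return self._issue(set(scopes) & {"accounts:read"})  # allowlist: read-only

    def revoke_token(self, session, token):     # customer withdraws consent at the bank
        self._need(session, "customer")
        self._grants.pop(token, None)

    def read_balance(self, token):              # step 6: what the third party can do
        self._need(token, "accounts:read")
        return self.balance

    def authorise_payment(self, credential, amount):  # needs a bank login session
        self._need(credential, "customer")
        self.balance -= amount

def attempt(call, *args):
    try:
        return call(*args)
    except PermissionError as err:
        return f"refused: {err}"

def run_flow():  # constructed sample customer, password and amounts
    bank = Bank("hl", "constructed-password", 500)
    session = bank.login("hl", "constructed-password")
    token = bank.grant_token(session, {"accounts:read", "customer"})  # over-asks
    out = [attempt(bank.read_balance, token), attempt(bank.authorise_payment, token, 100)]
    bank.authorise_payment(session, 100)        # customer approves the deposit
    bank.revoke_token(session, token)
    return out + [bank.balance, attempt(bank.read_balance, token)]
```

`run_flow()` returns, in order, the balance read with the token, the refusal when the token is used to approve a payment, the balance after the customer approves it from their own session, and the refusal once the token has been revoked.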