Connecting a Credit Card - Is It Secure?

I’d really like to link my existing credit card in Monzo using the in-app feature, however, entering the credentials for my main savings / credit account really goes against the grain of Internet security 101.

I’d like people’s experiences of how this works, if they have found it beneficial and what information there is out there on how secure this process is.

Don’t get me wrong, I trust Monzo as I would any other bank but I don’t like the idea of a third party (TrueLayer) storing the credentials (in whatever form) for the place where I store my savings.

I know an easy response will be “Well if you don’t trust it, don’t use it” and that’s fair, but I’d rather get past my insecurities with helpful reassuring information and adopt this feature.

Not too sure what I am looking for, but any help will be appreciated!

Yes it is. It uses something called TrueLayer using Open Banking. This might be helpful:

Looks good to PayPal at least. I just add my account and card to PayPal which sees it as a MasterCard. The verification code was instant! Wow! It will be interesting to see how long the payment takes to go back…
But yes, looks good.

They are not marked as ‘Authorized’ by the FCA which has me concerned.

“It cannot be determined if FSCS cover would apply to this firm. Please contact the firm directly to understand whether their products/services would be covered by FSCS.”

There’s a heap of security regulation on this under the Payment Services Directive 2.

Check out which is the UK standards based on the EU directive.

They’re regulated by the FCA - but they are unlikely to need FSCS protection as TrueLayer aren’t handling any money on your behalf (they’re just pulling data through).

Companies like this are all up and running via the Open Banking initiative.

EDIT: from their website:

TrueLayer is regulated by the UK Financial Conduct Authority under the Payment Services Regulations 2017 as an Authorised Payment Institution to provide account information services and payment initiation services (Firm Reference Number: 793171).

In your last screenshot it says “You’ll never be asked to give access to your bank login details or password to anyone other than your own bank or building society”.

Well, this is in direct contradiction to what is required by TrueLayer to establish a connection. They specifically ask for your username, password and memorable ID.

It ports you to your card provider. Where you enter your details should have the branding of the card provider. Mine was the Lloyds login screen. You are only giving those details to Lloyds, for example.

It has a green background and the Lloyds Bank logo but the URL of the page is

I am just extremely skeptical. As I say, Internet Rule of Thumb 101 is don’t enter your banking credentials anywhere other than the official bank’s website.

Rather than Monzo, Starling, Lloyds, HSBC, Santander, Barclays all having to write the code and adhere to the open banking standards in their own ways, TrueLayer set up to do it for them. It could be direct Monzo to Lloyds but they’d all have to run the merry-go-round of making sure each other are compatible. TrueLayer provide that service. But they are just a layer. They don’t hold data they don’t need or aren’t allowed to. There are other competitors doing the same thing such as Bud. The open banking reg has been through loads of iterations and was getting pretty complex for everyone to keep up to speed. UK also set its own open banking standards before PSD2 was fully locked down and lo and behold there were areas of contention. So TrueLayer, and others, have been dealing with that regulatory complexity on behalf of banks.

You are right to question it. That’s my two penneth worth. Wonder if Monzo could get someone from TrueLayer to comment.

Interesting, I didn’t even look :eyes:

fd did something years ago (internet banking plus, I recall) for other current and savings accounts.

Ahead of the curve, didn’t sign up for that at the time and I’ve no plans to do anything with Open Banking either.

Some banks/providers are even developing their own APIs to link up with other banks and providers - it’s all about linking everything together and not providing separate details to third parties.

Open Banking is all about allowing the free movement of banking data between providers - which I think is a really good thing!

I appreciate the detailed response.

Yeah, you see the Lloyds Bank logo and the green background and automatically assume it’s Lloyds’ website. That is how phishing sites operate (not that I am in any way saying that TrueLayer is a phishing website, just speaking comparatively).

Lloyds’ login page URL is and unlike the TrueLayer integration, it only asks you for 3 digits of your memorable ID, not the whole thing.

I understand why the credentials are needed; how else are they supposed to access your account? I just feel very funny about entering my credentials and would rather it be pulled over some sort of API.

The premise is fantastic and definitely a step in the right direction, just want to understand how my credentials are handled and stored.

This was just what I was looking for, thank you!

You’re absolutely right to question and field opinion here. If only more people did!

Ultimately, if you’re not happy, then don’t do it.

The whole open banking system has changed a lot and provides a much-needed and long overdue way for data to be transferred between companies.

As many have said, there is protection and regulation in place and I, for one, have not heard of any sort of breach or malicious activity as a result of TrueLayer being used.

Thanks guys, I’ll think on it some more.

I guess it really depends on what I am looking to gain from it and then take it from there.