Security and Trust at Moneyhub

Trusted by many of the UK’s largest banks, asset managers, and pension providers, Moneyhub delivers a range of regulated financial solutions with a security framework built on independent certifications, modern engineering controls, and transparent reporting.

At a glance

  • FCA authorised and regulated AISP, PISP and CISP (FRN 809360 and FRN 991638; see https://www.fca.org.uk/register)
  • ISO/IEC 27001 certified Information Security Management System
  • OpenID Foundation member and FAPI 2.0 certified
  • Regular penetration testing by a CREST-certified provider
  • Coordinated vulnerability disclosure programme (security.txt and PGP)

Trust Center

For certificates, policies, penetration test attestations, subprocessor list, and additional details, visit https://trust.moneyhub.com/

Regulation and Data Access

Moneyhub Financial Technology Limited is authorised and regulated by the Financial Conduct Authority (FCA) as an Account Information Service Provider (AISP) and Payment Initiation Service Provider (PISP), and has permission to provide Credit Information Services (CIS). Our FCA reference numbers are 809360 and 991638 (see https://www.fca.org.uk/register).

We deliver services using Open Banking and Open Finance data, and through direct integrations with financial institutions’ own data feeds. Open Banking access is consent-based and token-based: the user authenticates at their bank and we receive an access token, so we never see or store bank credentials. For ongoing access we request re-consent every 90 days, and the user can revoke access at any time. AISP access is read-only; payments are initiated separately under our PISP permission, with Strong Customer Authentication completed at the user's bank.

API and Platform Security

We are OpenID Foundation FAPI 2.0 certified. Our APIs implement mutual TLS and private_key_jwt client authentication aligned with Open Banking profiles. Our engineering practices follow a secure SDLC, least privilege, change management, and environment segregation.
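The private_key_jwt client authentication named above, shown as an added example that is not Moneyhub's own code: a Go sketch of both sides of the exchange, the client minting an ES256-signed client_assertion for the token endpoint and the authorisation server checking alg, iss/sub, aud, lifetime, signature and jti replay before accepting it. The client id, key id and endpoint URL are assumed values, and the mutual TLS layer that accompanies this in the Open Banking profiles is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// assertionClaims are the registered claims a private_key_jwt client
// assertion carries (RFC 7523 section 3 / OIDC Core section 9).
type assertionClaims struct {
	Iss string `json:"iss"` // client_id
	Sub string `json:"sub"` // must equal iss
	Aud string `json:"aud"` // the token endpoint URL
	Jti string `json:"jti"` // unique per assertion, used for replay detection
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewDemoKey generates a throwaway P-256 key standing in for the client's
// registered signing key (assumed for the example).
func NewDemoKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// BuildClientAssertion mints the ES256-signed JWT the client sends as the
// client_assertion form parameter. "demo-kid" is an assumed key id.
func BuildClientAssertion(key *ecdsa.PrivateKey, clientID, tokenEndpoint, jti string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": "demo-kid"})
	claims, _ := json.Marshal(assertionClaims{
		Iss: clientID, Sub: clientID, Aud: tokenEndpoint, Jti: jti,
		Iat: now.Unix(), Exp: now.Add(60 * time.Second).Unix(), // short-lived on purpose
	})
	signingInput := b64url(hdr) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r || s, each 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// Verifier is the token-endpoint side: registered client keys, the only
// acceptable aud (its own URL) and the jti values already consumed.
type Verifier struct {
	TokenEndpoint string
	Keys          map[string]*ecdsa.PublicKey
	seenJTI       map[string]bool
}

func NewVerifier(tokenEndpoint string) *Verifier {
	return &Verifier{TokenEndpoint: tokenEndpoint, Keys: map[string]*ecdsa.PublicKey{}, seenJTI: map[string]bool{}}
}

// Verify authenticates the client and returns its client_id, or an error.
func (v *Verifier) Verify(assertion string, now time.Time) (string, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed assertion")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "ES256" {
		return "", errors.New("alg not permitted") // never accept none/HS*/RS*
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c assertionClaims
	if err := json.Unmarshal(rawClaims, &c); err != nil {
		return "", err
	}
	if c.Iss == "" || c.Iss != c.Sub {
		return "", errors.New("iss/sub mismatch")
	}
	pub, ok := v.Keys[c.Iss]
	if !ok {
		return "", errors.New("unknown client")
	}
	if c.Aud != v.TokenEndpoint {
		return "", errors.New("aud is not this token endpoint")
	}
	if c.Jti == "" || now.Unix() >= c.Exp || c.Exp-c.Iat > 300 {
		return "", errors.New("expired, missing jti, or lifetime too long")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return "", errors.New("signature invalid")
	}
	if v.seenJTI[c.Jti] { // only a correctly signed assertion consumes its jti
		return "", errors.New("replayed jti")
	}
	v.seenJTI[c.Jti] = true
	return c.Iss, nil
}

func main() {
	key, ep := NewDemoKey(), "https://as.example/token" // assumed endpoint
	v := NewVerifier(ep)
	v.Keys["client-123"] = &key.PublicKey
	a, _ := BuildClientAssertion(key, "client-123", ep, "jti-1", time.Now())
	fmt.Println(v.Verify(a, time.Now())) // client-123 <nil>
	fmt.Println(v.Verify(a, time.Now())) // "" replayed jti
}
```

The ordering matters: the signature is checked before the jti is recorded, so an attacker cannot burn a legitimate client's jti by submitting an unsigned copy, and the aud check ties the assertion to this token endpoint so one captured from another server cannot be replayed here.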

Data Protection and Encryption

Data in transit and at rest is encrypted using strong, industry-accepted standards. We apply strict access controls and logical separation, enforcing least privilege across systems and data. Hosting regions, backup approach, and retention policies are documented in our Trust Center.

Independent Assurance

Our ISMS is ISO/IEC 27001 certified; the certificate and scope are available in the Trust Center. Independent penetration tests are conducted regularly by a CREST‑certified provider, with remediation and retesting. Summary attestations are available via the Trust Center.

Aggregation beyond Open Banking

Open Banking is always our preferred approach. Where neither open nor commercial data access is available, we use our aggregation partner, Yodlee, which acts as our subprocessor. We do not store user credentials for these connections; where credential-based access is required, the credentials are managed by Yodlee. Data transfer safeguards and the full subprocessor list are available in the Trust Center.

Responsible Vulnerability Disclosure

Security researchers can find our contact details, policy, and PGP key in our security.txt (/.well-known/security.txt) and on the Trust Center. We operate a coordinated disclosure programme and acknowledge validated reports.