Printed on Thu Apr 27 12:06:42 BST 2017.
As you can see from the diagram below, the Bank Control™ client
application running on your device is communicating with the Bank Control
Service rather than with banks directly. The Bank Control service works as
a proxy transforming data from banks into a protocol used by the
When you register your device with Bank Control service, two pairs of
1024-bit encryption keys are generated - one by the device and one by the
service. The device and service exchange public keys and use these keys to
encrypt sensitive data and to generate digital signatures.
The generated security keys are used in addition to standard SSL
communication between devices and the service. Some data, such as
provider login details or transactions, are encrypted using these keys
before they even hit the encrypted communication channel.
When you register a new provider, you enter the user name and passwords
you use to log in to this provider. The Bank Control client application
passes this information to the Bank Control service encrypting them
The Bank Control service encrypts the provider login information using a key
unique to the device and then splits the resulting binary data into two parts.
One part of the encrypted provider login data is saved in the service
database, and the other part is sent back to the client application and
stored in the device's local database. It is technically impossible to
reconstruct the provider's login details from either of these parts alone.
When your device initiates statement synchronisation, it passes its part of the
encrypted security details to the service. The Bank Control service
combines this information with the data kept in its own database and decrypts
the result using the key unique to your device.
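The split-and-recombine flow described above, as an added example that is not Bank Control's own code. The page does not say which cipher is used or how the encrypted data is split; this sketch assumes a 2-of-2 XOR split, where each part on its own is random bytes, and uses an HMAC-SHA256 keystream with an authentication tag as a standard-library stand-in for a vetted authenticated cipher. All function names and the sample credentials are hypothetical.

```python
import hashlib
import hmac
import secrets

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, stdlib only.
    blocks = (length + 31) // 32
    return b"".join(_prf(key, nonce + i.to_bytes(8, "big")) for i in range(blocks))[:length]

def encrypt(device_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from the per-device key."""
    nonce = secrets.token_bytes(16)
    body = _xor(plaintext, _keystream(_prf(device_key, b"enc"), nonce, len(plaintext)))
    return nonce + body + _prf(_prf(device_key, b"mac"), nonce + body)

def decrypt(device_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject altered or truncated data."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(device_key, b"mac"), nonce + body)):
        raise ValueError("authentication failed")
    return _xor(body, _keystream(_prf(device_key, b"enc"), nonce, len(body)))

def split(blob: bytes) -> tuple[bytes, bytes]:
    """Return (service_part, device_part); each part alone is uniformly random."""
    device_part = secrets.token_bytes(len(blob))
    return _xor(blob, device_part), device_part

def combine(service_part: bytes, device_part: bytes) -> bytes:
    """Recombine the two stored parts into the original encrypted blob."""
    if len(service_part) != len(device_part):
        raise ValueError("part length mismatch")
    return _xor(service_part, device_part)

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-device key (constructed)
    service_part, device_part = split(encrypt(key, b"user=alice;password=example"))
    print(decrypt(key, combine(service_part, device_part)))
```

Because the tag is checked before decryption, a device part that was altered in the local database is rejected at synchronisation time instead of yielding garbage credentials.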
The Bank Control service opens an HTTPS connection to the Internet banking web
site of the provider and logs in using the decrypted security information.
It then parses the screens and translates the extracted statements before encrypting
them and passing them back to the client application.
The Bank Control service does not keep details of your accounts or transactions. It
works rather like a proxy between your device and the banks. From the banks'
point of view, this is the same as if you used a browser to access your
From the client's point of view, the Bank Control service works as a "proxy"
which also implements some custom transformation of the transmitted information.
The Bank Control service does not save your transactions or login details and does not initiate
any exchange with providers on its own.
On the other hand, from the banks' point of view, the Bank Control service works
as a "browser" which accesses the client's information only on behalf
of the client and only when the client has requested it.