Is Open Finance Safe? Everything You Need to Know Before Sharing Bank Data
You want to get your finances organized. You want to see all your transactions in one place, without logging into five different banking apps every day. But when it comes time to connect your bank account to a service like Manio, the questions start: "what if they steal my money?", "what if the company gets hacked?", "why would I give a company I barely know access to my bank account?"
Those are legitimate concerns. We are talking about your bank account, your money. Nobody should connect services blindly without understanding exactly what is happening behind the scenes. This article is here to give you the facts so you can make an informed decision. No sales pitch, no pressure. Just how it works.
What Is Open Finance Brasil
Before we talk about security, it helps to understand what Open Finance Brasil actually is and why it exists.
Open Finance Brasil is a regulatory framework created by the Banco Central do Brasil (BCB), the country's central bank. Established through Joint Resolution No. 1 of 2020 and expanded through subsequent regulations, it requires all major banks and financial institutions in Brazil to provide standardised APIs so that customers can share their financial data with authorised third-party services.
The key word here is you. Open Finance is built on the principle that your banking data belongs to you, not your bank. You have the legal right to share it with whichever service you choose, and your bank is required to provide a secure, standardised way to do so.
In practice, Open Finance operates through a consent system controlled by your bank. No third-party service gets direct access to your account. Everything goes through an official authorisation layer that is regulated and audited by the central bank.
Open Finance vs. Screen Scraping: Fundamentally Different
If you have ever used an older personal finance tool, you may have been asked to type your bank login and password directly into a third-party app. This is called "screen scraping" and it is, rightly, a cause for concern.
With screen scraping, the app literally logs into your bank account as if it were you. It has full access to your internet banking session: your balance, your transactions, and in theory anything you can do when logged in. For this to work, you have to hand over your password. If the service gets hacked, your password goes with it.
Open Finance is fundamentally different. Here is the comparison:
- Screen scraping: you give your password to a third-party app, which logs into your bank pretending to be you. The app gets full, unrestricted access.
- Open Finance: you log in directly on your bank's app or website. Your bank issues a limited-scope, read-only token. The third-party service never sees your password.
With Open Finance, the bank acts as intermediary: it only exposes the data you have explicitly approved, and you can revoke access whenever you want.
How the Connection Works in Practice
When you connect a bank to Manio through Open Finance, here is what happens step by step:
- Step 1: In Manio, you click to connect a bank and select your institution (Nubank, Itau, Bradesco, Inter, etc.)
- Step 2: You are redirected to your bank's official login screen. This is the same environment you normally use to access your account, with the same URL, the same TLS certificate, and the same security. Before entering your credentials, check that the address bar shows your bank's own domain; a login page on any other domain should be treated as suspicious.
- Step 3: On your bank's screen, you approve the data sharing. The bank shows you exactly which data will be shared and for how long.
- Step 4: Your bank issues an OAuth token with a limited scope. This token allows Manio to access only the data you authorised (transactions, balances). Nothing else.
- Step 5: Manio uses that token to read your transactions and send them to YNAB, Google Sheets, or Notion, depending on how you have set things up.
At no point does Manio see your bank password. Authentication happens entirely on your bank's servers.

The Tokens Are Read-Only
This is probably the most important point in this entire article.
The tokens issued by Open Finance for transaction data sharing (Phase 2 of Open Finance) are read-only. This means that even if someone somehow obtained the token, they could not:
- Send a Pix transfer from your account
- Initiate a wire transfer (TED, DOC)
- Pay bills
- Change your personal information
- Apply for loans
- Make any financial transaction whatsoever
The token only allows reading information: transactions, balances, and the personal data you consented to share. No write operations (financial transactions) are possible with this type of token.
This is distinct from Open Finance Phase 3 (payment initiation), which does exist but is an entirely separate flow with its own consent requirements and authorisation process. Manio operates exclusively on Phase 2 (transaction data) and has no access to any payment or transfer functionality.
Who Regulates and Audits All of This
Open Finance Brasil is not a voluntary programme created by fintechs. It is a mandatory regulation from Brazil's central bank. Every participating institution must:
- Be registered in the official directory of Open Finance Brasil, maintained by the BCB
- Pass technical and security certification processes
- Follow strict encryption standards for data protection (all communication is protected by TLS/HTTPS)
- Undergo periodic audits by the central bank
- Comply with Brazil's LGPD (General Data Protection Law) regarding the handling of personal data
Institutions that fail to comply face sanctions from the central bank. This is not a trust-based system. It is a regulated system with real consequences for non-compliance.
What Happens If Manio Gets Hacked?
Fair question. Let us be direct about it.
Manio does not store your bank credentials. We do not have your password. We do not have your login details. What we have are OAuth access tokens issued by your bank, scoped to read-only data access.
If, hypothetically, someone gained access to those tokens, they would be able to read your recent transactions and balances. That is a personal data exposure, which is serious and something we treat with the utmost care. But they would not be able to move your money. Phase 2 Open Finance tokens simply do not have that capability.
Furthermore, OAuth tokens have a limited lifespan and can be revoked at any time by the issuing bank. If there is any suspicion of compromise, you can revoke consent through your bank's app and the token becomes useless instantly.
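The scope, expiry and revocation checks discussed here and in the step-by-step flow above, as an added illustration that is not Manio's or any bank's code: a toy Python model of the bank-side checks a Phase 2 token passes through on every API call. Scope names, routes and token format are simplified assumptions, not the official Open Finance Brasil identifiers.

```python
# Added example (not Manio's or Open Finance Brasil's code): a toy bank-side
# consent store and resource server showing why a read-only data-sharing token
# cannot initiate payments, and why revocation makes it useless immediately.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

READ_SCOPES = {"accounts", "transactions"}      # Phase 2 data scopes (assumed names)
ENDPOINT_SCOPE = {                              # scope each API route requires (assumed)
    ("GET", "/accounts/balances"): "accounts",
    ("GET", "/accounts/transactions"): "transactions",
    ("POST", "/payments/pix"): "payments",      # Phase 3 scope; never granted by this flow
}

@dataclass
class Consent:
    scopes: set
    expires_at: datetime
    revoked: bool = False

@dataclass
class Bank:
    consents: dict = field(default_factory=dict)   # opaque token -> Consent
    _counter: int = 0

    def grant_consent(self, requested, months=12, now=None):
        """Customer approves sharing on the bank's own screen; only read scopes survive."""
        now = now or datetime.now(timezone.utc)
        granted = set(requested) & READ_SCOPES       # any write scope is dropped
        self._counter += 1
        token = f"tok-{self._counter}"               # constructed opaque token value
        self.consents[token] = Consent(granted, now + timedelta(days=30 * months))
        return token, sorted(granted)

    def revoke(self, token):
        """One tap in the banking app: the token is dead from this moment on."""
        self.consents[token].revoked = True

    def call(self, token, method, path, now=None):
        """Resource-server check: token known, not revoked, not expired, scope covers route."""
        now = now or datetime.now(timezone.utc)
        c = self.consents.get(token)
        if c is None or c.revoked:
            return 401, "invalid_token"
        if now >= c.expires_at:
            return 401, "consent_expired"
        if ENDPOINT_SCOPE.get((method, path)) not in c.scopes:
            return 403, "insufficient_scope"
        return 200, "ok"
```

A request for the "payments" scope is silently narrowed to the read scopes at consent time, so a leaked token fails the Pix route with insufficient_scope rather than ever reaching a payment step.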
Compare this to a screen scraping scenario, where a breach would expose your actual bank password, giving full access to your account. The difference is enormous.
You Have Full Control
One of the most important aspects of Open Finance is that control always stays with you. Specifically:
- You choose which accounts to share: you can share your Nubank checking account but not your credit card, for example
- You choose the duration: consent has a defined expiration (typically 12 months). After that, access expires automatically
- You can revoke at any time: go to the Open Finance settings in your bank's app. Revocation is immediate
- You can see who has access: your bank's app shows all active Open Finance consents
If at any point you no longer want to share data, just revoke. No paperwork, no phone calls, no cancellation requests. One tap in your banking app and it is done.
Encryption and Data Protection in Transit
All communication within the Open Finance Brasil ecosystem happens over channels encrypted with TLS (Transport Layer Security). This is the same level of encryption used when you access your bank's internet banking portal.
This means that even if someone intercepted the communication between Manio and your bank's API, the data would be encrypted and unreadable. Beyond TLS, Open Finance Brasil requires mutual TLS (mTLS) with digital certificates for authentication between participating institutions, adding another layer of security.
Why Do Companies Ask for Bank Access in the First Place?
If Open Finance exists and is secure, why use a service like Manio instead of just exporting your bank statement manually?
Because Manio's purpose is to eliminate manual work. Instead of opening your banking app, downloading a CSV, and importing it into YNAB or pasting it into Google Sheets every week, Manio does it automatically. You set it up once and your transactions flow to whichever destination you chose. Manio's Trial plan includes 1 bank connection, daily sync, and 50 syncs to get you started. The Pro plan (R$20/month) gives you unlimited syncs, up to 10 bank connections, sync every 8 hours, full history, and AI categorization. There's also a 14-day free Pro trial.
To do this, Manio needs to read your transactions. And the most secure way to read bank transactions in Brazil today is through Open Finance, which was created precisely for this purpose. It is not a hack, not a workaround. It is the official channel, regulated by the central bank, with all the protections described in this article.
Frequently Asked Questions
Can Manio steal my money?
No. The Open Finance tokens used by Manio are read-only. They allow access to transactions and balances, but they do not allow Pix transfers, wire transfers, bill payments, or any kind of financial transaction. It is technically impossible to move money with a Phase 2 Open Finance token.
What if I regret connecting my bank?
Open your bank's app, go to the Open Finance settings, and revoke Manio's consent. Revocation is immediate and Manio loses access instantly. You do not need to contact Manio to do this.
Does Manio store my bank password?
No. Manio never sees your password. Authentication happens directly on your bank's servers through the Open Finance OAuth flow. What Manio receives is an access token issued by your bank, not your credentials.
Is Open Finance the same as Open Banking?
They are related terms. Open Banking was the original name of the programme in Brazil when it only covered banking data. In 2022, the central bank renamed it to Open Finance to reflect its expansion into insurance, investments, and other financial products. In practice, "Open Banking Brasil" and "Open Finance Brasil" refer to the same regulated ecosystem overseen by the BCB.
What happens if Manio shuts down?
If Manio ceases to exist, your Open Finance tokens simply expire at the end of their consent period. Access is not permanent. And you can revoke consent at any time through your bank's app, regardless of Manio's status.
Does Open Finance work with all banks?
Open Finance is mandatory for all major banks and financial institutions regulated by the Banco Central do Brasil. In practice, Nubank, Itau, Bradesco, Santander, Banco do Brasil, Caixa, Inter, C6, and many others already participate. Smaller banks and credit unions are joining gradually.
Conclusion: Understand the Real Risks
Worrying about bank security is not paranoia. It is prudence. And you are right to ask questions before connecting any service to your bank account.
What we hope this article has shown is that Open Finance Brasil was designed precisely to solve this problem: enabling secure sharing of financial data, without exposing passwords, without allowing transactions, and with full control in the hands of the customer.
Zero risk does not exist in any digital activity. But Open Finance drastically reduces the attack surface compared to alternatives like screen scraping or manual credential sharing. It is, today, the most secure way to share bank data in Brazil.
If you want to learn more about how Manio works in practice, check out our guides:
- YNAB: sync Nubank to YNAB, Itau to YNAB, Bradesco to YNAB, Inter to YNAB, and does YNAB work with Brazilian banks
- Google Sheets: Nubank to Sheets, Itau to Sheets, Bradesco to Sheets, Inter to Sheets, and how to sync Brazilian banks to Google Sheets
- Notion: Nubank to Notion, Itau to Notion, and how to automate bank data to Notion