Pay by bank account privacy notice

Last updated 23 May 2023

Pay by bank account lets you make deposits through our website without needing to enter your card details or any reference numbers. You’ll be securely transferred to your bank’s app or online banking website to approve the payment, then you’ll return to our website.

We use an FCA-regulated provider called Ecospend to securely connect you to your bank.

This privacy notice explains:

  • Which data we are sharing
  • Who Ecospend are
  • How we will keep your data secure
  • How long we will keep your data
  • What ‘lawful bases’ we use to process your data
  • Your rights

Please also read the NS&I privacy notice and the Ecospend privacy notice.

NS&I privacy notice

Ecospend privacy policy

Which data we are sharing

When you use Pay by bank account, we’ll share the following information with our trusted payment provider Ecospend:

  • the amount you want to deposit
  • your NS&I account number or holder’s number

If you do not want to share your data in this way

You do not have to use Pay by bank account. You can choose another way to top up your NS&I account such as bank transfer or standing order.

Who Ecospend are

We use a trusted payment services provider called Ecospend to securely connect with all the major banks in the UK, and most of the smaller banks too. Ecospend is an authorised payment institution regulated by the FCA.

You can find out more about Ecospend, including their FCA registration number, here:

Find out more about Ecospend

How we will keep your data secure

When you use Pay by bank account, we share your data with Ecospend using an industry-standard Open Banking API (application programming interface). Encryption keeps your data secure while it’s being transmitted. This makes sure your information won’t be revealed to anyone other than NS&I, Ecospend and your bank.

Rest assured we do not share your NS&I log in details with anyone else. Similarly, your bank doesn’t share your bank log in details with us or anyone else.

Ecospend, as with all our service providers, are required to use appropriate security measures to protect your personal information in line with our policies.

How long we will keep your data

Ecospend keeps payment transaction data for five years in accordance with payment legislation, including The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. NS&I keeps data relating to transactions for 7 years, in accordance with the Limitation Act 1980.

What ‘lawful bases’ we use to process your data

Under the UK General Data Protection Regulations (UK GDPR), we need to have specific legal reasons to collect, process and share your data. These are called ‘lawful bases’.

We’re using these lawful bases for our Pay by bank account service:


By pressing ‘Continue’ on the ‘Buy more Bonds’ or ‘Pay money in’ screens, you are giving consent for us to share relevant data of yours with Ecospend on a one-time basis for a specific purpose, ie to process a payment you’ve requested to be made from your bank account into your chosen NS&I account.


In your customer agreement (terms and conditions) we set out the ways you can make payments to your NS&I accounts, one of which is by electronic transfer.

Ecospend are legally bound by the ‘purpose limitation’ principle of the UK GDPR to only use your personal data for the purpose set out by NS&I (ie to facilitate a payment from your bank account into your NS&I account). They may, however, be legally obliged to retain some of your personal data to satisfy money laundering and financial crime laws.

Your rights

You can read about your rights under the UK GDPR, and how you can exercise them, in the NS&I privacy notice. These rights are not affected by you choosing to use our Pay by bank account service.

NS&I privacy notice

Contact NS&I or make a complaint

You can contact us if you have questions about this privacy notice or want to make a complaint.

Call us

Changes to this privacy notice

We keep our privacy notices under regular review.

If we make changes to this notice, we’ll update the date at the top of this page. Changes will apply to you and your data from that date.