Bank credentials are only ever stored in an encrypted state. This means that the customer's bank credentials can never be used by another person to access their account.
When entered by the customer, credentials are encrypted and then stored against a token. This token is then used to view the account details. At no stage do we have the ability to update/edit the account or view the credentials themselves. If for some reason the credentials are invalid, the only solution at our side is to delete the enrypted credentials and ask the user to go through the process again.
To recap: when your customer logins to their bank account via DirectID, neither we nor the business requesting verification will ever see, store or have access to the login credentials.