When a customer logs in to their bank account via DirectID, neither we nor the business requesting verification can ever see, store or access their credentials.
Stored bank credentials are always encrypted. This means that nobody can use them to access the account. A token created using the credentials allows viewing of the account details.
At no stage can we make changes to the account or view the credentials. If the credentials are invalid, we can only delete them and ask the user to log in again.