Good grief!

"Well over half our clients provide us their bank statements through this service."

Isn't it, at the very least, a violation of most banks' terms of service to give your password to a third party?

Edit: Ah, yes. Further down the article:

"New Zealand Bankers’ Association chief executive Roger Beaumont​ said bank terms and conditions generally include not sharing your bank account access details with anyone else."

Samuel Cavanaugh​, the owner of loan company Better.co.nz, stood by the request for customer bank passwords as “industry standard”.

NO. It's not industry standard practice and it's in breach of all banks' T&C's. 

Idiotic to say that it's normal, fair or even acceptable. 

Behodar:

 

Good grief!

 

"Well over half our clients provide us their bank statements through this service."

 

Isn't it, at the very least, a violation of most banks' terms of service to give your password to a third party?

 

Banks even tell you not to disclose passwords to them! 

I actually blame our banks in part for this practice (it does go on!).

If they provided the following:

• Ability to create read-only logins (ideally choosing which bank accounts it can see)
• (Open) APIs that 3rd parties can use that provide appropriate permissions (obviously with your permission to access your accounts)

Then this wouldn't be needed at all. Or even exist I imagine. POLi could also be abandoned by companies with a bit of thought!

nzkc:

 

I actually blame our banks in part for this practice (it does go on!).

 

If they provided the following:

 

• Ability to create read-only logins (ideally choosing which bank accounts it can see)
• (Open) APIs that 3rd parties can use that provide appropriate permissions (obviously with your permission to access your accounts)

Then this wouldn't be needed at all. Or even exist I imagine. POLi could also be abandoned by companies with a bit of thought!

 

Open Banking is supposed to address this with API's but it's a hard and expensive slog to get there for most of the banks. 

This is really, really common. A lot of mortgage brokers will have you do this. I was asked by several when I was buying this time last year.

It's appalling and shouldn't be allowed. I believe this particular service is run by one of the credit agencies, so who knows what else they do with your information once they have it.

In an amazing coincidence, just a few minutes ago I got an email at work talking about wanting to integrate POLi onto our website. For those unfamiliar, it's another 'service' where you give them your username and password.

I have a suspicion that my response may have put the cat amongst the pigeons.

Handsomedan:

 

Open Banking is supposed to address this with API's but it's a hard and expensive slog to get there for most of the banks. 

 

They've literally had years to implement something - even just a read only login. TBH: I have no sympathy for them.

MadEngineer: This is what our mortgage broker requested we use. They got a no. Nothing hard about downloading csv files

https://bankstatements.com.au/

A bit ambiguous, but I read it that illion/bankstatements is the agency your broker wanted you to use. I would not go there either. It all looks really nice with loads of bank logos splashed everywhere.

From their video:

"bankstatement is a user authorised service so your customer is effectively authorisation us to log in on their behalf securely to retrieve their transaction data and send it straight to their broker."

He then goes on to say it is encrypted, and all login info is deleted as soon as the process is completed. Etc etc. All nice weasel words.

Some of the issues

 

1. You are entering your bank login details into their website, which then retrieves the data from the bank account(s). There is nothing in my bank's T&C that give Illion an exception allowing this to happen.
2. They say their software is security checked etc etc, so completely trustworthy. See point 1.
3. “authorised service”. Authorised by whom? The customer? See point 1. By the bank? See point 1.
4. Illion is a credit check agency.  Nuf said.

Purple Visa (The Warehouse Money) use this site also

Handsomedan:

 

nzkc:

 

I actually blame our banks in part for this practice (it does go on!).

 

If they provided the following:

 

• Ability to create read-only logins (ideally choosing which bank accounts it can see)
• (Open) APIs that 3rd parties can use that provide appropriate permissions (obviously with your permission to access your accounts)

Then this wouldn't be needed at all. Or even exist I imagine. POLi could also be abandoned by companies with a bit of thought!

 

 

Open Banking is supposed to address this with API's but it's a hard and expensive slog to get there for most of the banks. 

 

 

 

HSBC & Barclays managed in the UK, sure they could manage it here.

michaelmurfy: Alan did the right thing here. If you enter your banking password on any third party site (POLi and Account2Account included) you’re breaching the terms of your internet banking agreement meaning your bank will not cover you for any fraud via internet banking.

Which makes me wonder where do password managers (Lastpass etc) fit in here? Technically a 3rd party site has my banking login but I feel the strong password he generated for me is more secure than anything I could dream up.