Banks and fintechs at war over password sharing
Micro investment company Acorns has accused ANZ Banking Group and other banks of telling customers they can’t share account passwords with the start-up, retarding its growth.
Fintech Australia, the new lobby group for financial services start-ups, has formed an “open data subcommittee” to push for changes to the ePayments Code to make it clear that bank customers can give passwords to fintechs without banks having to provide approval.
Sharing passwords with fintechs is a legal grey area.
Acorns, which invests small change in exchange traded funds, lets users see their bank account activity and round up transactions to the nearest dollar. The app then invests the “change” in an investment portfolio.
To allow the app to access account data, users have to give Acorns their bank account log-on number and password. Other fintechs such as Pocketbook and MoneyBrilliant also seek passwords from customers to let them tap transaction accounts to provide budget management apps.
Acorns, which was launched in February, has gained 68,000 users in its first two months.
However, George Lucas, Acorns' chief executive for Australia, said this figure would be twice as high if banks were not telling potential customers not to hand over their passwords.
Acorns is competing with bank retail wealth divisions and 70 per cent of users are aged under 35.
Acorns pointed to a Facebook response from ANZ to a customer inquiry that asked whether the account was still insured against fraud if the log-on was shared with a third-party finance website.
An ANZ customer representative replied that the bank “does not endorse or recommend the use of third-party software or websites to access ANZ internet banking”.
“This is due to the risk of providing your CRN [customer registration number] and password to a third party who may not have the same security as ANZ, therefore, potentially exposing your personal details.”
While the customer in the Facebook exchange did not name Acorns, Mr Lucas said “general statements like this from the banks are misleading as they give the impression that the terms and conditions of the internet banking would be breached, not taking account of the ePayments Code”.
That code, which is administered by the Australian Securities and Investments Commission and overrides banks’ terms and conditions, says it does not amount to a breach of the obligation on customers not to share passwords if a bank “expressly or implicitly promotes, endorses or authorises the use of a service”.
Mr Lucas said that “I am not sure how ANZ can say they do not endorse all third-party account aggregators when their products use a third-party account aggregator; the same as ours, Yodlee”.
US-based Yodlee, which employs bank-grade encryption and security, is used by ANZ for its Money Manager product. ANZ did not respond to a request for comment.