CBA accused of blocking fintech Acorns in password row
Commonwealth Bank of Australia has sent alarming emails to thousands of its customers who are engaging with fintech start-ups, warning that sharing internet banking passwords could invalidate the protection CBA provides from losses on accounts relating to fraud.
But Acorns, which is competing with the banks’ retail wealth divisions, says CBA’s communication is designed to slow its rapid growth and thereby reduce competition.
CBA is “cloaking with security messages a way of being anti-competitive to the whole fintech industry,” said George Lucas, chief executive of Acorns in Australia. “It is strategically targeted at fintechs they now see are growing, and we are a major driver of that.”
Acorns, a US-based company that helps users invest spare change in exchange traded funds, has been growing its Australian users at around 2500 each week to around 130,000 since its local launch in February. Around 70 per cent of its customers are under the age of 35. It is targeting 1 million users in Australia over the next five years. Around 45 per cent of Acorns customers are also customers of CBA.
Like many other fintechs, Acorns requires customers’ bank log-ons and passwords because the fintech uses their transaction account data to provide its service. Acorns uses the US company Yodlee to receive the passwords, which are encrypted, and then to access the data through a process known as “scraping”. Yodlee is used by many banks around the world and by ANZ Banking Group in Australia, and is regulated and audited in the US like a bank to ensure its systems are secure.
CBA sent emails to thousands of customers last Thursday after noticing Yodlee accessing various accounts. “Never share your password or client ID with anyone,” the email said. “By sharing this information, you may be increasing the risk of unauthorised access to your account and money. If you have shared your password, you should change it immediately to keep your account safe.”
Customers were pointed to a security and privacy information page on the CBA website which states the bank will “cover any loss if someone makes an unauthorised transaction on your account provided you protect your client number, password [and] NetCodes …”
Pete Steel, CBA’s executive general manager of digital, said the bank’s “first and primary duty is to our customers. Privacy and data breaches do occur, and we feel responsible for them. But who is to know, even if Yodlee is meeting certain encryption standards, what is happening with the customer’s data? … We need to get better at trusted partnerships where we can share data in a secure way but password sharing is not part of that future.”