Home > Identity Theft > Should You Ever Link Your Bank Account to an App?

Comments 2 Comments

Consumers routinely share their online banking passwords with third-party apps that help with everything from budgeting to tax preparation. Apparently banks would like this to stop. JPMorgan Chase posted this notice on its website in April:

“If you give out your chase.com User ID and Password, you are putting your money at risk,” says a page titled Guard Your ID and Password. “Some websites and software offer tools to help you with budgeting, managing accounts, investing, or even doing your taxes. But if you’re giving them your chase.com User ID and Password, you could be responsible for money you might lose as a result.”

That’s no small threat. In other words, if one of those third parties gets hacked and a criminal takes your money, you could lose it all.

The page goes on to advise consumers who’ve already shared their passwords to immediately change them — and of course, not give the new login information to the third party.

The warning is broad, but popular sites like Mint.com, which perform item-by-item analysis of consumers’ accounts, stand to lose the most if consumers heed the warning. So I asked Mint what it thought about Chase’s post.

Holly Perez, a Mint spokeswoman, said the warning was not really new. Several banks have language in their user agreements telling consumers not to share login information with third parties. She’s right. Here is language from Capital One’s agreement:

“Sharing your Capital One access credentials (with third parties) may represent a breach by you of applicable [agreement or terms and conditions),” it reads. “One of the reasons that Capital One prohibits this type of sharing is that we may not have any information regarding the use of or security environment around this sensitive information at any third party. If you choose to share account access information with a third party, Capital One is not liable for any resulting damages or losses.”

Chase’s new posting is probably the result of the recent increase in high-profile hacks, Perez speculated.

Trish Wexler, a senior vice president at Chase, agreed, and pointed out that similar language was present in the Chase user agreement long before the April post: “If you disclose your Card numbers, account numbers, PINs, User IDs, and/or Passwords to any person(s) or entity, you assume all risks and losses associated with such disclosure.”

Wexler said the post was not aimed at any particular third-party service, and she did not know of any incident which led to the post. It was published out of a desire to put that provision of the user agreement into plain language. She also said the post should not be interpreted as Chase telling consumers not to use any specific service, such as Mint.

“Our job is to make sure consumers can make their own choices based on all the available information,” she said. “Clearly customers want to be able to use services like this. They need to understand there are risks associated with giving out their user name and password, be it to a third-party service or a neighbor.”

What the Law Has to Say

Those risks aren’t completely clear, however. Federal banking regulations concerning unauthorized electronic funds transfers are very consumer-friendly. Consumer liability for losses is capped at $50 or $500, depending on how quickly a consumer reports fraud once it is discovered. Even negligence doesn’t increase the consumer’s liability, banking regulators have said. For example, even writing a PIN code on a debit card doesn’t increase the consumers’ liability if the card is stolen and used to make withdrawals.

“Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible,” the rules say. “Thus, consumer behavior that may constitute negligence under state law…does not affect the consumer’s liability for unauthorized transfers.”

The rules go on to say that banks cannot impose additional liability on consumers.

“The extent of the consumer’s liability is determined solely by the consumer’s promptness in reporting the loss or theft of an access device. Similarly, no agreement between the consumer and an institution may impose greater liability on the consumer for an unauthorized transfer than the limits provided in Regulation E.”

Chi Chi Wu, a banking regulation expert with the National Consumer Law Center, said consumers victimized by theft of credentials from a third-party site would enjoy the same protections as a consumer who divulged their passwords to a hacker.

“The same principles apply,” she said.

Of course writing a PIN code — or falling for a phishing email — is not a direct parallel to intentionally sharing login credentials with a third-party site. Until there is a high-profile test case, it’s hard to say what might happen. For any consumer hit by such a crime, there’s certain to be a big hassle, even if a bank ultimately refunds their money – out of a legal obligation, or free will.

The bottom line for consumers: You don’t want to be that test case. Be extremely judicious when handing out your banking credentials. If you do, be vigilant about what happens inside your bank account. Roughly speaking, you only have two days from the time a fraud appears on your regular statement to report it and be protected by the $50 liability limit. Otherwise, the limit is $500. And if you wait 60 days, the limit is … unlimited. So your real worry should be spotting and reporting fraud promptly. You should also keep an eye on your credit for signs of new-account fraud, which you can do by getting your free annual credit reports at AnnualCreditReport.com if you haven’t already. You can also check your credit scores for free every month on Credit.com to keep an eye on any changes that may signal fraud.

More on Identity Theft:

Image: iStock

Comments on articles and responses to those comments are not provided or commissioned by a bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by a bank advertiser. It is not a bank advertiser's responsibility to ensure all posts and/or questions are answered.

Please note that our comments are moderated, so it may take a little time before you see them on the page. Thanks for your patience.

  • http://www.danielwilson.me/ Daniel Wilson

    If banks provided a secue common API with basic functions for reading account balances, transaction history, and latest statements but without any endpoint for transfer of funds this would surely help combat the issue as apps would no longer need full access to the account (instead asking the user for their API key, which could be tucked away in their online banking options) and developers could instead build apps that work with the banks, not against them.

    • Mark S

      Yep. That’s what API’s are for. Scoped access to the necessary resources without the keys to the kingdom. OAuth what you need to, give third-parties the necessary access. FB does it, Yahoo does it, but the banks probably don’t see the incentive to integrate so they don’t embrace it.

Certain credit cards and other financial products mentioned in this and other articles on Credit.com News & Advice may also be offered through Credit.com product pages, and Credit.com will be compensated if our users apply for and ultimately sign up for any of these cards or products. However, this relationship does not result in any preferential editorial treatment.

Hello, Reader!

Thanks for checking out Credit.com. We hope you find the site and the journalism we produce useful. We wanted to take some time to tell you a bit about ourselves.

Our People

The Credit.com editorial team is staffed by a team of editors and reporters, each with many years of financial reporting experience. We’ve worked for places like the New York Times, American Banker, Frontline, TheStreet.com, Business Insider, ABC News, NBC News, CNBC and many others. We also employ a few freelancers and more than 50 contributors (these are typically subject matter experts from the worlds of finance, academia, politics, business and elsewhere).

Our Reporting

We take great pains to ensure that the articles, video and graphics you see on Credit.com are thoroughly reported and fact-checked. Each story is read by two separate editors, and we adhere to the highest editorial standards. We’re not perfect, however, and if you see something that you think is wrong, please email us at editorial team [at] credit [dot] com,

The Credit.com editorial team is committed to providing our readers and viewers with sound, well-reported and understandable information designed to inform and empower. We won’t tell you what to do. We will, however, do our best to explain the consequences of various actions, thereby arming you with the information you need to make decisions that are in your best interests. We also write about things relating to money and finance we think are interesting and want to share.

In addition to appearing on Credit.com, our articles are syndicated to dozens of other news sites. We have more than 100 partners, including MSN, ABC News, CBS News, Yahoo, Marketwatch, Scripps, Money Magazine and many others. This network operates similarly to the Associated Press or Reuters, except we focus almost exclusively on issues relating to personal finance. These are not advertorial or paid placements, rather we provide these articles to our partners in most cases for free. These relationships create more awareness of Credit.com in general and they result in more traffic to us as well.

Our Business Model

Credit.com’s journalism is largely supported by an e-commerce business model. Rather than rely on revenue from display ad impressions, Credit.com maintains a financial marketplace separate from its editorial pages. When someone navigates to those pages, and applies for a credit card, for example, Credit.com will get paid what is essentially a finder’s fee if that person ends up getting the card. That doesn’t mean, however, that our editorial decisions are informed by the products available in our marketplace. The editorial team chooses what to write about and how to write about it independently of the decisions and priorities of the business side of the company. In fact, we maintain a strict and important firewall between the editorial and business departments. Our mission as journalists is to serve the reader, not the advertiser. In that sense, we are no different from any other news organization that is supported by ad revenue.

Visitors to Credit.com are also able to register for a free Credit.com account, which gives them access to a tool called The Credit Report Card. This tool provides users with two free credit scores and a breakdown of the information in their Experian credit report, updated twice monthly. Again, this tool is entirely free, and we mention that frequently in our articles, because we think that it’s a good thing for users to have access to data like this. Separate from its educational value, there is also a business angle to the Credit Report Card. Registered users can be matched with products and services for which they are most likely to qualify. In other words, if you register and you find that your credit is less than stellar, Credit.com won’t recommend a high-end platinum credit card that requires an excellent credit score You’d likely get rejected, and that’s no good for you or Credit.com. You’d be no closer to getting a product you need, there’d be a wasted inquiry on your credit report, and Credit.com wouldn’t get paid. These are essentially what are commonly referred to as "targeted ads" in the world of the Internet. Despite all of this, however, even if you never apply for any product, the Credit Report Card will remain free, and none of this will impact how the editorial team reports on credit and credit scores.

Our Owners

Credit.com is owned by Progrexion Holdings Inc. which is the owner and administrator of a number of business related to credit and credit repair, including CreditRepair.com, and eFolks. In addition, Progrexion also provides services to Lexington Law Firm as a third party provider. Despite being owned by Progrexion, it is not the role of the Credit.com editorial team to advocate the use of the company’s other services. In articles, reporters may mention credit repair as an option, for example, but we’ll also be sure to note the various alternatives to that service. Furthermore, you may see ads for credit repair services on Credit.com, but the editorial team isn’t responsible for the creation or implementation of those ads, anymore than reporters for the New York Times or Washington Post are responsible for the ads on their sites.

Your Stories

Lastly, much of what we do is informed by our own experiences as well as the experiences of our readers. We want to tell your stories if you’re interested in sharing them. Please email us at story ideas [at] credit [dot] com with ideas or visit us on Facebook or Twitter.

Thanks for stopping by.

- The Credit.com Editorial Team