When a local loan company asked Alan Goodwin, a man from Palmerston North, for the password to his bank account, he fled into the hills.
Goodwin was seeking a car loan from non-bank lender Better.co.nz. The company told him that the loan could only be approved after he provided his financial information to an external website, “bankstatements.co.au”.
The site asked for his full name, bank, customer number and password. Fearing the website was a scam, Goodwin did not fill out the form.
But the lending company and company behind “bankstatements.co.au” have maintained their claim as standard business practice, causing serious concern among IT security experts.
*Risk businesses as identified vulnerability in popular software
* Single mother issues warning after being victim of text message scam
* Approximately 30,000 phone users report receiving “FluBot” scam text messages
A spokesperson for banksstatements.com.au said requesting bank passwords was a standard and secure way to extract financial data from a person’s bank account.
Goodwin had none of that.
“Even if this company were legit, it’s such a shocking business practice to hold this private information. It doesn’t matter how secure they are,” he said.
Goodwin works in IT and says he knows full well that you should never give out your banking password to anyone on the internet.
“I wouldn’t give my password to bank staff if they asked me, I wouldn’t provide it to the government. Why would you give this information to a third party, ever? said Goodwin.
Nadia Yousef, incident response manager at CERT NZ agrees with Goodwin, calling the request for bank passwords a “highly unusual business practice”.
“Giving your banking password to anyone is giving them the keys to the kingdom. It’s your personal information, your money, and you have no control over what a third party does with it,” Yousef said.
She said no one should ever share their bank password with a third party, especially not for the convenience of not having to log into an account and print their own bank statements.
“I can certainly appreciate the convenience of a quick online process, but that doesn’t outweigh the risk of sharing this information with anyone. There are so many downsides to doing this, and so few positives. Our position is that it’s just too risky,” Yousef said.
Samuel Cavanaugh, the owner of lending firm Better.co.nz, backed the demand for bank passwords as an “industry standard”.
“This process, which allows customers to provide access to their bank details, allows us to streamline the loan application. It’s a very common product in the New Zealand market,” he said.
Tougher lending laws due to new credit agreement legislation and the Consumer Finance Act (CCFA) means lenders are using it more than ever, Cavanaugh said.
“The tightening of lending laws on December 1 has made the request for customer information more and more necessary. Well over half of our customers provide us with their bank statements through this service,” Cavanaugh said.
Australian credit-checking agency Ilion, the company behind ‘bankstatements.com.au’, said hundreds of financial institutions in New Zealand were using their technology to access people’s bank accounts.
The process, which Illion says is 100% secure, has been called “digital data capture”. This was a consumer-authorized process in which an automated system extracted data through a banking portal on behalf of the consumer.
Lyn McMorran, director of the Financial Services Federation, said like it or not, it was the best way to quickly access customer banking data required under CCCFA laws.
She said it was also possible for customers to log into their bank account themselves and send their own bank statements, but said most customers opted for the simpler option.
“If you’re at a car showroom and want to buy the car from the lot the same day, you might not have time to upload your own bank statements. This method gives the loan company what they need in a 100% secure way,” she said.
McMorran said new lending laws and additional data required from lenders will mean we’ll see more and more places asking for your private details.
“It’s going to happen every time someone goes to get financing from a non-bank lender. It’s been going on for years and it’s going to accelerate. It’s the only way for non-bank lenders to access to the information they need.
“Unless the customer obtains their transactional information themselves,” McMorran said.
New Zealand Bankers’ Association chief executive Roger Beaumont said banks’ terms and conditions usually include not sharing your bank account access details with anyone.
This means that any customer who has canceled these terms and conditions would not be eligible for fraud coverage from their bank, if they were subsequently defrauded after sharing their bank password.
As for Goodwin, he planned to take out his car loan with a company that does not ask him for his bank password.
“There may be a change in loan law requiring more information, but that’s no excuse for asking customers to do something so dangerous,” Goodwin said.