Loan application asking/requiring you to give internet banking login/passwords to third parties - experiences?

I’m in the process of applying for a mortgage to buy a house. I picked a small lender with a good rate and low fees. Because of the banking royal commission, you now have to provide a lot more evidence of your expenses than previously, and I wasn’t too surprised to be asked to provide statements for all my bank accounts and credit cards so they could check where I spend my money.

What did surprise me was being asked to go to a third party website, bankstatements.com.au and enter my internet banking details including my passwords! The website has logos from all the major banks and claims high levels of encryption.

However if you look at the website terms, it does not “have an official association or relationship with any bank or banking institution accessible via the [BankStatements.com.au] website.”

It seems they take your login details and use them to log into your internet banking account and gather information - again from the terms:
“this requires us to retain and use your Credentials to access your Account Information”
“Credentials means your account login and password.”
“Account means and includes your account held with a bank, credit union, financial services provider or any on-line portal (such as MyGov or reward platform) in Australia and/or New Zealand.”

As I’m sure you are, I was horrified by the very idea of this, and couldn’t imagine how any financial institution would consider asking their customers to do this. I flat out refused to do so, and the lender stated my only other option is to withdraw my application.

The lender actually says this on their website: “If you receive an email claiming to be from a bank or other financial institution that asks you to enter your account details—delete it! (name of lender) will NEVER send an email like this.” It is ironic that they sent me the link to bankstatements.com.au via email…

I called and spoke to all my banks. They were as horrified as I was, and all stated that I must not enter my internet banking login details on the website, and that they did not have a relationship with the website. Some of them stated they would investigate the use of their trademarks without authorisation. One asked me to send details to their fraud/security team, and to also report it to consumer affairs/fair trading organisations.

One suggested that it might be a scam - and I actually called the lender to double check that the mortgage specialist I had been communicating with actually worked for them.

Now I’m cutting the lender a bit of slack for now, which is why I have not named them here.

This is a service that the lender pays the third party to provide, and in speaking to the lender, they do not seem to understand the third party is asking for passwords and logging into customers’ internet banking. They may have been told that the third party uses open banking - although not many banks actually support this system.

I’ve already talked to CHOICE about this matter, but I’ve seen online that a few other people have also been asked to give their internet banking login details to this or similar third party websites. It would help the investigation if you have any experience to share.

16 Likes

Has a video ‘how it works’ on their home page, which is designed to sell their services to brokers. Watching it suggests it is over the top. Some potential customers might not want a broker or anyone else to know all the details of who and where they spent, ignoring the obvious security implications you already mentioned.

I would run not just walk away from any company using this ‘service’.

Thanks for the post and flagging it, and reporting it as you posted has been done.

10 Likes

Who is the prospective lender who wants you to give your bank details to this third party web site?

I notice that bankstatements.com.au is given a glowing report by lower tier lenders like CashConverters not the mainstream.

4 Likes

Like @PhilT, I would be very nervous about using the ‘service’ especially when it appears to ask for information which may be in breach of your service agreement with your bank. If the information becomes accessible and used by others, you may be seen to be liable unless you have confirmation from your bank that this isn’t the case.

I wonder if the services of BankStatements have been engaged by the broker…independently of the lender. The broker may be using this as part of their assessment of the loan application. If this is the case, it is even more concerning as the lender may not be aware of the risks that the broker processes potentially cause.

Have you considered bypassing the broker and dealing directly with the lender?

7 Likes

Hi phb, I am dealing directly with the lender - there is no broker involved here although I have heard that some brokers are using this service too. I have confirmed with the lender that the lending specialist who sent me the link is actually employed by the lender. I have not named the lender because at the moment I believe the lender is also a victim, due to misrepresentation by the third party service about what they actually do.

I have also received an official response to my query about this practice directly from the lender:

“(LENDER NAME) requires certain documentation requirements for us to consider and assess an individual’s loan application. These requirements are driven by a range of factors including our credit policies, our responsible lending obligations, our practices to mitigate fraud and to enable efficient processing of applications.

(LENDER NAME) leverages [bankstatements.com.au] to retrieve and classify transactional and loan statements. It is our policy that the digital retrieval of statements via this platform is the only method that we will accept statements unless a third party financial institution that is not supported by the platform.

[BankStatements.com.au] is a platform managed by Illion that meets stringent security measures and this platform does not store customer credentials and is wholly Australian based and managed. It is also a platform leveraged by a large number of financial institutions to assist with the processing of loan applications under their own processes.

We understand this service helps us streamline our loan processing allowing us to deliver more competitive loans into the market. We also understand that some customers will not be comfortable using these platforms. As an application requirement should customers choose to not utilise the service or provide the required documents in the format we required to assess a loan under our policies we are unable to consider the loan application.

Should you want to continue with the application please provide the required documentation for us to assess the application. If you however would like to withdraw your application, please respond to myself or the Lending Specialist assisting you with your application to close the application.”

You’ll note the claims that customer credentials are not stored, and that “a large number of financial institutions” use it. In another email it was stated “all the Majors” use bankstatements.com.au. I haven’t talked to them all, but none of the banks I have spoken to so far use, are associated with, or endorse the use of bankstatements.com.au.

9 Likes

I note some discussion about this in other forums:

https://forums.whirlpool.net.au/archive/2779303
https://forums.whirlpool.net.au/archive/92kq0043

4 Likes

Some other companies want your banking access details for getting data on you for various purposes.
A previous discussion…
https://choice.community/t/survey-businesses-legitimacy-questions/25697/42

4 Likes

Other than the possible misrepresentations actual or implied by bankstatements (TBD) and the absence of the customer giving access rights permissions to the financial institution (different from login credentials), bankstatements seems to reflect a scenario in the CSIRO conducted data rights interviews Choice helped arrange, and related to

To grant CDR access in the model used in the interview, one had to trust a pass through login to grant CDR access rights, and that pass through was devoid of logging by the ‘service’ beyond whatever was needed to link accounts to the service. A current example is when using the Victoria government energy compare site one can give the compare authorisation to retrieve your electricity usage from your grid operator. There is lots of trust required end-to-end, noting the compare site is a government entity serving Victorians not private enterprise serving shareholders.

I could not imagine our financial institutions making agreements to enable any ‘service’ to have once off or ongoing data access rights to their customers’ accounts, especially from a login that violates the privacy and security standards (giving a third party login credentials), especially in these times of 2FA. Yet I use Quicken that has agreements with many hundreds of US financial institutions to do just that -eg it can be done everyone willing. Details of implementation are not germane here but require some trust and are fairly rigorous in requiring 2FA and numerous ‘handshakes’ in the initial setups.

It is troubling the unnamed lender does not appear amicable to accept customer provided documentation, possibly because of potential forgeries yet IME banks will provide customers with what are equivalent to certified records of accounts whether gratis or for a fee that should be acceptable.

It appears the unnamed lender has their eyes wide open and has chosen their non-negotiable take it or leave policy. Hopefully the banks might take this further as it is unlikely the government will.

7 Likes

Neither could I.

Which is why these services use scripted ‘screen scraping’ to login as the account holder and find the transaction details option, invoke it, and parse the resulting output into a format used by their automation.

4 Likes

From the statement from the lender, it appears that the processes and security of BankStatements is acceptable to the lender. The lender will know how BankStatements works as it integrates with its own IT/data systems to share critical data needed to assess a loan application. It is worth noting it is unlikely lender’s branch officers will understand how BankStatements works, only those privy to its integration with the lender’s systems will. This is possibly why your customer contacts in the lender provided varying opinions/views, while the formal response from the lender set things straight.

As this is the case and their response, you won’t be in violation of the service agreement with the bank, and in effect they endorse the process being used to assess loan applications using BankStatements.

Based on this and since the login credentials aren’t stored or captured by BankStatements, the risks should be low. It sounds similar to the Poli payment system where a bank login is initiated remotely through the payment process. The businesses using Poli don’t capture any bank login details but receive data from the bank that payment has been processed successfully.

Based on the additional information which possibly should have been included in the initial post, I now wouldn’t have any issue with using BankStatements.

1 Like

I think the post by @Tungsten that has this excerpt from the business somewhat makes a lie of the line that says they do not capture or retain the details

2 Likes

Not really, this is the full clause from the terms where selection was taken from…

Where the Services are accessed Automatically you understand and agree that:

  • the Authorisation that you provide to the Service Provider can either be for:
      • a single use – which allows us to complete a one-time retrieval of your Account Information using your Credentials to provide the Services. Your Account Information is encrypted and passed on to the Service Provider and subsequently discarded once no longer required, your Credentials are never retained (my bold); or
      • an ongoing use – this requires us to retain and use your Credentials to access your Account Information on an ongoing basis to provide the Services to your Service Provider.

This is consistent with that advised by the lender. A loan application would be a single use to assess an application and credentials aren’t stored.

If I was expected to allow any third party other than myself to view my bank logins I would expect them to sign a contract holding them responsible for any financial hardship I may have in the future, as there is no ironclad guarantee my credentials are not stored. And obviously immediately changing your logins

5 Likes

Who are you referencing as ‘they’? My interpretation is the bank(s), yet

or were you referencing the lenders, who apparently have no direct/data sharing relationship with the banks (nor apparently does bankstatement) and banks always admonish customers from sharing their passwords with any 3rd party; entering them into a blind bit of software under the circumstances might be safe, yet might be risky.

Another shoe to drop one way or the other?

2 Likes

The lender who has a direct relationship with BankStatements. Asking anyone in a bank…

Asking for opinions elsewhere isn’t helpful as they don’t know the ins and outs of the lender (in question) relationship with BankStatements which is clarified by the lender and BankStatements.

If ones usual bank allows BankStatements to mine account data from one of their account holders, the banks will have also approved/agreed with such action. If they didn’t, access will be blocked and BankStatements won’t be able to provide the services they do. With CDR legislation in place, a bank may not be able to block data requests…and would have to have specific portals to share information to meet CDR requirements.

It would be useful to know who the lender is, but for some reason such isn’t being disclosed.

Not knowing and providing selective information isn’t useful to fully understand the concerns at hand.

Further to the above on CDR, ILLION OPEN DATA SOLUTIONS PTY LTD who is BankStatements (trading name) is an approved CDR data recipient by the ACCC.

This means it has been approved and has necessary systems in place to meet CDR legislation requirements/standards.

For automated (CDR) data sharing, using login to access data through a financial institution data sharing portal ensures the data requested is of the person where CDR data sharing occurs (in effect provides consent of the data to be shared). It restricts data sharing to that particular individual rather than sharing whole data sets which may include data from individuals who haven’t provided consent for the sharing of data under the CDR.

If one has concerns about using login credentials for their financial institution to instigate automated data sharing with ACCC approved data recipients, they should contact the CDR personnel in their own financial institution to allay their concerns. Asking for advice from anyone else in their financial institution is likely to be uninformed opinion and not from those in the financial institution who are familiar with the processes and arrangements required under the CDR legislation for sharing of data.

As the ‘interface’ between bankstatements and the bank is the customer’s normal login, how does anyone know what if anything has been agreed or approved?

If I had customer information excepting for 2FA issues I could have access also, could I not? Therefore how or why would anything be blocked?

It does not seem as obviously innocent to me regardless if it is innocent in ‘the system’. Even if a company was a recognised CDR participant the linkage described seems troublesome. A customer could agree to (eg. bankstatement’s) T&C and privacy policies but do they conform to and have knowledge of any subsequent CDR statements and protections between the ‘service’ and ‘the bank’?

That seems where the OP’s concerns arise.

4 Likes

A CDR registered participant, either data holder (ie, the account holder bank), or a data recipient (ie Illion bankstatements) would be required to use the formal API as defined in the legislation.
This is defined by the Data Standards Body, and defines the format of the API to be used to request customer data.
It does NOT involve a login and password, as that is part of an application run by your bank to confirm who you are.

If the bank Illion wants to get your details from has implemented the API, and you have consented to your information to be shared with the Illion system, then the account details are all that is required.

If, on the other hand, the bank Illion bankstatements wants to get your details from has not implemented the API, or is not a participant in CDR, or has not had your approval, then by giving your login and password to a system like Illion bankstatements, it could simply bypass all that and script a login as you.

Your bank’s online system will not know it is not you.

Of course 2FA at login time will make any third party scripting fail since it will not know the extra login one-time code required.

PS. If any organization claims that your login and password are stored securely encrypted, that data must be in plain text before being encrypted, and must be unencrypted back to plain text to be used. Both are points of interception.

5 Likes

Am I ever likely to provide any bank, CC provider etc login details to anyone. Never voluntarily.

I’m currently very confused by the discussion which appears to be saying it can be ok legally to provide direct access using my personal login credentials.

It is a legal issue is it not?
Whose T&C’s reign supreme?
Which legislation applies and what does it require for compliance?
Is there a loophole that needs to be closed?

As a starting point

Hence what follows also makes sense.

If the institution is asking for more than the account details, it’s sending a clear message about its understanding and respect for Australian law.

2 Likes

The Government’s CDR website explains how it works and is worth perusing.

You also raise 2FA. Most banks are moving towards their account holders using 2FA. If BankStatements did capture login credentials contrary to their own T&Cs, the CDR processes/standards and information from the lender, then 2FA would significantly limit BankStatements’ ability to access one’s account at any time they chose in the future. The CDR processes are also automated and relevant data is transferred when consent and authorisation of access to the data is given. Authorisation is given by logging into one’s bank using a one-off password to instigate the data transfer process.

If BankStatements captured and used banking login credentials contrary to their T&Cs and government CDR processes/standards, and used these credentials to try and login to one’s account outside the automated data transfer process, then this would be of concern. There is no evidence that this occurs. If there is evidence, then a complaint should be lodged with the ACCC through the CDR website.

It is also worth noting that BankStatements does not use one’s login password/code to their bank. The process is that during the BankStatements CDR process, one enters their bank login ID and then the bank sends a one-off password/code to be used for the data transaction with BankStatements. This password/code is used to allow access to the data as a one off. While it might seem that BankStatements is capturing one’s bank logins when BankStatements requests one’s login ID, it isn’t the case. This video from the Government CDR website gives a good explanation of how the data transfer process works when accessing bank data:

1 Like
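The contrast drawn in the thread above between a scripted login using the customer’s password (which 2FA defeats) and a consent flow in which the bank issues a one-off authorisation and the recipient never sees the password, as an added, constructed Python model; it is not code from the thread or from Illion/BankStatements, and the Bank class, its token format and the “lender”/“statements” names are simplifying assumptions, not the real CDR API.

```python
# Constructed toy model (not the real CDR/FAPI API): credential pass-through
# ("screen scraping") versus a consent flow giving the recipient only a scoped, revocable token.
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Bank:
    users: dict                                 # cid -> (password, two_fa_on); toy keeps plaintext
    statements: dict                            # cid -> list of transactions
    tokens: dict = field(default_factory=dict)  # token -> (cid, recipient, scope)
    audit: list = field(default_factory=list)   # what the bank can see and log

    def login(self, cid, password, otp=None):
        """Interactive login; a third-party script has no way to supply the OTP."""
        pw, two_fa = self.users[cid]
        if not hmac.compare_digest(pw, password):
            return None
        if two_fa and otp is None:
            self.audit.append(("login_blocked_2fa", cid))
            return None
        self.audit.append(("login", cid))
        return cid

    def authorise(self, cid, password, otp, recipient, scope):
        """Consent step done by the customer at the bank; recipient gets only the token."""
        if self.login(cid, password, otp) is None:
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = (cid, recipient, scope)
        self.audit.append(("consent", cid, recipient, scope))
        return token

    def fetch(self, token, recipient, scope):
        """Access is bound to the recipient and scope named when consent was given."""
        entry = self.tokens.get(token)
        if entry is None or entry[1] != recipient or entry[2] != scope:
            self.audit.append(("fetch_denied", recipient, scope))
            return None
        return self.statements[entry[0]]

    def revoke(self, token):
        self.tokens.pop(token, None)            # withdrawn consent ends access at once

def screen_scrape(bank, cid, password):
    session = bank.login(cid, password)         # recipient logs in AS the customer; no OTP
    return None if session is None else bank.statements[session]

def demo():
    bank = Bank(users={"alice": ("hunter2", False), "bob": ("correct horse", True)},
                statements={"alice": ["rent -1500", "salary +5000"],
                            "bob": ["groceries -120"]})
    scraped = screen_scrape(bank, "alice", "hunter2")        # no 2FA: full account access
    blocked = screen_scrape(bank, "bob", "correct horse")    # 2FA: the script is stopped
    token = bank.authorise("bob", "correct horse", "123456", "lender", "statements")
    via_token = bank.fetch(token, "lender", "statements")    # lender never saw the password
    misuse = bank.fetch(token, "other-party", "statements")  # token is not transferable
    bank.revoke(token)
    after_revoke = bank.fetch(token, "lender", "statements")
    return scraped, blocked, via_token, misuse, after_revoke, bank.audit
```

The audit list shows the defender's side of the difference: a scrape against a 2FA-protected account leaves a blocked-login record, while the consent path leaves a record naming the recipient and scope that the bank can later revoke.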