Loan application asking/requiring you to give internet banking login/passwords to third parties - experiences?

Unfortunately you are going off on a tangent talking about what should be happening rather than what actually is. Please stop taking this off topic and minimising the issue.

I think you are misreading the T&Cs that you quoted, they clearly state that they do capture those details, they say they don’t retain them in the single use case (you even bolded this section). I note that the website doesn’t let you specify “a single use” - it just immediately asks you to agree with the conditions, pick a bank, and then asks for your login and passwords.

yes, there is plenty of evidence. The T&Cs say they do it. Illion admitted it on the phone. The website explicitly asks for your login credentials.

It is totally different to what you talk about with open banking (CDR) where the user allows the ADR to access specific information after they have approved it within their own bank.

I happened to find another lender who uses this service, but in this case it is optional.

I note it claims the access is read only, but this is just an arbitrary limitation that Illion (may) have put in place. There is nothing stopping them from transacting on your account except if you have 2 factor security processes in place.


While your words seem to suggest you know what you are talking about they are totally wrong. This is not at all how works.

1 Like

The website is clear. For single use, there are no credentials captured. CDR used by BankStatements is single use.

It asks for your usual banking user ID for login. The password used is a one-off password issued by your bank for CDR purposes.

Please watch the video in my earlier post on how CDRs work for bank account data requests. It should address the issues at hand. As ILLION OPEN DATA SOLUTIONS PTY LTD (BankStatements) is accredited by the government’s CDR, it is the processes used when obtaining bank data for loan application assessment.

It would also be worth contacting your own bank and ask to speak to their CDR officer. When making contact, ask how CDR works specifically in relation to ILLION OPEN DATA SOLUTIONS PTY LTD (BankStatements).

No it isn’t. Have you actually used the website? Because I have.

End User Terms and Conditions | BankStatements says clearly that the user provides their credentials and they use them to access their online accounts:

Credentials means your account login and password.”
Online Account means and includes your account held with a bank, credit union, financial services provider or any on-line portal (such as MyGov or reward platform) in Australia and/or New Zealand.”
"In order to provide the Services, we require your consent which is obtained when you provide your Credentials, " = account login and password as above. The website explicitly asks for your internet banking user id/number and the password.

“a single use – which allows us to complete a one-time retrieval of your Account Information using your Credentials to provide the Services.” - even in the single use case, they state they use your credentials = account login and password. How could they do this if:

1 Like

Using Westpac Bank as an example, this is information on their website about how CDR works from their end…

As indicated by Westpac, there are steps needed to allow CDR to occur. They also issue single use passwords to be used with usual login IDs for CDR to occur.

The credentials are used to complete the Automated CDR process. They don’t store or use them later to login without your knowledge.

There are many examples of websites payment systems which have similar processes where credentials are used for payment but not stored. I outlined one above for Poli, which has a pop-up window within a webpage for direct logging into one’s bank. The host website doesn’t capture the login information.

As I outlined above, if you have clear evidence BankStatements is working in contrary to the government’s CDR processes, a complaint can be lodged with ACCC as they are an accredited data retriever and are required to meet these standards.

Thinking further, confusion may be arising as CDR is a relatively new process to share information across service providers. It is new to most consumers.

If the lender or BankStatements haven’t provided sufficient information on how CDR works, this could be a significant omission causing the concerns. A key aspect of CDR is single/one-off passwords and notification of the institution holding the data, to release the data (a one-off password is issued by the data holder for such purposes - this is explained in the Westpac example above and applies to all banks which are accredited fir CDR). This one-off password is used for the login by the data recipient to enable data transfer. The password is different to the password a consumer would normally use to access the same banking website.

Not providing sufficient information on CDRs and what a consumer needs to do is something which needs addressing by the lender/BankStatements if this is what has occurred.

I’m well aware of how CDR works.

What you describe simply isn’t what is happening here. There is no interaction with the institution holding the data, the user provides their regular internet banking password to who logs in as the user and gets the data via regular internet banking. I spoke to Illion who confirmed this is how it operates.

I am most certainly going to be talking to the ACCC about this.


Just to clear up what is actually going on, I’ve attached screenshots of the website in action:

This is the first screen after you enter your name and agree to the terms.

This is what you get if you click on the CBA logo:


That doesn’t make sense. The BankStatements video on the process shows that the Bank User ID and password is entered only. See screen shot below:

For most consumers they now have 2FA. Many of these 2FA require a code (from text, app, phone message) to be entered as one of the login credentials, otherwise the login is unsuccessful. If you are correct, then BankStatement Login won’t work for those who have 2FA. This would make their services fail at the first step.

As indicated above, the password will be the bank issued single/one-off password used for such purposes. Our own bank also explains a similar process to Westpac which are explained here. For our own bank (which is one of the accredited institutions listed on the BankStatement website), login using a user ID and the usual password won’t work as 2FA is required (a code entered as a login credential). It will however work with the user ID and also the one off code issued by Suncorp for such purposes.

If you have written advice from BankStatements indicating such, which would be contrary to the accredited CDR processes they have signed up to.

I will be interested to see if the ACCC respond and see what they say.

The page only shows id and password. No allowance for 2FA (Netcode)

The Commonwealth Bank uses similar processes to other banks:

As I indicated earlier, I suggest you contact Commonwealth Bank to advise that an accredited organisation (BankStatements) would like to obtain data as part of a loan application process. Ask then what is required to facilitate such a transaction/sharing to occur.

Your prospective lender/BankStatements hopefully has asked you to do similar as part of the information pack that they send to you.

Commonwealth Bank should provide you with a single use password to fulfil the request.

The other thing I would be doing is making sure that you get a copy of any data which is shared. Automated process aren’t fail safe. Asking for the data allows you to also know what information has been used to assess the application.

1 Like

I assume (since I have never been stupid enough to enter my actual details) that spoof the internet banking website or perhaps just ask for the 2FA code to be entered.

Where is this indicated? How would any end user know they should go to their bank first to generate a one time password specifically for this purpose? The website, as per your screenshot and mine, just asks for the internet banking login and password.

Going to the link shown in your screenshot above, I note the following information, in writing (my bolding):

"Our service relies on you providing your online banking credentials. We treat the security and protection of these credentials with the highest degree of importance. Our service has been audited annually by leading IT security companies. Your credentials are never stored and when being used to connect to the bank they are encrypted with bank level encryption of up to 256 bit. Immediately once the connection to the bank is made your credentials are securely discarded. We recommend that you refer to the terms of your internet banking as your rights in relation to unauthorised transactions may be limited by providing us with your online banking credentials.

We provide a read only service for the retrieving of data and do not make any transactions."

Nice to know they promise not to make any transactions while they are logged into your internet banking…


Did you even read the link? You log in to and choose the data to share on the Commbank website/app - not on a third party website. They even have screenshots from the commbank app.

Please ring C’Bank and ask for assistance. I hoped that this information was provided in information by the lender/BankStatements. Sometimes one business assumes that the other has provided such information.

Accredited CDR data recipients use one-off/single use passwords issued by a accredited financial institution. This is outlined on bank websites and the government CDR website. As BankStatements are an accredited data recipient by the ACCC, they follow the CDR standards/processes.

If BankStatements/the potential lender haven’t provided adequate information on how CDR works, I would be advising them that not doing so has given you stress and grief because of their omission…or that you chose to go elsewhere.

Until such time you contact C’Bank about the process, anything posted is based on reading between the lines or speculation.

When you have spoken to C’Bank, it will be worth hearing about the processes required to facilitate CDR with BankStatements.

For everyday consumers, ANZ does not require 2FA to login. It may use 2FA to verify some transactions, by exception.

My two pennies.

What is being suggested from one source is the intended method of approval when using CDR is for the customer to request a one time password from their bank.

What is not evident is how one goes about this or even if “BankStatements” are making it clear and obvious they are not asking for your normal password. IE they require a different one which you should obtain via XYZ procedure.

Do we need to assume the average user of the system has never heard of the CDR, nor has the ability to navigate other sources to achieve a reliable understanding? Hence it’s always going to result in the consumer inappropriately sharing their regular banking password!

Something is missing in the communication. If the CDR is a benefit to consumers it needs to be delivered in a way that ensures a critical error of sharing with a site a password they should not have any potential to capture.

I’m still none the wiser. Do I go to my bank and ask them to provide a one use passcode to give the authority to a 3rd party, read only? I’d expect who ever I’ve approached re a loan application would provide that advice first, second and third before directing me to a third party which will assess my intimate financial dealings.

My internet banking provides access to multiple accounts some of which may not be relevant or authorise transparent access to another family members accounts. Suncorp allow this as do others. How does one restrict the accounts accessible?

Here’s what my bank has to say on the matter.

The bank says multiple times that the process will not require giving your login and password, and says that doing so is a breach of the terms and conditions.


Which makes some sense.

Is the web design of the BankStatements service seriously flawed?
Should it seperate the submission of the onetime password from the request for your user ID?
Should the web design include a clarifying statement that upon entering your ID to wait until you receive an SMS from your bank with a passcode you will be asked to provide in the next screen? I’m familiar with similar user confusion proofing when going through password reset procedures etc


As outlined above, this could be the failing experienced. A failure to provide adequate information on the CDR process and what is required to facilitate for it to occur.

There is a remote chance that it has been discovered an accredited business working outside the CDR standards. If this does to light, then further action should be taken such as a complaint to the ACCC. Trying to guess what information has been provided to facilitate the transfer of data and instead trying to read between the lines is unlikely to give the real picture.

And Suncorp is the same.

I think this is the nail being hit on the head.

Poor information and assumptions users know what to do.

1 Like

In fact I am not an CBA customer, the screenshots given above were just examples. As I mentioned, I have spoken to all my banks, and just for you I called CBA as well. They universally told me they had no relationship with, not to enter my internet banking details under any circumstances, and several (including now CBA) were going to investigate further.

This is the (trimmed) entire content of the information from the lender:
"*Latest 3 months statements for your transaction, savings and loan accounts including credit/store cards. We require retrieval of these is via link below. You just need to click onto the link, enter your Registration number or client number for respective bank and the statements will be sent directly to me. This process is quick and private.

( link)"

You’ll note the lender does not mention the password that the website immediately asks you to provide and I suspect they did not know about it.

It is clear that they are not using CDR.


Perhaps a time to inhale because there is the CDR, and there is @Tungsten’s experience. They appear divergent. @Tungsten has already indicated he has contacted his and other banks and has valid concerns he is following up.

I doubt any additional opinion or references from ‘our side’ are going to enhance or inform, but once @Tungsten completes his own investigation and reports I hope he will provide an authoritative explanation be it positive or negative or in-between re concerns, suspicions, and expectations.


I think this topic has, for those following, been an eye-opener. Who knew about CDR or open banking and if you know about this, you are better armed to deal with the fraudsters.

I think this QA from my bank sums things up nicely.

"Giving your NAB Internet Banking password to a third-party breaches NAB’s Internet Banking terms and conditions.

There are different types of data sharing environments, such as screen scraping technology (using your NAB ID number and banking password) versus data sharing in the open banking environment.

When you use open banking, you won’t be asked for your banking password. A one-time password will be sent to your phone instead.

The open banking environment is a safe and secure way to share your information, and doing it this way doesn’t breach NAB’s Internet Banking terms and conditions. Both types will coexist for a while, so it’s worth being aware of which one you are using."