Loan application asking/requiring you to give internet banking login/passwords to third parties - experiences?

Ahh. Your earlier posts @Tungsten suggest you may use CBA.

How about this link of theirs

It has been for me as well and the last few days after a lot of reading/research it has been enlightening.

While there are many potential benefits to the consumer, I am concerned we may be heading towards…

where results of assessments are generated by algorithms and used as the sole basis of decisions, rather than rational oversight by a knowledgeable person.

Just one final point, as you suggested I watched the video - maybe you did not? Almost exactly where you took this screenshot the narrator clearly states “We are going to log in to this ANZ account … the customer is authorising us to log in, on their behalf”. There is no CDR here.

It also shows the “broker” sending the email link to the “customer” with no other information than “go to this link”.

I was really hoping to find out if others have come across this situation, so if you’ve been asked to do this, please put a comment in.

Going back to your original post @Tungsten, you have approached a lender who has as their evaluation process the need to check banking information from your account(s).
Their process, to use a hackneyed phrase, is what it is.

They use a third party, bankstatements, to do this data collection for them. Seems that that system uses the official data sharing means as in the CDR protocol, or if needed screen scraping using your login details.

Given that revealing your login password will in most cases be a breach of the conditions of your banking, you have a choice.

Agree to provide your login and password as part of the process, and hopefully get your loan, or decline to and go somewhere else if the prospective lender is unwilling or unable to accept the data they need from an alternate method.

Yes, I watched the video intently. The video is vague to say the least and assumes that any preparation prior to using their website has been done. They also didn’t make it clear what password to use. BankStatements uses CDR - link is at the bottom of their webpage as they are accredited. The CDR process are fall under the CDR standard which is why banks have the same steps to release data for sharing.

It is worth noting that BankStatements doesn’t have any relationship with any banks (they also state this in their FAQs). They are a service provider to gather and compile data for their clients (brokers, lenders etc). Both BankStatements and the banks have one thing in common, they are accredited by the ACCC under CDR processes for the sharing of information.

What is very noticeable from your post is the lack of information on what to do when a request for data is made by an CDR accredited data recipient. There are many regular members within the community who keep abreast of latest consumer developments. No one knew of the processes associated with bank CDR requests (including me - has been a very interesting learning experience). This shows a enormous failing as consumers aren’t aware of the processes which need to be followed.

I would have assumed that to protect the interests and security of their account holders, banks would have been active in providing information in relation to the CDR process. If it was a skeptic, I would think that the banks don’t do this as it may not be in their commercial interest. It is an enormous concern because if consumers are unaware of the process, this leads to a significant phishing risk (sites requesting actual bank login credentials).

Possibly Choice (@BrendanMays or @jhook) could take the lead or lobby the Australian Banking Association to push it members to fill the silence on the CDR processes and what is required to share bank data through the CDR. This may be a critical action to ensure consumers are protected from potential risks which could eventuate with not knowing. It is likely that CDR will be used more and more in the future by consumers and it is important that adequate communication is given to these consumers.

Choice were very active in the CDR planning and what became the legislation.

Just do a simple search for that term on the Choice site and take a look.

It then puts Choice in a great position to lobby the ABA to start educating/communicating with its account holders about CDR processes. I think this is critical as I can see the CDR process becoming a security issue when scammers/criminals prey on the lack of knowledge of Australian consumers.

The two banks we deal with (WestPac and Suncorp) have been silent in relation to the CDR processes. I expect others are the same.

Choice could also prepare media releases and articles as well.

Seems like we need to do a tafe course on how to spot scams.Or a university degree. Ha ha.

You’ve already provided evidence of your banking history by supplying account statements etc. There is no way I’d be giving them passwords! Even the banks themselves will never ask you for these. I’ve recently refinanced a property and wasn’t asked for this information.

Just hang about here for free. Tho’ in fairness this may not be a scam - more information is required.

You never give your login /password/or pin number to anyone whatsoever.
If a Person/Company asks for them run a mile.
Your financial insitution will not cover you for any loss if you have given up your access to another party.
PIN (personal identification number) says it all.
Your bank will happily print out statements for you.

Rule Number 1 as given by banks NEVER shares your Username and password with anyone.

It does not look to me like this company is using the open banking interface. According to the Westpac site you cite, in order to allow CDR to occur, Westpac will issue you wish a single use password to share with the third party provider. But this provider is asking for your internet banking login details, and using screen scraping software, not the API.

To my knowledge, if you share your password or PIN with any third party then you have given up your rights with respect to fraudulent transactions. I would not give my password out to anyone for any reason!

Under no circumstances should you hand over your password to ANYONE. The whole idea of a password is that only you know it. Otherwise it’s compromised. You’ll be fleeced in no time otherwise.

For clarity the screen to enter the password on the bankstatements site is not exactly ‘handing over a password’, yet…from what has been posted so far it does not appear to approach good let alone best practices nor seems CDR compliant. The security or lack thereof and reality of what happens to the password once entered is known only to bankstatements staff/IT developers.

Therein lies the concern.

I have contacted BankStatements to clarify their CDR processes on their website. BankStatements has acknowledged receipt of the information request and I hope that BankStatements respond to the inquiry in due course. I will post any response which is received.

The website seems to be owned or operated by illion - their logo is at the top of the page. They are one of the companies that can provide you with your credit rating and I used them for that some years ago. So they seem to be a legitimate company, but asking for bank account login details is ridiculous. At most I’ve provided a paper copy of bank balances with some info blocked out, but enough to confirm it’s my account when getting a mortgage. I don’t see how anyone could justify asking for full access to all your bank accounts just for verification purposes. That’s just insane.

As a postscript illion was previously known as Dun and Bradstreet (Australia). Their suite of ‘services and reporting’ could be considered a conflict of interest in that one arm can dictate or advise to their business customers what another arm should best do.

Need an applicant credit report - come to illion. Need verification of applicant income come to illion, need […] come to illion. From their website. illion’s product and service offering spans the full customer lifecycle, from lead generation and sales prospecting, to credit risk assessment and decisioning (including associated SaaS products), and, ultimately, receivables optimisation. That last one is a nicer term for debt collection, apparently another of their businesses folded into illion.

They are as legitimate a company as could be but have not had the most sterling reputation in countries with stronger oversight than ours. Quality accurate data?

D&B has had many complaints in many countries over the years for (to be kind) faulty records/reports and difficulty in getting incorrect information corrected, often to the significant detriment of the affected business or consumer. One can make up their own minds about why a company as old as D&B decided to change their name (as is increasingly common to whitewash corporate history/reputation).

Illion’s Corporate Affairs have responded to the enquiry lodged with them. It is appreciated they took the time to responded and did so promptly. Following is the relevant section of their response:

The process your member has been asked to use for loan assessment is not part of the Consumer Data Right (CDR) process. Australia is yet to fully transition to CDR - this will take place progressively over time.

What you are referring to is data retrieval technology that has been in operation in the Australian finance sector for many years, and is used successfully by many credit providers to regularly streamline the loan application process. These processes comply with relevant legislation.

As we transition to CDR and Open Banking, we will be publishing updates on our website from time to time.

As Illion indicate that the specific request isn’t a CDR, the first post I made applies unless you discuss the access by Illion (trading as BankStatements) with your bank. If, as Illion has indicated, the access complies with relevant legislation your bank may advise on whether one can use login credentials with Illion. It is assumed that the bank’s advice will be in the interests of their customer, rather than their own. The comment ‘than their own’ interests is made as banks might see the potential loss of a potential customer and give misleading advice to frustrate another providers loan assessment process.

Alternatively as a second option, if you are concerned about using Illion/BankStatements login process to obtain historical banking details, ask your bank if a single use password under the CDR standard will work to meet BankStatements loan application data assessment requirements. If it does, use your bank’s single use password for login credentials when using the BankStatements website. Hopefully this works, and you won’t be in breach of your user agreement with your bank as your usual banking login credentials aren’t potentially shared.

The third option is to provide hard copies of information to the lender. This may require certification that it is a true copy of your financial records.

There is a two way relationship operating here.

Lenders and other companies providing credit will access Illion’s very large database of information about you and your payment history, which in recent years has expanded to include all sorts of things like utility and phone payments.

Some is ‘pushed’ by credit providers, like defaults, or even late payments and applications for credit, as part of the commercial relationship, and some can be ‘pulled’ by means such as Illion’s screen scraping or by the more secure open banking API as specified in the CDR legislation.

Open access to bank account details is the start. It is supposed to roll out to utility and telecoms providers as the next step to allow prospective providers to check your power or post-paid telecoms history for risk.