Loan application asking/requiring you to give internet banking login/passwords to third parties - experiences?

Oh! That feeling of being a trustworthy customer?

Is there any benefit to society in doing so?
Will those living day to day receive greater consideration and a more honest deal?
Will those not spending to the maximum of their borrowing capacity be prime targets for increased marketing? Marketing that uses access to determine likely current needs, special interests and weaknesses (aka opportunities) deduced from the accumulated data.

Sometimes “complies with relevant legislation” is true because there is no relevant legislation to comply with. :wink:

Is there legislation to say one cannot share a login and password for your banking with another person or business?

Is there any point (noted the observation commences with a big “if”) in speculating the fox in the back yard is not there to take the chickens? Or, for city dwellers, the possum on the back fence to eat your camellias?

It’s worth considering when one permits a financial or other business to obtain your personal data under the CDR, there are protections concerning the intended purpose and how it can be used. Illion as stated is working outside of the latest legislation. Surprising but not so considering priors for such a significant finance based business when others are already onboard.

That is their take on their systems and their business. Will the banks (et al) have the same response so a consumer can be comfortable everyone is telling them the same thing?

Not suggesting illion is misleading but the courts are littered with cases of misrepresentation in various ways, as are some ACCC cases.

It was not more than a decade or two ago banks graciously offered their customers pass through logins so if one logged into MyBig4Bank they could simply click to see their accounts on MyOtherBig4Bank and MySmallerBank. Was the data syphoned during the passthrough? Who knows for sure except the techies and managers at MyBig4Bank. Any security issues? Left to the imagination.

It has been many years since I have seen such a gracious offer (or implementation) to make my life simpler. There seems to be some passing similarity between that ‘feature’ offered in days gone and using Bankstatements.

1 Like

As I mentioned, I discussed the access with all of my banks and they all expressly forbade providing my internet banking credentials to any third party.

As far as I can tell, there is no specific law against logging into a person’s internet banking using their credentials with their permission as long as you don’t steal their money.

There are of course laws against misleading/deceptive conduct and I note that the terms they use are very carefully crafted to avoid saying exactly what they are doing without actually being lies. I’m not party to what Illion have told their customers (the lenders) but based on what the lenders told me it sure seems like they have been misled by Illion about what they are actually doing.

2 Likes

I am attempting to close my jaw after it hit the floor upon reading your experience with??
It is a mantra from financial institutions that under no circumstances are you to provide the information you have been asked for.

As an ex banker/lender it is a requirement to look through the transactions listed on the bank statements related to the client’s loan application. We are looking for a number of things in this process. However, there is absolutely NO need for the provision of password access or anything else that is intended to keep your accounts safe and protected from potential theft/fraudulent activity.

I cannot find any legitimate reason/purpose for this request to be made and if it is a requirement of your loan being approved, then I would be giving my business to another lender.

6 Likes

Hard Pass from me. I would never, ever give my banking details to anyone.

Interestingly enough I recently did some survey for part of Dept of Treasury that had a mockup of an app that did the one-time password to your bank to get info for a quick decision on a loan (it would have access for 24 hours or so). The app design seemed quite good, but my feedback was as my first sentence.

No. Never going to use it, do not trust any third party with those details even if it is for a one-off transaction. Too risky.

1 Like

Welcome @Lynnee to the Community.

Now as someone who has been in the business of loan approval, and needed to check applicant details, how was that done?

Copies of statements provided? Or in-house applications? Or outsource to third-party organizations like Illion who do provide a total service of credit history as well as current transaction details as the CDR requires banks to provide on request to approved requestors?

How interesting … I also did that survey & my response was, like yours, a definitive ‘no’.
I must say, I am rapidly beginning to find all these “security issues” quite stressful and am of the opinion that if this will become the norm it’s time for me to check out. Any suggestions where I may find a hippie-style commune without internet access that needs a lively but ancient crone?

I don’t know but if you find one and give out the details here there could be a rush of applications.

1 Like

Alternately start your own. Optionally consider the opportunity to invite like minded members of the Choice Community. :+1:

1 Like

:relaxed: Hmmm … let me think about that

1 Like

Responsive Lending are asking the same thing. To enter your bank login details as they say is the most secure way of them receiving bank statements. I stopped the application at that point and did not go any further. They do not give you the option of uploading a pdf of a statement. A print screen of the webpage in question is attached.
PJ

5 Likes

Hi @goldspider

Welcome to the Community.

Yeah, to provide that detail breaches the agreement you have with your Bank regarding not sharing your password with anyone. Who knows who may gain access to such sensitive information and I think this sort of thing should be reported to the Privacy Commissioner as it seems most likely to breach your Consumer Data Rights (What is the Consumer Data Right? | OAIC).

A flow chart that explains the process of sharing CDR protected data. It is seen that the party who wants the access must contact the data holder e.g. a Bank, who then needs to contact the consumer to verify that the access is to be granted. No sharing of passwords is necessary nor is it allowed. There are several steps to the process and the lender you referred to is not meeting any of the requirements.

3 Likes

I would politely tell Responsive Lending where to go and tell them that passwords should never be revealed.

If they cannot handle that, move on to another lender.

2 Likes

From the Responsive web site. It appears ‘Proviso’ has sold their own product and provides a service to Responsive.

Responsive Lending has partnered with Proviso to provide a fast and secure method for submitting bank statements. If you have recently applied for a loan through us, you should have received an email containing a personalised link to submit your bank statements.

Are there any alternative options?

Certainly! If you’re not comfortable using our online system, you can send your bank statements as a PDF attachment to your loan officer.

Proviso (illion Australia P/L) makes this statement, possibly questionable from initial appearances. The devil is in the detail of what happens behind the screen shot that was posted. Superficially not a good look but their statement is illion is an Accredited Data Recipient within the Consumer Data Right regime.

3 Likes

The sign up to become an accredited CDR participant is

and as they claim Illion is listed. What is not clear is what mandates are placed onto companies such as Responsive Lending that use CDR participants. A scan of the accredited recipients includes a few financial services companies but unless they are individually accredited there seems to be a possible gap, and Responsive Lending is not listed.

3 Likes

Regardless of their status, the request on their web page is contrary to the CDR requirements and reflects nothing of what is portrayed in the flow diagram above. Additionally the request for the user account password is again in opposition to what a Bank or other financial institution requires of account holders to protect their account.

Nothing is redeeming of that page and its demand for a consumer to complete those very sensitive details. It doesn’t matter who they use in the background to complete the financial checks. At the outset the request, while not illegal for a consumer to complete, breaks the contract a financial institution holds with an account holder and renders any consumer protection from that contract null and void. If a person is not savvy to these breaches of conditions, the way the web page request is provided would leave that person assured that the business is trustworthy and compliant with making such a request. It could even possibly be described as a deceptive practice. One for the ACCC and the OAIC to weigh in on and make decisions about the practice, the owner of the site, and any non compliance with CDR requirements.

Perhaps the beginning of a super complaint is in the making if CHOICE could determine the extent of the issue and found it to be pervasive. So far two businesses seem to be possible infringers/participants in this practice.

3 Likes

Agreed. I have experienced a number of CDR authorisations and all began with [what appeared to be] a direct pass-through to the information holder’s web system, complete with their logo, look and feel. I do remember a time when many institutions were more than keen to assist customers track ‘other accounts’ if they would only be willing to provide their login credentials. That is a time long passed for good reason.

As with many of our ‘protections’ this might be another one poorly drafted and even worse executed, awaiting a complaint prior to further thoughts or action.

2 Likes

I spoke to Choice, the privacy commissioner, and the AFCA about this issue and nothing happened.

3 Likes

OAIC and the ACCC are the responsible parties for Consumer Data Rights (CDR). AFCA do not have a responsibility for CDR issues. CHOICE may be doing something, it is not always a clear immediate response, more evidence may need to be collected before they can make a super complaint (from my previous post “if CHOICE could determine the extent of the issue and found it to be pervasive”). Beyond a complaint they can only provide advice on how consumers can protect themselves, which they are always doing across many areas of their interest. OAIC may also be investigating, again this is not always an immediate public response to the problem. I am not excusing any of them from doing something, but I do know that often to take action there must be a great deal of evidence collected first.

@BrendanMays may be able to respond about what CHOICE has done or is doing, sometimes because of the sensitivity of some information this may just be a broad statement that doesn’t offer a great deal of specific content.

4 Likes