phone data harvesting

We’ve all laughed at the person who keeps their password stuck to their monitor at work, or the millions of people out there who still literally use the word “password“. But how far does our care for security extend when it becomes entangled with the world of convenience?

Fintech apps — like budgeting apps Pocketbook, MoneyBrilliant and Spendee, and micro-investing app Raiz (previously Acorns) — are increasingly popular, especially with people under 35. They allow an ease of control over one’s finances that previously may have felt elusive or unattainable. They are easy to use, they offer real-time information about your cash and are more often free or reasonably priced.

But the question remains: is all that worth handing over your online banking password?

Please enter your username and password

Though each of these apps differ slightly in function, they all rely on the same basic principle of “scraping” — a form of read-only access to banks and other financial accounts to create an accurate and up-to-date picture of your income, spending, savings and tax. However, in order for this process to occur, the apps require full access to your online banking accounts, including your username and password.

Since they first became available for Australian customers, there has been a friction between fintech start-ups and banks over this issue, and who has the right to share their account details with third parties.

Even years later, this remains a legal grey area. The four big banks all include conditions in their standard terms and conditions which are hostile to the sharing of passwords, PINs and any other identifying details required for online log-in purposes. Commonwealth Bank explicitly states users should “not disclose them to any third party including family, friends and institutions”. All then go on to also state that in such an instance, liability may fall onto the user for any unauthorised transactions.

Of course, the apps are quick to promote their security measures. These apps exist in the same legal framework as existing financial institutions, such as banks and investment schemes, and don’t collect any more information than your bank already does about your purchases. However, not a great deal is known about how this information may be used, and how that use might differ from banks and existing funds.

In March 2016, the federal government published a report on the state of fintech and banking in the country, after a campaign from industry group FinTech Australia pushed for open financial data standards and associated application program interface (API), among other issues. This call was rebuffed by banks, primarily on the grounds of data security.

This excuse was challenged by the fintech sector at the time, who argued that it was merely a contrivance on the part of the banks. In the cases of Raiz and MoneyBrilliant, this claim was a more complex one, as both platforms use Yodlee for their banking-grade digital security — the very same service used by ANZ.

This is the stalemate that still exists. Start-ups and existing banks are at odds over who has the right to access not just your money but also your metadata.

Risk v reward

The landscape is now beginning to change. These fintech companies rely on service fees and paid plans for their income, whereas banks already profit off of the money kept with them. And now the banks are getting in on the action.

Commonwealth has recently launched its own micro-investing platform, CommSec Pocket. The app has much of the same functionality as Raiz, but is connected directly to CBA’s online banking portal, and as such has the bank’s own explicit endorsement to share information and conduct transactions. Other Australian banks are sure to follow suit to capture their own market share.

When considering the choice of whether or not to use these services, or to distrust them entirely, there is clearly a balance somewhere between paranoia and indifference — the solution being neither total abandon or buying and burying gold bullion.

One solution is to forgo the immediate convenience, download your transaction statements and upload them to your app of choice; forgoing the need to provide log-in credentials altogether while still allowing the regular tracking of expenses and income. Every additional service that has access to your online banking details (as with any account login) adds another point of potential failure, but wagered against the simplicity of such a service you may still judge it a fair risk v reward.

Until the landscape itself changes — opening up banking API, or allowing specific access to third-party applications with login credentials independent of your personal password — there’s a lot of reasons that fintech apps are attractive. But until we know more, my banking passwords remain for me and me alone.