LOS ANGELES (Reuters) - Millions of people share their bank account passwords with third-party sites and apps that help them track their spending, but some of the biggest financial institutions, wary of hacking risks, are trying to scare people into not using them.
JPMorgan Chase & Co and Capital One Financial Corp, for example, warn on their websites that customers could be liable for any fraud in their accounts - even though federal regulations say otherwise.
Capital One's site tells users: "If you choose to share account access information with a third-party, Capital One is not liable for any resulting damages or losses."
Chase admonishes, "If you give out your chase.com user ID and password, you are putting your money at risk."
The warnings were enough to cause Morris Armstrong, a registered investment adviser and enrolled agent in Danbury, Connecticut, to recently close his account with Mint.com, a so-called aggregator website and a division of Intuit Inc.
“People are hacking left and right. You don’t want to make it easier,” Armstrong said.
However, the same warnings infuriated heavy Mint user Mark Ranta, head of digital payments at ACI Worldwide Inc, who says the banks are far more worried about competition from these aggregation sites than about electronic safety.
“Mint makes it so I don’t have to go to the individual bank sites,” said Ranta. “They [banks] don’t have the opportunity to cross-sell me.”
The banks’ warnings, however, are off base.
Federal banking rules known as Regulation E sharply limit customers' liability for unauthorized electronic transactions from their accounts, provided they report the fraud promptly.
The rules say that customers’ negligence - such as writing a PIN on a debit card - does not increase their liability.
A customer would be on the hook for unauthorized transactions if she gives her card or credentials “and grants authority to make transfers to a person (such as a family member or co-worker) who exceeds the authority given,” the rules say. Customers are fully liable for the transfers until they notify the financial institution that the person is no longer authorized to use the account.
That is the passage that Chase and other banks point to when warning people they may be liable if they share credentials with a third party.
But Lauren Saunders, associate director and managing attorney of the National Consumer Law Center, calls the banks’ position “ridiculous.” Sites such as Mint collect data about transactions but typically are not authorized to make transactions, said Saunders.
“When you give Mint your bank password, you don’t give them permission to make transfers,” Saunders said. “You don’t need to be a lawyer to understand that you are not a consumer who ‘grants authority to make transfers.’”
Even when people use a bill-pay app that does move money, they are granting access to the app - not to hackers who steal their credentials.
“You are still outside the provision about giving someone an access device because you didn’t give the hacker permission,” Saunders said.
Who would be liable, though, is an unsettled question of great concern to banks. The Wall Street Journal reported last week that JPMorgan Chief Executive Jamie Dimon discussed with Consumer Financial Protection Bureau chief Richard Cordray the security risks posed by aggregators.
Chase and the CFPB declined comment. Intuit declined comment on the banks’ warnings, saying in a prepared statement: “Delivering secure and seamless connectivity is a shared priority across Mint and thousands of our financial institution partners.”
It is worth pointing out that Mint has never had to announce a security breach - unlike Chase, which last year reported a cyber attack had compromised 83 million of its accounts.
Making people reluctant to use account aggregators could just make them more vulnerable to fraud. Mint and other account aggregators can help people spot unauthorized transactions that might otherwise go unnoticed, said independent journalist and technology expert Bob Sullivan, author of “Stop Getting Ripped Off.”
Rather than scaring people, the financial sites and banks should work together to create a common secure standard for sharing information - one that might involve app-specific passwords, Sullivan said.
(Corrects paragraph 7 to “payments at” instead of “payments company”)
Editing by Beth Pinsker and Steve Orlofsky