The banking industry can – and must – do better as it relates to securely enabling limited access to third-parties on behalf of their customers. Account aggregators like Yodlee and Intuit – and the myriad of other products built on top of Yodlee and Intuit aggregation services – rely on customers sharing their account credentials for the service to work. Banks know this and in many cases are active participants in enabling the services provided by account aggregators. And yet, this very fact contradicts many bank’s security recommendations and, in some cases, their own terms and conditions. For example, one of the top 5 U.S. banks has the following their terms and conditions for online banking:
You agree to … keep your passcode secure and strictly confidential, providing it only to authorized signers on your account…
Another top 5 bank’s terms and conditions state:
You agree that … in circumstances where locations of the Website require identification for process, you will establish commercially reasonable security procedures and controls to limit access to your password or other identifying information to authorized individuals.
How many of Mint’s more than 10 million customers are breaking these terms and conditions? Is it really reasonable for banks to expect that customers are abiding by these terms when they themselves enable customers to so easily violate them? How would an average consumer banking customer even know how to “establish commercially reasonable security procedures and controls”?Read on →