Consumers routinely share their online banking passwords with third-party apps that help with everything from budgeting to tax preparation. Apparently banks would like this to stop. JPMorgan Chase posted this notice on its website in April:
“If you give out your chase.com User ID and Password, you are putting your money at risk,” says a page titled Guard Your ID and Password. “Some websites and software offer tools to help you with budgeting, managing accounts, investing, or even doing your taxes. But if you’re giving them your chase.com User ID and Password, you could be responsible for money you might lose as a result.”
That’s no small threat. In other words, if one of those third parties gets hacked and a criminal takes your money, you could lose it all.
The page goes on to advise consumers who’ve already shared their passwords to immediately change them — and of course, not give the new login information to the third party.
The warning is broad, but popular sites like Mint.com, which perform item-by-item analysis of consumers’ accounts, stand to lose the most if consumers heed the warning. So I asked Mint what it thought about Chase’s post.
Holly Perez, a Mint spokeswoman, said the warning was not really new. Several banks have language in their user agreements telling consumers not to share login information with third parties. She’s right. Here is language from Capital One’s agreement:
“Sharing your Capital One access credentials (with third parties) may represent a breach by you of applicable [agreement or terms and conditions],” it reads. “One of the reasons that Capital One prohibits this type of sharing is that we may not have any information regarding the use of or security environment around this sensitive information at any third party. If you choose to share account access information with a third party, Capital One is not liable for any resulting damages or losses.”
Chase’s new posting is probably the result of the recent increase in high-profile hacks, Perez speculated.
Trish Wexler, a senior vice president at Chase, agreed, and pointed out that similar language was present in the Chase user agreement long before the April post: “If you disclose your Card numbers, account numbers, PINs, User IDs, and/or Passwords to any person(s) or entity, you assume all risks and losses associated with such disclosure.”
Wexler said the post was not aimed at any particular third-party service, and she did not know of any incident which led to the post. It was published out of a desire to put that provision of the user agreement into plain language. She also said the post should not be interpreted as Chase telling consumers not to use any specific service, such as Mint.
“Our job is to make sure consumers can make their own choices based on all the available information,” she said. “Clearly customers want to be able to use services like this. They need to understand there are risks associated with giving out their user name and password, be it to a third-party service or a neighbor.”
What the Law Has to Say
Those risks aren’t completely clear, however. Federal banking regulations concerning unauthorized electronic funds transfers are very consumer-friendly. Consumer liability for losses is capped at $50 or $500, depending on how quickly a consumer reports fraud once it is discovered. Even negligence doesn’t increase the consumer’s liability, banking regulators have said. For example, even writing a PIN code on a debit card doesn’t increase the consumer’s liability if the card is stolen and used to make withdrawals.
“Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible,” the rules say. “Thus, consumer behavior that may constitute negligence under state law…does not affect the consumer’s liability for unauthorized transfers.”
The rules go on to say that banks cannot impose additional liability on consumers.
“The extent of the consumer’s liability is determined solely by the consumer’s promptness in reporting the loss or theft of an access device. Similarly, no agreement between the consumer and an institution may impose greater liability on the consumer for an unauthorized transfer than the limits provided in Regulation E.”
Chi Chi Wu, a banking regulation expert with the National Consumer Law Center, said consumers victimized by theft of credentials from a third-party site would enjoy the same protections as a consumer who divulged their passwords to a hacker.
“The same principles apply,” she said.
Of course, writing a PIN code — or falling for a phishing email — is not a direct parallel to intentionally sharing login credentials with a third-party site. Until there is a high-profile test case, it’s hard to say what might happen. For any consumer hit by such a crime, there’s certain to be a big hassle, even if a bank ultimately refunds their money, whether out of a legal obligation or free will.
The bottom line for consumers: You don’t want to be that test case. Be extremely judicious when handing out your banking credentials. If you do, be vigilant about what happens inside your bank account. Roughly speaking, you only have two days from the time a fraud appears on your regular statement to report it and be protected by the $50 liability limit. Otherwise, the limit is $500. And if you wait 60 days, the limit is … unlimited. So your real worry should be spotting and reporting fraud promptly.