Commonwealth Bank has been accused of “at worst” abusing its market power after warning customers using fintech wealth products their money is at risk because of security concerns.
The financial technology industry says the alerts are misleading and damage the government’s plans to increase competition in the banking sector through open banking.
Thousands of customers of Raiz Invest who bank with CBA received warnings from the bank last week telling them their NetBank had been accessed. Raiz Invest is a savings app with 200,000 users. “We want to make you aware that sharing your log on details may be putting your money at risk as it provides the third party with access to your accounts,” said one alert seen by The Australian Financial Review.
The fintech industry rejected this as CBA scaremongering and using security as a guise to support its own products.
ASX-listed Raiz, which has $350 million in funds under management, asks customers to provide their banking log-in and password because it requires customers’ banking data to provide its service – allowing users to round up spare change and invest it in exchange-traded funds.
Raiz chief executive George Lucas said the CBA message was “at best, misleading, and, at worst, an abuse of market power”.
A CBA spokesperson said the bank regularly sent alerts “to ensure the security and safety of their accounts and their information”.
“Password sharing increases the risk of that data being compromised and misused,” the spokesperson said.
It is understood CBA has sent similar messages to some customers of MoneyBrilliant, which is owned by AMP, and Pocketbook, which is owned by ASX-listed Zip Co, whose customers began receiving the warnings in June.
The main companies providing fintechs with a “screen scraping” service – collecting screen display data from one application and making it available for another application – are Yodlee, an American software giant; Illion, which bought Adelaide-based Proviso’s BankStatements service; and Sydney-based Basiq, in which Westpac and National Australia Bank have an equity stake. None of these companies has had security breaches putting local customer data at risk.
Customers of Raiz, which uses Yodlee, were told to reset their password “to keep your accounts safe” and were told to enter log-in details only “using CommBank services directly”.
It is understood no other major bank has alerted customers about similar concerns. CBA has created its own small-amount ETF investment product, CommSec Pocket.
Raiz’s Mr Lucas said: “The only conclusion we can reach about CBA’s recent customer communications is that it’s deliberately designed to scare them away from other financial services companies, such as Raiz Invest, and as such is a poorly disguised attempt to protect its market share.
“CBA customers and ASIC should be concerned that CBA is constantly monitoring their customer data and interaction with other financial services and products providers and implementing strategies to encourage them to switch from or cancel such services.”
CBA sent similar messages to customers of Raiz – which initially was known as Acorns – in 2016. Raiz, which listed on the Australian Securities Exchange last year, has a market capitalisation of $45 million, compared with CBA’s $145 billion.
Raiz told its CBA customers last week the claim its service was putting funds at risk was not true. “We protect the data you share with us, whether on our website or our app, with 256-bit encryption. That’s the same level of encryption used by all the top Australian financial institutions,” it said.
Industry sources said CBA could protect its customers while allowing fintechs to operate by identifying legitimate companies seeking to access customer accounts via their IP addresses and filtering out malicious hits by criminals seeking to steal funds.
CBA’s warnings contradicted public statements by chief executive Matt Comyn that the bank would work more collaboratively with start-ups, industry insiders said.
Open banking concerns
Open banking will offer an alternative to screen scraping by allowing customers to send their data to third parties via a scheme regulated by the Australian Competition and Consumer Commission. However, screen scraping will continue to be available as an option to access customer data.
FinTech Australia said CBA’s conduct was concerning ahead of open banking, scheduled to begin in February, because the success of the regime required trust to be built up between incumbents, fintechs and customers.
“With open banking’s launch just months away, this example sets the wrong tone and undermines the overall objective of using new technologies to benefit the consumer,” said Rebecca Schot-Guppy, general manager of FinTech Australia.
“Much like every major technology company, banks have to balance security with accessibility. Security is paramount, but to limit opportunity in spite of it isn’t the way forward,” she said.
Zip’s chief strategy officer Tommy Mermelshtayn said “if banks today discourage customers from using fintech services that access bank data, customers will not adopt open banking when it finally arrives, and many of the fintechs that would enable competition will move to other markets”.
“In the lead-up to open banking, incumbents that have the most to lose are feeling emboldened to discourage customers from using fintech services that access banking data via other means,” he said.
“This places at risk important services that many consumers are using on a daily basis, such as personal financial management tools.”
The CBA spokesperson said the bank was “very supportive of the open banking plan to provide access to data in a secure and practical manner which does not compromise customers’ information by sharing passwords”.
“Cybersecurity is a major issue and, unfortunately, the increase in online fraud underlines the need for everyone to take great care of their data and account security.”
Whether customers can share credentials is a legal grey area, given the wording of the e-payments code, which is administered by the Australian Securities and Investments Commission. The code is being reviewed and the fintech industry hopes a revised version will allow password-sharing with legitimate fintechs.
Sharing BSB and account numbers via email or SMS creates security risks because those numbers can be used to extract funds from an account if a fraudulent direct debit authorisation is created.