Commonwealth Bank of Australia is expressly advising their customers not to disclose their username


Recently, Xero announced that CBA had re-affirmed its long held position that disclosing bank account username and password to any account access service was not acceptable and a clear breach of CBA’s terms of service for online banking.

Xero sent an email to their customers at the end of September saying:

"As part of our agreement with CBA, CBA has requested us not to facilitate access to CBA customer data by third party technology providers that require sharing of internet banking credentials. Whilst Xero is confident with encryption security levels to ensure that all user data is kept securely, CBA’s underlying concerns are with the sharing of internet banking credentials."

The problem that CBA is trying to avoid is the storage of customers’ credentials by any third party. When an account aggregation service provider stores CBA’s customer credentials, these login details can be re-used anytime by the service provider to access customers’ bank accounts. We have to differentiate between server-side account access services and client-side aggregation. Server-side aggregators save a customer’s credentials on their servers in order to be able to login and retrieve account information on demand. With a client-side account aggregation service, like eWise, customers’ credentials are stored in a secure, encrypted Personal Data Vault, installed on their own device. In the client-side model, customer logins or passwords are never disclosed to the service provider or any third party, and therefore cannot be misused. The data aggregation service is also performed directly from the customer’s device, ensuring privacy and security of personal financial data.

It has been common practice for server-side aggregators to exploit customers by selling their aggregated financial data, often with dubious “agency” being buried in the terms and conditions for the service. This access and data sale can continue long after a consumer has stopped using the third-party aggregation service, as the provider continued to hold the account access credentials.

Server-side aggregation where users are asked to give a third-party their credentials is prohibited by a majority of financial institution’s terms and conditions worldwide. Further, unauthorised access by a third-party is still very much a breach of legislation aimed at system security, e.g. the Computer Misuse Act in the UK. Centralised storage of sensitive consumer data, including credentials, is the worst possible data security practice – as has been demonstrated by the recent Equifax data breach. Disclosure of credentials to a third party is never an acceptable starting point for building a robust, secure solution – by a financial institution or a fintech start-up.

Xero's and other Fintechs’ business model is under direct threat here. Any company using a server-side aggregation service encouraging customers to trust them with their banking credentials and ignore their banking terms of use, can see their business model at risk when they are forbidden or blocked from access to customers’ data by a bank. This is happening on a daily basis by banks that are increasingly focused on customers’ account security and their own liability.

Client-side aggregation is the only model giving customers full control over their own data and ensuring that no credentials are ever disclosed to any third-party.