Financial aggregator Mint.com goes to great lengths to show the world how seriously it takes security. Its spotless record and its ease of use have pushed it to the top of the North American aggregator market, and Canadians are joining in increasing numbers. However, there is one small problem. By doing so they are violating their bank’s cardholder agreement and exposing themselves to liability.
Mint launched in Canada in late 2010 to overwhelmingly positive reviews. Personal finance journalists (this correspondent included) loved the fact that the website allowed users to pull their financial data into a central, easy-to-use dashboard. Not only does it provide a bird’s-eye view of your income, spending and investments, but Mint also recommends ways to save money on bank fees, credit card rates and insurance. Best of all, it’s free.
But in order for the service to work, subscribers are required to provide their online banking IDs and passwords — something we’ve all been told repeatedly not to do. To assuage any fears, Mint explains that its parent company Intuit (maker of Quicken, QuickBooks and TurboTax) houses its data in an ultra-secure facility and uses the same technology the Canada Revenue Agency uses to transfer personal tax information with NETFILE.
However, a recent report from the Financial Consumer Agency of Canada (a crown corporation with the mandate of protecting and informing consumers of financial services) exposed serious problems in the use of such services. FCAC warned that sharing user IDs and passwords with third-party aggregators puts bank customers in breach of their cardholder agreements, thereby voiding their security guarantee.
FCAC Commissioner Ursula Menke explains that there are currently no known incidents of fraud or suspicious activity due to third-party aggregators in Canada, and that the report is a pre-emptive warning to consumers who may be unaware of the ramifications of sharing their cardholder information.
When contacted by MoneySense, representatives of the Big Five Canadian banks confirmed FCAC’s position. Each institution outlined its respective cardholder agreement, all of which explicitly state that customers who divulge their banking information to anyone are in violation of their account service agreement.
Mint Software Inc. founder & CEO Aaron Patzer insists this is not a problem. Pointing to Mint’s user agreement, he explains that by signing up for an account you are giving Mint limited power of attorney, ceding the company the right to act as your agent when accessing your banking files.
“The limited power of attorney says we are authorized to act as you or as your agent in order to download your personal information from financial institutions, for exclusively your purposes,” explains Patzer. “We are software that is an extension of you.”
So can a third party claiming power of attorney absolve you of your bank’s security agreement? In a word, no, says Toronto IT lawyer Gil Zvulony.
Quoting the cardholder agreement from his bank, Zvulony cites the essence of the contract between banks and their customers. “You must keep your card and PIN confidential,” he says. “This includes not disclosing your PIN to anyone at any time, including family, friends, financial institutions, employers and law enforcement agencies.”
“It’s in plain English,” he continues. “Don’t share it with anyone, power of attorney or not.”
Zvulony dismisses Patzer’s claim that Mint acts as a legal extension of its subscribers. “It’s not like power of attorney gives someone the same legal identity as you,” he says. “So I don’t think that clause would change the analysis in any way, shape or form. You’d still be in breach of the cardholder agreement and could be liable for any fraud on the account.”
This was confirmed by representatives of the banks, who clearly stated that power of attorney does not change liability.
Cardholder agreements aside, the issue of Mint’s security is one that subscribers must take into consideration as well. Despite the company’s venerable security credentials, accidents do happen and networks get hacked, which is why simplicity is an important aspect of any personal security effort, explains Ben Kayfetz, President of Toronto IT firm Security Solutions.
“They would have lost me at step one,” he says, referring to Mint’s personal data requirements. “You should never give out your banking information, period.”
So does this mean you should immediately delete your Mint account? If you’re lukewarm to the idea of financial aggregators and unwilling to do a little legwork, then you probably should. Your subscription to Mint (or any other third-party financial aggregator) is jeopardizing your security guarantee with your bank, full stop.
However, if you’re loath to give up the perspective on your finances that Mint provides, there are avenues you can explore before pulling the plug. First of all, Mint does have operating agreements with some Canadian banks (though they would not divulge which ones). All you need do is ask your bank where it stands with Mint and what security guarantees are in place.
RBC customers are given the option to link to qualified third-party sites without breaching any security agreements. It’s possible that other banks will follow this model.
And what if you call your bank and they say no? In that case, you’ll just have to wait until they roll out their own financial aggregator. RBC’s myFinanceTracker and BMO’s MoneyLogic have already been launched, and the other three institutions will likely release similar services soon.
In the meantime, those who decide to terminate their Mint account can start by simply changing the password to their online banking account. To fully de-register you must log in to Mint and follow the prompts. Mint will then purge your account information within 48 hours.
It’s a shame that it has come to this. Mint does a great job on both security and execution, and it has set the bar for future entrants to the market. However, its Achilles heel is that the banks — not Mint — have the final say on what’s safe. So unless you get the green light from your bank to use such a service, or until these companies work out an agreement that makes everyone happy, you are exposing yourself to potential loss.