and you

Cardholder agreements are written plainly for a reason. Ignore them at your peril.



Online only.



Financial aggregator goes to great lengths to show the world how seriously it takes security. Its spotless record and its ease of use have pushed it to the top of the North American aggregator market, and Canadians are joining in increasing numbers. However, there is one small problem. By doing so they are violating their bank’s cardholder agreement and exposing themselves to liability.

Mint launched in Canada in late 2010 to overwhelmingly positive reviews. Personal finance journalists (this correspondent included) loved that fact that the web site allowed users to pull their financial data into a central, easy to use dashboard. Not only does it provide a birds-eye-view of your income, spending and investments, but Mint also recommends ways to save money on bank fees, credit card rates and insurance. Best of all, it’s free.

But in order for the service to work, subscribers are required to provide their online banking IDs and passwords — something we’ve all been told repeatedly not to do. To assuage any fears, Mint explains that their parent company Intuit (makers of Quicken, QuickBooks and TurboTax) house their data in an ultra-secure facility and use the same technology as the Canada Revenue Agency uses to transfer personal tax information with NETFILE.

However, a recent report from the Financial Consumer Agency of Canada (a crown corporation with the mandate of protecting and informing consumers of financial services) exposed serious problems in the use of such services. FCAC warned that sharing user IDs and passwords with third-party aggregators puts bank customers in breach of their cardholder agreements, thereby voiding their security guarantee.

FCAC Commissioner Ursula Menke explains that there are currently no known incidents of fraud or suspicious activity due to third-party aggregators in Canada, and that the report is a pre-emptive warning to consumers who may be unaware of the ramifications of sharing their cardholder information.

When contacted by MoneySense, representatives of the Big Five Canadian banks confirmed FCAC’s position. Each institution outlined its respective cardholder agreement, all of which explicitly state that customers who divulge their banking information to anyone are in violation of their account service agreement.

Mint Software Inc. founder & CEO Aaron Patzer insists this is not a problem. Pointing to Mint’s user agreement, he explains that by signing up for an account you are giving Mint limited power of attorney, ceding the company the right to act as your agent when accessing your banking files.

“The limited power of attorney says we are authorized to act as you or as your agent in order to download your personal information from financial institutions, for exclusively your purposes,” explains Patzer. “We are software that is an extension of you.”

So can a third-party claiming power of attorney absolve you of your bank’s security agreement? In a word, no, says Toronto IT lawyer Gil Zvulony.

Quoting the cardholder agreement from his bank, Zvulony cites the essence of the contract between banks and their customers. “You must keep your card and PIN confidential,” he says. “This includes not disclosing your PIN to anyone at any time, including family, friends, financial institutions, employers and law enforcement agencies.”

“It’s in plain English,” he continues. “Don’t share it with anyone, power of attorney or not.”

Zvulony dismisses Patzer’s claim that Mint acts as a legal extension of its subscribers. “It’s not like power of attorney gives someone the same legal identity as you,” he says. “So I don’t think that clause would change the analysis in any way, shape or form. You’d still be in breach of the cardholder agreement and could be liable for any fraud on the account.”

This was confirmed by representatives of the banks, who clearly stated that power of attorney does not change liability.

Cardholder agreements aside, the issue of Mint’s security is one that subscribers must take into consideration as well. Despite the company’s venerable security credentials, accidents do happen and networks get hacked, which is why simplicity is an important aspect in any personal security efforts, explains Ben Kayfetz, President of Toronto IT firm Security Solutions.

“They would have lost me at step one,” he says, referring to Mint’s personal data requirements. “You should never give out your banking information, period.”

So does this mean you should immediately delete your Mint account? If you’re lukewarm to the idea of financial aggregators and unwilling to do a little legwork, then you probably should. Your subscription to Mint (or any other third-party financial aggregator) is jeopardizing your security guarantee with your bank, full stop.

However, if you’re loath to give up the perspective on your finances that Mint provides, there are avenues you can explore before pulling the plug. First of all, Mint does have operating agreements with some Canadian banks (though they would not divulge which ones). All you need do is ask your bank where it stands with Mint and what security guarantees are in place.

RBC customers are given the option to link to qualified third-party sites without breaching any security agreements. It’s possible that other banks will follow this model.

And what if you call your bank and they say no? In that case, you’ll just have to wait until they roll out their own financial aggregator. RBC’s myFinanceTracker and BMO’s MoneyLogic have already been launched, and the other three institutions will likely release similar services soon.

In the meantime, those who decide to terminate their Mint account can start by simply changing the password to their online banking account. To fully de-register you must log in to Mint and follow the prompts. Mint will then purge your account information within 48 hours.

It’s a shame that it has come to this. Mint does a great job on both security and execution, and it has set the bar for future entrants to the market. However, its Achilles heel is that the banks — not Mint — have the final say on what’s safe. So unless you get the green light from your bank to use such a service, or until these companies work out an agreement that makes everyone happy, you are exposing yourself to potential loss.

12 comments on “ and you

  1. With reference to RBC allowing the option to use an approved 3rd party… I called RBC to ask about my protection and my use of Mint. I was told that providing my password to Mint did indeed invalidate my protection. Does anyone know where the statement that approved parties are permitted can be found? Apparently RBC isn’t very clear on this yet.


  2. So that means if firefox saves my password, that's a violation of the bank's agreement as well? I'M giving it away and storing it in another location other than my brain. Storing it on Firefox's database,'s database, or anywhere else for that matter should void your agreement. But on the flip side, nobody has said how the banks can find out if you use anyways.


  3. Pingback: Toronto IT Lawyer and sharing your password with

  4. I admit that I have not checked out or the service it provides. That said, I do not understand why a software download, even one that assists you with financial decisions, should require bank login information. A username and password should suffice, as is the case with any other product.
    Information accessed by the site can and should be manually entered or pulled off personally owned software such as Quicken or Excel. Call me old fashioned but every computer program is subject to potential misinterpretation of data. People should be vigilent or at least aware of the information being entered and utilized.


  5. If Mint were 'Canadian' or owned by one of the big five banks, this would be a none-issue. Have the same regulator's 'safeguarded' consumers against higher bank fees and the cornucopia of fees these banks charge for mundane banking functions?

    Aggregator's provide useful information to consumers and cuts into the 'financial advice' the bank's financial adviser's can provide – most of us using an agregator can figure out what best to do about our finances and not rely on the 19 yrs old 'advisor' at the big banks! …maybe the technology needs to change, but to me this is more an attempt by the Canadian banks to fend off competition so they can launch a user-unfriendly inefficient product.

    Once again, sad day for consumers in the name of regulation for consumer safety.

    The financial aggregator's the Canadian bank's roll out at fully compliant is it? And we as 'progressive minded' Canadian's who are 'better' than the American's keep buying this hog wosh!


  6. Great article. I currently use Mint but I definitely want to have a closer look at those points. Thanks for shedding some light on them!


  7. Gotta say, the issue of handing out my personal account passwords is why I didn't complete the sign-up process with

    I don't understand why it needs to save the password. Why not set it up like other products made by Intuit, where it simply takes you to your bank's webpage, where you log in, and you download a file which automatically updates your records. It's really not hard. For people who don't understand, they could make walk-throughs. Heck, you could at least give people the option! Seems like a simple enough solution.


  8. Pingback: Joomla Hosting

  9. Great article. I created an account but had not added my bank or cc to it. I think I will wait until these issues are cleared and resolved. It looks like a great product though. Problem is that these companies like Intuit are "profit driven".


Leave a comment

Your email address will not be published. Required fields are marked *