The fintech described Commonwealth Bank’s (CBA) warning as a scare tactic designed to alarm Raiz’s (formerly known as Acorns Australia) 200,000+ customers into no longer using the app and to drive fintechs out of business.
“Last week, Commonwealth Bank appeared to abuse its market power by threatening fintech customers, including Raiz Invest users, by scaremonger tactics over cyber security issues,” Raiz said in a statement.
It is alleged CBA warned customers through emails and push notifications that linking bank login details to services such as Raiz Invest puts their money at risk. According to Raiz, CBA was the only one of the big four banks to do this.
In an email to Raiz customers last week, Raiz Invest CEO George Lucas said it is, at worst, an attempt by CBA to reduce competition, with the big four bank having a rival micro-investment app of its own, CommSec Pocket.
“The only conclusion we can reach about CBA’s recent customer communications is that it’s deliberately designed to scare them away from other financial services companies, such as Raiz Invest, and as such is a poorly disguised attempt to protect its market share,” Mr Lucas said in a statement today.
“CBA customers and ASIC should be concerned that CBA is constantly monitoring their customer data and interacting with other financial services and products providers and implementing strategies to encourage them to switch from or cancel such services.”
In response to Raiz’s statement, a CBA spokesperson told Savings.com.au the bank regularly sends out alerts to over seven million digitally active customers to ensure the security and safety of their accounts and information.
“Password sharing increases the risk of that data being compromised and misused,” the spokesperson said.
“Cyber security is a major issue and unfortunately the increase in online fraud underlines the need for everyone to take great care of their data and account security.”
‘Less risky than sharing BSB and account numbers’
In last week’s email to Raiz customers, Mr Lucas said there is no greater risk of fraud occurring through Raiz than there is through CBA itself.
He also said sharing online login details with Raiz posed less risk than sharing BSB and account numbers with friends or utility companies for direct debits.
“CBA does not use multifactor authentication when money is electronically transferred using BSB and Account number,” Mr Lucas said.
“It may also surprise you that it does not even check that the BSB and Account number match the account name, when it electronically transfers this way.”
Mr Lucas told Raiz customers they should feel confident that their information is safe and secure when linking their CBA account with Raiz.
“We protect the data you share with us, whether on our website or our app, with 256-bit encryption. That’s the same level of encryption used by all the top Australian financial institutions,” he said.
“As proof, recently when announcing Open Banking the Australian Treasury has made it clear that the method Raiz uses to collect data is acceptable and can continue in competition to Open Banking.”
Raiz today said that CBA failed to tell its customers this.
A CBA spokesperson said the bank is very supportive of the Open Banking plan to provide access to data in a secure and practical manner which does not compromise customers’ information by sharing passwords.
“We believe Open Banking will boost competition and provide greater choice for customers and will be achieved through a well-regulated and secure framework being developed for 2020,” the CBA spokesperson said.
A 2017 review into Open Banking by Australian Treasury noted that potentially millions of Australian bank customers have given their account login and password details to data recipients (such as Raiz) that then use screenscraping technology to ‘scrape’ data (such as account balances and transactions) from customers’ internet banking interfaces and use it to provide personal financial management services.
Raiz currently does this to provide its customers with budgeting tools and insights into their own spending habits.
Australian Treasury’s report said screenscraping is risky because it may compromise a customer’s protection from fraud.
“Handing over login credentials to enable screenscraping may be a violation of the bank’s terms and conditions, meaning the customer may be liable if their credentials were to be compromised,” the report said.
However, the review pointed out that banning screenscraping “would remove an important market-based check on the design of Open Banking”.
“Open Banking should not prohibit or endorse screenscraping, but should aim to make it redundant by facilitating a more efficient data transfer mechanism,” the Australian Treasury report said.
CommBank not the only bank to discourage login sharing
Many banks in Australia are generally not in favour of customers sharing their bank login details with third-party software.
Earlier this year, a Reddit user contacted numerous banks in Australia to ask about their level of support for popular budgeting app Pocketbook, which also requires users to share their bank login details.
While some banks such as Bank of Queensland were generally supportive, many banks were firmly against sharing such details with the app, including each of the big four.