An article appeared this morning in Canada’s Globe and Mail newspaper, echoing conversations that have already been taking place in the U.S. The plain English version of the issue goes something like this:
- If someone uses your credit card fraudulently, or if your bank account is accessed illegally, most financial institutions will absorb the loss and free you of responsibility.
- In the fine print of some bank and credit card user agreements is a condition: if you share your password info with anyone, that protection goes away.
The question now arises: How does this impact our customers here at Wave? Many Wave customers connect their bank and credit card accounts with Wave, and that connection involves a secure login using your bank password. So what does this fine-print condition mean for them?
First, it’s worth reiterating a point made in the Globe article: “Ursula Menke, Commissioner of the Financial Consumer Agency of Canada, said she has not received any complaints of fraud or abuse stemming from financial aggregation services.” So the commissioner is — quite appropriately — being proactive in avoiding problems in the future, but it’s not the case that consumers have actually been stung by this sort of issue.
At Wave, we take every precaution we can to ensure that your data and login credentials are ultra-secure.
- The connection Wave makes with your bank is read-only, meaning that even if someone broke into your Wave account, they wouldn’t be able to move your money.
- Wave doesn’t store your bank login on our servers. Instead we use a specialist data partner, whose other customers include some of the world's largest banks (such as Bank of America, Citibank, Wachovia and Royal Bank of Canada), to handle the bank login process. That means that if someone hacked into Wave’s servers (unlikely), they still wouldn’t be able to steal your bank login info.
- We use bank-quality encryption technologies, and other technological and physical safeguards, to keep your info and your money protected; and we hire third parties to test the adequacy of those safeguards.
Now, banks themselves use the same data partners we do. In fact, some of the data aggregation companies out there were founded in partnership with banks. So, given all these facts, is this enough reassurance to satisfy your bank? Maybe, and maybe not. As the commissioner notes, there haven’t been any problem cases to look at yet. This is all theoretical. So if you use a “data aggregation” service like Wave, or like Mint, which is mentioned in the Globe article, and then run into a problem with your credit card, we can’t say for sure how your financial institution will react. Assuming the data aggregator wasn’t responsible for the fraud, will the bank take the high road and continue its protection of its customers? Or will it take advantage of a fine-print loophole and cut off that protection? That’s still the blind spot in this conversation.
If anything in that conversation spooks you, the great news is that you can still use Wave, without connecting to your bank accounts. At worst, your process just changes a little bit. Unlike some other services that can’t function without a bank connection, you can still use Wave to save time and fight accounting headaches. Specifically, you can upload an electronic statement from your bank or credit card as often as you want — weekly, monthly, whatever. Doing this, you eliminate all the manual entry work of your bookkeeping and accounting, without sharing any password information, and without stepping on your bank’s fine print.
Your financial and data security and privacy are important to us, so please contact us if you ever have concerns. You can reach me directly at email@example.com. We’ll update the blog as this situation develops further.