How do you determine which third parties you can share banking login credentials with?


#1

Based on the following quote and web-page, it’s clear to me that, from a regulatory standpoint, it’s ok to share banking credentials with regulated Account Information Service (AIS) and Payment Information Service (PIS) providers.

Your banking terms and conditions should not prevent you from sharing your credentials with regulated AIS or PIS providers. Your bank cannot hold you responsible for unauthorised transactions just because you have shared your credentials with regulated AIS and PIS providers.

[1] https://www.fca.org.uk/consumers/account-information-and-payment-initiation-services

Furthermore, the following web-page lists all the regulated AIS and PIS providers, making it easy to identify who these providers are
[2] https://register.fca.org.uk/shpo_searchresultspage?preDefined=AIPISP&TOKEN=3wq1nht7eg7tr

However a number of apps/services from established financial institutions such as Yolt (ING Bank) and HSBC Connected Money are not on the list. Furthermore some startups I’m interested in trying are not on this list - such as Chip and Plum.

Link [2] also contains the following text which might or might not cover these apps (this is what I’m not clear on)

Please note that there are other firms that may lawfully provide these services. These are UK and EEA Credit Institutions, EEA Authorised Payment Institutions and Electronic Money Institutions, and EEA Registered Account Information Service Providers. Under transitional arrangements the services may also be provided by firms that were carrying out these activities prior to 13th January 2016 and continued to provide them immediately before 13 January 2018

HSBC’s entry in the FCA register does not mention the term “Credit Institution”, but I don’t really know what a credit institution is and wonder if it’s a synonym for something else?
https://register.fca.org.uk/ShPo_FirmDetailsPage?id=001b000003ZcFXFAA3

ING Bank’s entry uses the term “EEA Authorised” but not “EEA Authorised Payment Institution”. Does this mean it is or isn’t ok to share login credentials with it?
https://register.fca.org.uk/ShPo_FirmDetailsPage?id=001b000000MfF4VAAV

Chip seems to be an agent of Prepaid Financial Services which is an Authorised Electronic Money Institution. Does this mean it’s ok to share credentials with Chip?
https://register.fca.org.uk/ShPo_FirmDetailsPage?id=0010X000047TqmEQAS

Any guidance would be much appreciated. Note my interest here is how to identify whether an app/service has sufficient regulatory approval. I think technical judgement on the security underlying each app is also an important issue, but it’s a different issue.


(Alex Sherwood) #2

If they’re regulated by the FCA (so they’re on their register) then I trust them, if not, I’d be wary.


#3

For me it’s not really an issue of trust. It’s whether or not a third party has the right level of regulatory authorization. And it seems to me simply being on the register is not necessarily sufficient from this perspective.


(Alex Sherwood) #4

Ok but the FCA makes sure that financial services organisations don’t do anything that they’re not authorised to so that we don’t have to.


#5

My impression is the FCA is not saying it’s ok to share your login credentials with every single service on their register. If it was, why would they go to the trouble of highlighting the different categories of providers mentioned in the quotes I’ve highlighted?


(Alex Sherwood) #6

That’s my impression too. But the FCA makes sure that the companies on their register have the permissions they should before asking for your login credentials.


(Andre Borie) #7

You should not be sharing credentials and should instead be using a standard OAuth flow like with Facebook or Twitter where the third-party redirects you back to your bank’s website for authentication.


#8

Current regulation allows you to share credentials (although I’m not clear on exactly who you are allowed to share with - hence this thread).

Whether it’s a good idea or not is a different issue (IMO).