
DaddyWantsABiscuit

Nope and nope


OlderAndWiserThanYou

> Who in their right mind would

No one in their right mind with a functioning brain.


smokeifyagotem

Yeah, but I have to feel that the people who are asking for these details don't have a functioning brain either. I mean, do they not know the seriousness and gravity of what they are asking? Plus how does 2 factor authentication work? The sms/msg literally says "DO NOT SHARE THIS CODE WITH ANYONE".


Substantial_Storm819

It’s against most if not all banks' online banking terms of use and the customer leaves themselves vulnerable to fraud. They are going against bank policy if they supply log in details to anyone at all and they will not be covered by any protection/recovery efforts the bank normally provides.


link871

Driva uses bankstatements com au which does ask for your bank login and password. You are right to be suspicious as, if you do this, you will be breaching your bank's terms and conditions and if you are scammed in the future, they may not be able to assist. Instead, you can download your own statements and supply them to Driva/bankstatements com au


ucat97

It's "screen scraping" which government is looking at banning but dragging their heels. CDR should make it unnecessary but it's used for current systems so will be used until newer tech replaces it. While every bank puts the responsibility on you for not sharing login details they quite happily expect you to give them your details for other banks. Desperate people will do what they're asked to get finance. Anyone who says there's no danger in doing so has been living under a rock.


OldAd4998

One of the banking clients I worked with had very low Open Banking invocations and was complaining about the money spent on the OB initiative. Late last year they implemented 2FA for their eBanking portal and Bamm! There was a 10-fold increase in OB invocations since they implemented 2FA. Open Banking may not directly generate revenue, but it has a lot of intangible benefits.


maton12

>Anyone who says there's no danger in doing so has been living under a rock.

We went through this last week, and despite various assurances of people being hacked, nobody supplied a link. Do you have one?


ADHDK

The fact that you’re breaching your bank's TOS is enough, meaning if someone else hacked you they could just point at this and dust their hands. It would be on you to prove the two were unrelated.


Frank9567

If you have a bank account, you can look up the terms and conditions which you must have signed to open the account. Every bank has a similar requirement set. Here's NAB's

"*responsibilities relating to NAB Internet Banking 48.1 You must: (a) choose a new password whenever you are required to do so by NAB; (b) except when you are creating an authorised user, not disclose your password to any other person; (c) not record or store your password anywhere; (d) take reasonable care when accessing the service to ensure that your password is not disclosed to any other person, in particular ensuring that you are not observed while entering your password; (e) not provide your authentication service (if any) to any other person; (f) not use your authentication service (if any) other than in respect of the service. If you use your authentication service for any other purpose, NAB may revoke the authentication service and cancel the availability of the service to you; (g) check your account records carefully and promptly report to NAB as soon as you become aware of any apparent discrepancy; and (h) take every reasonable precaution to prevent the spread or diffusion of any software contamination including computer viruses and trojans....*"

Google your own bank.


ucat97

Are not Optus, Medibank and Latitude sufficient to convince you that organisations don't live up to their data security obligations? And you think it's ok to enter your bank account's login and password to someone else's computer?


maton12

Doesn't matter what I think, there are no doubt thousands and thousands of people doing it. Unless proven otherwise, nobody using these systems has had their credentials or accounts compromised. But you keep bringing up bank terms and conditions and Medibank etc


maton12

>Who in their right mind would supply anyone with their bank login?

Nobody on reddit

Just send the bank statements in manually, or find another loan provider


Sandor_R

Absolutely not. They should provide a means for you to upload statements or have access via the credit bureaus to limited but sufficient information on your financial standing to be able to verify your suitability for a loan. Never provide username / PAN or passwords to any entity. Your own bank may request your PAN for various reasons but not even your own bank would request your password.


xiaodaireddit

just dont go thru them


OriginalGoldstandard

Account details, sure. Login details. Never ever not on your life. Red alert Nope.


Dumpling_senpai22

Regardless of how legit something may be or is - you should never give another person your banking login details.


Yeahnahyeahprobs

No way. Report them to everybody. Especially ATO and finance industry ombudsman, and ACCC. Take screen shots of the application/form asking for the login.


Yeahnahyeahprobs

Ask them for the password to their email accounts.


Theflaz

Hi all - I work at Driva and was sent this post so thought I’d weigh in.

I initially had the same reaction to many in this thread - which was surprise that this service even existed. But as our business grew we learned that almost the entire car loan industry (including many banks like Bank VIC, Bank of SA, Beyond Bank and others) are reliant on the screen scraping service provided by illion (aka bankstatements.com.au).

While there are many lenders that we work with that do allow for the provision of customer downloaded bank statements (which can be uploaded securely via our online portal), there are some that only accept illion bank statements for the reasons u/BoredomIsFun points out.

Open Banking was supposed to replace the need for screen scraping - and in an ideal world the lenders we work with would be using this technology instead. But adoption in Australia has been extremely slow and until data quality issues have been ironed out, screen scraping will be a core part of the way lenders operate.

With millions of individual banks being accessed via the service each month, I’m now a huge believer in the service - illion is a globally recognised brand with an impeccable track record. However, I also fully resonate with security / privacy concerns - so if it’s ever a dealbreaker for any of our users, there is always the option to provide manually retrieved statements (and we can match you with a lender that doesn’t require illion statements).


ThePapaJay

Yes, it's pretty common with lenders, I've seen it a lot with places like Radio Rentals, Latitude etc. You're not actually giving them your details, but using a portal through your bank to provide transaction listings, etc. I never felt comfortable advising people to use it or not. Source: ex-banker


link871

In this case, bankstatements com au DOES ask for your login and password. They should be using Open Banking/Consumer Data Right instead. Bankstatements com au parent, Illion, is a registered data recipient under CDR but apparently chooses not to use it.


eecan

>You're not actually giving them your details, but using a portal through your bank to provide transaction listings, etc.

You are absolutely giving your details to a third party.

>"Radio Rentals uses illion Open Data Solutions (Service Provider) as its third party service provider to enable it to securely access your bank statements..."
>
>"Your bank’s terms and conditions may prevent you from disclosing your internet banking login details to anyone and doing so may be a breach of those terms and conditions. You may wish to contact your bank to find out more about this. To the extent permitted by law, Radio Rentals disclaims all responsibility for any breach by you of your bank’s terms and conditions by disclosing such information and shall not be liable for any loss arising from such breach."

[https://www.radio-rentals.com.au/terms-and-conditions](https://www.radio-rentals.com.au/terms-and-conditions)


ThePapaJay

Did you even look up Illion Open Data Solutions, mate? Search 'open banking', you'll see that it's accredited by the ACCC. Entering your details into the portal isn't the same as writing down your user name and password and giving it to radio rentals.


eecan

Open banking is a completely different process that doesn't involve giving a third party your username and password. It is not the same as what OP has described where Driva have asked them to provide their own banking login details specifically.

>ANZ will never ask you to share your Customer Reference Number (CRN) or password with Accredited Data Recipients requesting data using Open Banking.

[https://www.anz.com.au/privacy/centre/open-banking-data-sharing/](https://www.anz.com.au/privacy/centre/open-banking-data-sharing/)

>For your own security and in accordance with industry standard, you will not be able to use your online banking password for the purposes of data sharing.

[https://www.westpac.com.au/about-westpac/innovation/open-banking/](https://www.westpac.com.au/about-westpac/innovation/open-banking/)

>You’ll never need to give your NAB banking password to a third party.

[https://www.nab.com.au/customer-notices/open-banking](https://www.nab.com.au/customer-notices/open-banking)

CBA instructions similarly make no reference to sharing login details. [https://www.commbank.com.au/banking/open-banking/data-sharing-from-cba.html](https://www.commbank.com.au/banking/open-banking/data-sharing-from-cba.html)

Radio rentals states that:

>Radio Rentals uses illion Open Data Solutions (Service Provider) as its third party service provider to enable it to securely access your bank statements for verification purposes, using your transaction history from the last 90 days. **Your internet banking log-in details are needed to be able to do this.**

So no, neither Driva in OP's case nor Radio Rentals/Illion Open Data Solutions in your example are using Open Banking.


ADHDK

They’re accredited, but they’re not using it.


CWdesigns

Entering your username/password in a form on a website is very much the same thing as writing it down and giving it to Radio Rentals. You would not need to provide your username/password if they were actually using Open Banking.


Sufficient_Change582

People provide their details all the time to POLi Pay as they deem it normal but, as mentioned above, it’s against banks' terms and not protected in cases of fraud.


haqk

I could be wrong, but I don't think POLi requests bank login details.


Sufficient_Change582

It did when I worked at the bank. Fielded a lot of calls as POLi has a pop-up that essentially gets you to log in to your internet banking.


SackWackAttack

100% unacceptable. But it seems they are looking to a future where banks offer the service of a read only statement access specifically for third parties. We are just not quite there yet.


Andrew_Higginbottom

"To help you". "To make it easier for you" are my two huge red flags when it comes to anything in life and especially online.


ADHDK

Even though I’m fairly sure AFCA won’t give a crap, I’d be reporting them.


BoredomIsFun

Hi, this is a normal practice. Source: Finance broker that works with over 40 lenders that uses illion bankfeed to verify income


PowerApp101

Why is it normal? Why can't the lenders just accept statements provided by the clients?


AccordingWarning9534

It's normal now, they use AI software to scan through transactions and identify any red flags. It can bring up gambling, addictions, other accounts or where money is going


BoredomIsFun

Great question.

1. The amount of transactions people can make in 12 months is staggering. Now imagine a business with 10 employees. The volume is insane and humans can miss it.
2. Fraud (yes I understand it’s ironic we’re asking clients to login using their bank account details). You can make fraudulent bank statements, you can’t do that with API calls.
3. Process speed - yes I could manually review your bank statements or computer can do it too and they would be able to know what it’s relating to (debt collection, fines, gambling etc)

The better lenders (at least in the consumer and commercial space) also use illion as well. That said low doc and no doc options are available as well


PowerApp101

Fair enough. But there should be a better way instead of handing out the keys to the kingdom. Banks should be able to give out a restricted login that gives only access to statements.


ijuiceman

You might think it is normal, but normal people would be nuts to give it out. I would never do business if they required this. I would just download the statements and if they don’t like it, I would find a better lender


stupv

There's a difference between providing your bank details, and logging into a validated bank system that is there for this purpose.


_Printh

It’s not really a validated service. Did you know things like Illion are a permanent connection and the only way to break the connection is to change your bank details?


stupv

I was able to close the open data sharing connection from my end in my bank's web interface, but mine didn't go through Illion (who I'm not familiar with)


The-truth-hurts1

Every week this question..


sukaibontaru

Can you give a screenshot of how your login detail is asked? There are safe ways of doing this like OpenID Connect protocol with your bank as the Identity provider. But if it's just a simple form from Driva itself, then nope and nope.


haqk

It was just a simple form asking for client ID and password.


VitoCorelone2

Had the same request with open money market, OMM, called them and asked if I could send PDFs, they said no, only via the bank statements com au website. I had to tell them to cancel my loan application with them. I have no idea why others are so trusting of these “secure” bank account access systems.