Using one of the popular personal finance apps intended to help you manage your money requires a step that causes some people to pause: when the app or site asks you for the passwords to your bank accounts and credit cards.
How safe is it really to turn over the password to the Bank of You? Aren’t we all constantly advised to do just the opposite, as in, don’t ever give anyone your password to anything or you will be inviting digital death and destruction?
We live in an era of data breaches, identity theft and online fraud. Heck, we’ve even cautioned against posting something as innocuous as your mother’s maiden name on Facebook because you’d be giving away the answer to a popular bank security question.
But platform developers and managers of these personal finance apps say they need your confidential information in order to help you manage your money. They promise they can find ways to reduce your bills, help you pay off debt, sock more away in savings, and learn how to invest wisely. Plus, they promise to protect your private data with multiple layers of encryption and security best practices.
Online security experts have strong thoughts about the wisdom of giving out your personal security information to third parties. It’s a game of “who do you trust?” they say. And, as with every online platform we use, it’s a matter of balancing the risk you’re taking against the potential reward.
And yes, there is undeniably a risk.
Find the sweet spot.
If a platform is claiming it is unhackable, well, just run, said Stephanie Carruthers, a “white hat” or ethical hacker known as Snow, whose clients include Fortune 100 companies as well as startups. Nothing is unhackable, she said.
While Snow recommends against any money-management platform that asks for your security information, she told HuffPost that “most of these apps have value and can be beneficial.”
The trick is to find the sweet spot, where the benefit justifies the risk. Carruthers suggested reading an app’s terms of service agreement to know how the information you provide will be used and the responsibility of the data collector. In other words, if the information you provide is compromised, what risk is there to you and your money?
Ilian Georgiev is a co-founder of HiCharlie, a relative newcomer to the personal finance management-by-app niche. He compares using his platform to the level of trust we already show when we shop on Amazon or anywhere else online. “Each time you hit the order button and implicitly believe that what you ordered will actually be delivered, you are showing trust,” he said.
For a business like his, Georgiev told HuffPost, a security breach would be the kiss of death ― an end to the company. Financial management platforms use multi-level security protection steps, he said, because to do otherwise would flirt with disaster.
So when you give HiCharlie your bank information, no live person ever actually sees it, he said. The service cannot move your money or transfer it out of your control to another account. The real-world equivalent, he said, is that someone gets into your trash can and finds a bank statement that doesn’t have your name on it. They would see a transaction record, but not know whose it is.
Georgiev said that a user’s bank credentials (e.g., username and password) never go through HiCharlie’s system, which receives only a list of the user’s transactions. That list is stored using bank-level 256-bit end-to-end encryption, in anonymized encrypted databases, with very strict access controls.
When you enter your bank credentials, you are actually doing so on a form provided by a third-party bank data aggregator called Plaid. It’s a system used by most personal finance apps, like Venmo, Robinhood and Acorns. Plaid, in turn, is trusted by a long list of banks and credit unions. HiCharlie never sees your bank credentials; Plaid does. HiCharlie simply gets bank transaction logs from Plaid, Georgiev said.
But some apps do store user credentials. Acorns, which rounds up your spending transactions to the nearest dollar and banks the difference for you, does get permissions to move money on behalf of the customer.
Still, trust is hard, Georgiev acknowledged. He and his co-founders posted their photos on HiCharlie, as well as the names of the investors who backed them, along with a list of other ventures those investors were previously associated with.
It’s intentional, Georgiev said. “We want people to trust us. And so we put our faces out there.”
Read the fine print.
Zouhair Belkoura, founder of the privacy protection suite of apps known as Keepsafe, suggests that before using a personal finance management platform, people should take a hard look at how far the platform is willing to go to stand behind its safety claim.
“Does the service apply the same rigor as a bank to ensure that if fraud or a breach does occur, it will ensure customers are made whole?” Belkoura asked.
The short answer to that last part is probably not. Most don’t. If the platform is hacked and your money misappropriated, the third-party platform will likely not replace it for you. And it’s a point of debate whether your bank will, because the terms of service agreement for your checking account most likely admonishes against giving third-party sites access to your account information. Banks discourage the use of these apps, although some consumer advocates argue that’s because banks just want to be able to market products to you directly and don’t appreciate another business getting between them and their customers.