The audacity of accountchek.com

Question

Maybe I'm being overly sensitive as an IT professional who has a security mindset, but I am doing a mortgage refinance right now. My lender, who is legitimate (I used them a few years ago for the original purchase of my home), is asking me to help them verify my bank account balances via a service called accountchek.com (not to be confused with accountcheck.com).

Apparently the way this service works is that you go to the site, put in your e-mail address, the last 4 digits of your SSN, and some code that your lender pre-configured for you. Once you do that, it asks you for the username and passwords of all of your bank accounts so it can verify your balances. I called my lender and asked incredulously if they seriously expect me to do this. Yes, yes, they do.

Is it just me, or does this go against everything we've ever been taught about giving out passwords to third parties? I guess this is sort of a meta, philosophical question rather than one that has to do with technology, but since technology is in the mix here, I thought I'd request some feedback.

I'd be looking for a new lender. Or if you must comply, immediately change all your passwords after the service has run its checks. — iainpb, Jul 10 '17 at 16:02
Changing passwords immediately afterwards is an excellent idea... if I do go through with it. — theglossy1, Jul 10 '17 at 16:08
Follow-up... my lender (who I know and is a nice guy) said that he understands my concerns and they will just do it the old-fashioned way for me. Good deal. — theglossy1, Jul 10 '17 at 16:16
Ask your bank what they think about this, chances are they can just send the info without the access. What could their plan be for two factor authentication? — , Jul 10 '17 at 16:17
Just ran into it, and found out what their solution to 2fa and security questions is: accountchek just asks for those as well. — trutheality, Mar 21 '19 at 20:28
I personally blame the banks. It's 2019 and they haven't provided a way to delegate privileged information to 3rd parties. My financial data shouldn't have to be reified into PDF in order to submit it to other providers. — acjay, Dec 30 '19 at 06:41

score 9 · Answer 1 · answered Jul 10 '17 at 20:31

This is a very bad idea, but yes, various aggregators do exactly this. One of the few upsides of the new Open Banking and PSD2 regulations will mean aggregators are no longer going to need this sort of nonsense, as banks will provide APIs to share data.

It does present a huge challenge around understanding where data loss may have occurred after an incident, but for the customer there is a massive increase in security in not putting all these username and password combinations in aggregators database.

score 3 · Answer 2 · answered Apr 07 '18 at 01:59

We are in Apr 2018 right now and I just went through this same nonsense with my lender. When I saw the requirement for my login credentials to be put in, that drew a red flag. I called one of my banks, SFCU, and they kept me on hold while they checked and double checked about 'Accountchek.' They came back and said three important things: 1. I will be doing it at my own risk as they have never heard of such a requirement 2. I will be compromising my login credentials by allowing a 3rd party to access it 3. If I have to do it, they are strongly advising me to go back and change the passwords after I have completed the check

Bottom line, I refused to do it which did not make my lender happy, but he said to use their document center for a secure upload!

I cannot believe that there are actually institutions, which expect clients to do this!!!

Get a different lender? It's a red flag. There's many lenders that don't do this sort of crazy stuff. — Steve Sether, Feb 19 '20 at 19:12

score 2 · Answer 3 · answered Feb 13 '20 at 03:04

Anyone who has been requested to use the service should pay special attention to the privacy policy and terms of service(TOS) for AccountChek's parent company FormFree Holdings Corporation

https://www.formfree.com/privacy-policy/

The information provided by the lender includes the borrower’s name, e-mail address, telephone number, the last four digits of his/her Social Security Number (for identity authentication), the name of the borrower’s employer(s), the amount of the borrower’s net paycheck, the amount of required reserve funds, the loan number, and the names of financial institutions and accounts that are to be verified through the online service.

Since even if you do not decide to use the service you may still need to request that your personal information already provided by your lender should be removed from their system.

Also if you do decide to use the service you may want to note AccountChek's TOS

https://verifier.accountchek.com/tos

DISCLAIMER OF WARRANTIES

YOU EXPRESSLY UNDERSTAND AND AGREE THAT: ... ACCOUNTCHEK MAKES NO WARRANTY THAT ... (ii) THE SERVICE WILL BE ... SECURE ...

The audacity of accountchek.com

3 Answers3