Why banks want you to drop Mint, other 'aggregators'

Millions of people share their bank account passwords with third-party sites and apps that help them track their spending, but some of the biggest financial institutions, wary of hacking risks, are trying to scare people into not using them.

JPMorgan Chase & Co. and Capital One Financial Corp., for example, warn on their websites that customers could be liable for any fraud in their accounts — even though federal regulations say otherwise.

The banks' warnings, however, are off base.

Federal banking rules known as Regulation E sharply limit customers' liability for unauthorized electronic transactions from their accounts, provided they report the fraud promptly.

The rules say that customers' negligence — such as writing a PIN on a debit card — does not increase their liability.

A customer would be on the hook for unauthorized transactions if she gives her card or credentials "and grants authority to make transfers to a person (such as a family member or co-worker) who exceeds the authority given," the rules say. Customers are fully liable for the transfers until they notify the financial institution that the person is no longer authorized to use the account.

That is the passage that Chase and other banks point to when warning people they may be liable if they share credentials with a third party.

"When you give Mint your bank password, you don't give them permission to make transfers," Saunders said. "You don't need to be a lawyer to understand that you are not a consumer who 'grants authority to make transfers.' "

Even when people use a bill-pay app that does move money, they are granting access to the app — not to hackers who steal their credentials.

Who would be liable, though, is an unsettled question of great concern to banks. The Wall Street Journal reported last week that JP­Morgan Chief Executive Jamie Dimon discussed with Consumer Financial Protection Bureau chief Richard Cordray the security risks posed by aggregators.

Chase and the CFPB declined to comment. Intuit declined to comment on the banks' warnings, saying in a prepared statement: "Delivering secure and seamless connectivity is a shared priority across Mint and thousands of our financial institution partners."

It is worth pointing out that Mint has never had to announce a security breach — unlike Chase, which last year reported a cyberattack had compromised 83 million of its accounts.

Rather than scaring people, the financial sites and banks should work together to create a common secure standard for sharing information — one that might involve app-specific passwords, Sullivan said.