Nova Scotia·CBC Investigates

Privacy experts slam National Bank asking customers for their password at other banks

Privacy experts are dumbfounded by the National Bank of Canada's policy of asking potential customers who want to open a new online account remotely to give them their account number and password for an account at another bank.

'Unprecedented and completely privacy invasive,' says former privacy commissioner

Paul Kaminsky was surprised when he was asked to provide login access to an account at another bank when he tried to open a new online account with National Bank of Canada. (Dianne Kaminsky)

It's the mantra virtually everyone has heard from privacy experts, their banks and anti-fraud investigators: Never give anyone your banking passwords or access to your online accounts.

Paul Kaminsky has heard it many times, too, and that's why the Edmonton resident couldn't believe it when he was asked to provide his account number and password from another bank as he tried to open a new online account with National Bank of Canada.

"Boy, that's a first for me," Kaminsky said.

The message on National Bank's website said "You must provide your sign-in access to another major Canadian financial institution."

Kaminsky had no problem providing his bank account number, but he wasn't prepared to give up his password. That's because banks make you liable for any fraudulent charges on your account if you share your banking access information.

'Never tell anyone your password'

Even National Bank warns its customers not to divulge their banking info.

Tell us what you think!

Help shape the future of CBC article pages by taking a quick survey.

"Never tell anyone your password," says a post on its website.

"This rule applies even to members of your family and anyone claiming to be a National Bank employee. Remember, your password is like the key to your house. You must take all the necessary precautions to prevent it from falling into someone else's hands."

However, National Bank makes no apologies for requesting the information, saying it "is scrubbed 100 per cent" and called the requirement an "innovative" way for customers to create an online account without having to visit a bricks-and-mortar bank.

Former Ontario privacy commissioner Ann Cavoukian says National Bank's request for customer login information for another bank is 'unprecedented.' (Onnig Cavoukian)

"I've never been confronted with that before in all my 20 years of online banking," Kaminsky said.

Neither banks Simplii nor Tangerine — which are online only and don't have traditional brick-and-mortar banks — require customers opening an account to provide access to an account at another bank.

Kaminsky erred on the side of caution, logged off and didn't go ahead with opening an account with National Bank.

He emailed the bank asking if they were really serious about the requested information and how they would feel about one of their clients giving access to a National Bank account. He said he hasn't received a response.

'Unprecedented' request, says privacy expert

Privacy experts see it differently. 

"I've never heard of such a thing. It's unprecedented and completely privacy invasive that they would ask for your [password], which only you should have. That's not something you share with a bank," said Ann Cavoukian, former information and privacy commissioner of Ontario.

She said the request reflects no understanding of the sensitivity of the information.

Sharon Polsky, president of the Privacy and Access Council of Canada, says people who give their banking info to others may be liable if they're victims of fraud. (Submitted by Sharon Polsky)

"Everybody's been hacked these days and data breaches abound, so why would you reveal this information if you don't have to?" Cavoukian asked.

Sharon Polsky, president of the Privacy and Access Council of Canada, called the request "startling" and said there are other ways of verifying a person's identity that are less invasive and risky, such as credit bureau checks.

"I'd suggest that National Bank is being a bit heavy-handed and they might want to revisit what information they are collecting," Polsky said. 

National Bank cited regulations from the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as the basis for asking for access to a potential customer's existing account.

The head office of the National Bank of Canada is seen in Montreal on April 21, 2017. (Ryan Remiorz/Canadian Press)

FINTRAC is the government body established to prevent money laundering and the financing of terrorist organizations. Its regulations set the rules for the information required by banks when customers open an account.

In an email to CBC News, FINTRAC spokesperson Renée Bercier said one way for a bank to confirm a customer's identity is to refer to information that includes a person's name and confirms they have an account with a financial entity.

However, she said and noted in boldface type that "Nothing in the Act or Regulations requires a business to collect the login details of any person or entity."

Bercier said in cases where this happens, "the business offering the service typically does not not have access to the information that is entered," although she said FINTRAC can't speak to National Bank's practices.

National Bank stands behind its approach

National Bank's senior manager of everyday banking solutions, Mariana Elizalde, said National Bank's processes are secure.

"We have many people that have gone through the process and opened an account online," she said, adding if someone is uncomfortable in providing access to their bank account, they can go to a National Bank branch instead.

As for requiring access to another bank account, Elizalde said that information isn't kept by National Bank.

"It is scrubbed 100 per cent," she said.

However, that doesn't satisfy Cavoukian, the former Ontario privacy commissioner. She'd like to know how the information is scrubbed and whether it's retrievable.

"I have no idea what would happen in this instance, but [them] just expecting me to trust them? No," said Cavoukian.

'Ask questions,' says privacy body

The Office of the Privacy Commissioner of Canada declined comment, saying it hasn't examined the specifics of this case.

"Our general advice to individuals who are uncomfortable with a request for information is to ask questions," spokesperson Vito Pilieco wrote in an email.

He said if people are not satisfied with the response and believe there has been a violation of federal privacy laws, they have a right to file a complaint with the federal privacy commissioner.

The Canadian Bankers Association (CBA) — of which National Bank is a member — cautions people on its website against disclosing their banking information.

"Although your bank may contact you by text, email and phone they will never ask you to disclose personal information such as your credit card number, PIN or online banking password as they already have that information," it said.

"If you are unsure about any communication you receive, contact your bank using a phone number or email address that you know is legitimate."

Bankers association: 'acceptable'

CBA spokesperson Mathieu Labrèche said that comment is intended to educate people on how to avoid phishing, scams and other illegitimate acts, such as those that have not been initiated by a customer.

"Sharing sign-in access with another Canadian financial institution for a legitimate purpose, such as opening an account online, is acceptable," Labrèche said.

The Canadian Anti-Fraud Centre, which collects information on internet fraud and identification theft complaints, doesn't recommend people share their login details with anyone.

"Not to mention, I don't think banks will even ask their customers for this information," spokesperson Jeff Thomson said in an email.

Polsky urges people to protect their private information.

"It's important for people to become better aware of their rights and responsibilities and to question things, not to meekly give up information because they were asked," Polsky said, adding if people are uncomfortable with a request, they should ask what other information can be provided instead.



Yvonne Colbert

Consumer Watchdog

Yvonne Colbert has been a journalist for nearly 35 years, covering everything from human interest stories to the provincial legislature. These days she helps consumers navigate an increasingly complex marketplace and avoid getting ripped off. She invites story ideas at