There are several third party providers who offer intra-bank payment and account information services for e-banking clients. To access client bank accounts, they usually request and use client e-banking access data. However, passing on personal access data to third parties can lead to severe security risks for you as a client. In addition, third parties can then transfer your bank client data from banks’ very strongly regulated systems (FINMA, banking legislation, etc.) to environments which are less strictly controlled.
- not passing on your personal access data (password, PIN, ID number, etc.) for e-banking purposes to anyone, i.e. to no other person or any third party providers.
High-risk use of intra-bank online services
Services that third party providers can offer using clients’ personal e-banking access data include, for example, access to bank accounts held with different financial institutions via just one platform. But watch out - by passing on your personal e-banking access data to any such platform, you are running severe security risks.
Impersonation as a security risk
To access their clients’ bank accounts, third party providers usually use something called impersonation. To this end, they ask their clients for the personal access data (e.g. password and ID number) for their e-banking facility and then use these data to obtain unlimited access to these accounts in their role as an intermediary. If you as a client pass on your personal access data in this manner, this is similar to booking your holidays at a travel agency, logging the travel agent into your e-banking account and then leaving the shop - blindly trusting that the travel agent will debit only the amount you owe from your account and will then log out again straight away. Any nosy employee could just as well have a look at how much salary you are paid, and if they have malicious intentions, they could even try to finance their own holidays from your account. Technically speaking, the use of impersonation is identical to the approach used in classic-style phishing attacks, even if the third party provider is a respectable one!
With any inappropriate use of your personal access data, your bank will hardly be able to tell whether it is you (the client), a third party provider instructed by you or - in the worst case scenario - a criminal intermediary they are communicating with. This means financial institutions can no longer act with a sufficient degree of due diligence, for instance with regard to protecting their bank client data.
Loss of control over bank client data
While Swiss financial institutions are subject to strict guidelines to protect their bank client data and the security of their systems, third party providers can save and process large amounts of data in environments which are much less well regulated. These systems are sometimes neither owned nor controlled by them, because third party providers often use so-called cloud solutions, where the exact storage location of data is often unknown. And as a rule, Swiss bank client confidentiality does not apply to such systems either!
The effects of this loss of control over the storage of personal data are incalculable. And if nothing else, this can make it easier for criminals to obtain access to personal bank client data.
Please be careful
Both impersonation and the non-regulated processing and storage of bank client data harbour significant risks for you. «eBanking – but secure!» therefore advises against passing any personal e-banking access data to third parties at all.