Stash collects your bank account login credentials, meaning the username and password you use to log into your external bank account, in addition to your Social Security number and other highly sensitive financial identifiers.
This analysis describes what Stash's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Collection of bank login credentials is associated with account aggregation services that access your external financial accounts on your behalf; this practice involves significant security considerations and may be subject to regulatory scrutiny regarding data access standards and consumer protection.
Stash collects your actual bank account login credentials as part of account linking, which means providing a third party with the ability to access your external financial accounts; consumers should understand what access is granted and whether it persists after initial linking.
Stash has changed this document before.
"Your name, alias, date of birth, citizenship and passport number, visa information, home address, telephone number, email address, Social Security number, bank account number, bank routing number, bank account login credentials, bank name, employer name, employment status, and job position."
— Excerpt from Stash's Stash Privacy Policy
REGULATORY LANDSCAPE: The collection and use of consumer bank login credentials for account aggregation engages the CFPB's regulatory posture on financial data access, including the CFPB's Personal Financial Data Rights rule (Section 1033 of the Dodd-Frank Act), which addresses standards for consumer-authorized data access. The FTC Act applies to material omissions about the scope and security of credential-based account access. The GLBA applies to the security and handling of nonpublic personal financial information. The CFPB is the primary enforcement authority for Section 1033 compliance.
GOVERNANCE EXPOSURE: High. Collection of bank login credentials is a practice subject to increasing regulatory scrutiny. The CFPB's Section 1033 rulemaking addresses the conditions under which third parties may access consumer financial accounts and places requirements on data minimization, security, and revocation of access. Compliance with these emerging standards is a material governance consideration for Stash's account aggregation practices.
JURISDICTION FLAGS: US federal exposure through CFPB is primary. State-level exposure may arise under state unfair and deceptive practices statutes if the scope of credential-based access is not clearly disclosed. New York's NYDFS cybersecurity regulation imposes specific requirements on entities handling sensitive financial data including access credentials.
CONTRACT AND VENDOR IMPLICATIONS: If a third-party account aggregation vendor (such as Plaid or similar) processes bank credentials on Stash's behalf, the vendor agreement should address data minimization, retention limits, access revocation procedures, and alignment with CFPB Section 1033 requirements. Liability allocation for credential-based security incidents should be addressed in vendor contracts.
COMPLIANCE CONSIDERATIONS: Legal and compliance teams should review whether Stash's credential collection and account aggregation practices align with CFPB Section 1033 rulemaking requirements, including consumer disclosure, data minimization, and revocation of access. Security practices for credential storage and transmission should be audited. The policy should clearly explain how long credential-based access persists and how consumers can revoke it.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Stash.