
Hoots : Should I provide my username and password for my brokerage account to my mortgage lender to verify my assets? I’m applying for a mortgage, and found a potential lender from a referral from my real estate agent. The initial - freshhoot.com


Should I provide my username and password for my brokerage account to my mortgage lender to verify my assets?
I’m applying for a mortgage, and found a potential lender from a referral from my real estate agent. The initial application process seemed normal and very similar to what I’ve experienced with other banks. I expected to verify my assets by providing documentation such as account statements, but was instead asked to link my bank accounts with them using a third party website (the domain name is finicity.com, so I’m fairly sure it’s this).

The lender set my expectations with this via email:

What we don't do:

- We don't ever see or have access to your login information.
- We don't use your information for any other reason than to process your loan.
- We don't have access to take any actions in your accounts - we access read-only information, just like the documents you'd otherwise have to send.

I have a checking account with Chase and linking the account with the lender was done by redirecting to Chase.com (where my password manager automatically filled in my username and password) and enabling some permissions. Chase sent me an email and the lender appears as a linked application. This strikes me as entirely legitimate.

However, I have a brokerage account with Vanguard, and the service is asking for my username and password. I am VERY uncomfortable with this.

Is this a reasonable request nowadays? Or should I push back and insist on verifying my assets with account statements?



7 Comments


If you trust the site that is requesting it, then it's probably fine. Unfortunately it's becoming commonplace now for various applications to legitimately ask you to login with your username and password into third party applications. One obvious example is accounting software, which can request and store your credentials for all of your banks so that it can sync your accounts automatically. This is a great convenience, but you must trust that the mechanism and location used to store your credentials is secure. When websites request your credentials for third party applications, typically they don't need to store your credentials for future use, but you'll have to take their word for it that they aren't storing it, or again if they are storing that they are using a mechanism and location that is secure. Even well-intentioned sites that use standard best practices for their storage of user credentials are still vulnerable to attack, both from external sources or possibly even rogue internal employees.

The main downside to this trend is we can no longer preach the absolute rule that no one should ever ask for your password. Now we all have to make decisions about who is legit and who might be trying to scam us. As soon as people are forced to make decisions, mistakes will inevitably be made.

There are however simple counter measures we can take, at least to stay safe when using the one-time request for passwords such as the scenario in this question of verifying a single bank statement. Either of these will suffice:

- Before providing your username and password to a third party application, change your password. Once the application is finished with it, change your password back to one you like.
- (Better) After giving your password out to someone you don't want to know it long term, change it shortly after to a new random password.

I strongly encourage everyone to use a password manager, and with few exceptions even you don't need to remember your passwords. Let them all be long, complex, and random, and you can change them anytime you wish without having to worry about remembering a new one. Just make sure that you store your encrypted master password file in a place you can access from anywhere. For example, I store mine (KeePass) in a cloud (Google Drive) account, and I have cached copies of it on my phone and all my laptops in case I'm not online when I need it. (Though it's extremely rare that you would need it when you aren't online!) Once you have this you only need to actually remember two passwords: the login to your cloud storage account, and the long and complex password to your master password file. Another nice thing about this is you don't have to remember your usernames either, and you can even put unique bogus answers in for your security answers, as long as you record them in your password file. One time someone kept trying to login to my Bank of America account and locked me out multiple times. I simply changed my username to something no one else would try (and I actually don't remember what it is, nor do I have to) and it never happened again.



No, this is terrible security practice. But it is surprisingly common among banks, see e.g., this related question.

Your decision here is going to come down to how much you trust Finicity to do what they say. (I did once with a similar site, not long ago, and it hasn't come back to get me.)

But again, this is terrible security practice, and the companies shouldn't be doing it.

EDIT: This is the analogy that comes to mind: it's like teaching children to play a game where you try to find a hidden gun and then play Russian roulette with it when you do. Even if it's not guaranteed death, it's still inculcating atrocious and dangerous habits in users. The user who types their credentials into Finicity is more likely to type them in for the next phishing email they receive.



Basically, it comes down to this.

Sites that provide ways to access the needed information, such as Chase, will allow services such as Finicity to follow something called an "implicit grant" resource access pattern. They make a request to Chase for some info, Chase asks you to login and (then probably) give permission. In such a case, Finicity never sees your login info at all.

It looks like Vanguard doesn't have that kind of service, so Finicity has to resort to something called the "ROPC" pattern (in other words, the "password" pattern). This involves getting your login info and logging in on their end.

EDIT: ROPC implies granting limited access, through the username/password and a client/application id. If Vanguard doesn't have that sort of service (and there's no reason to expect them to), then this is likely just a password login, in which they load some screens and scrape the data from them. In this direct login case, the scope of what they can do programmatically increases, but I don't think it particularly increases the danger. The worst case is still the same and it still requires a bad actor.

If they're following best practices, they'll never log any of your info and clear it immediately after gaining the access that they need. No dev or observer should ever see your info.
But there is no way to guarantee that they follow best practices.

If you don't trust them, there should be no issues with providing the info to the lender in another manner. They may say no, in which case you'll have to decide if you wish to trust them or not.

The changing your password part is a good idea if you do decide to submit your info to them, but note that if you do it too soon, it may invalidate the login and you'll have to do the process all over again.

Worst case scenarios:

- Scam site. Likely? I didn't look at them, but if required by your bank, probably not.
- Poor logging or caching practices. Certainly possible, but not an issue unless someone internal decides they want to retire in the Bahamas, or their logs leak somewhere.

Likely business usecase:
The program logs in, gets the info it needs, then clears the login info.



No.
Do not provide YOUR login to ANYone, not even your dog.
Broker statements are sufficient proof of your holdings, as they would contain your ID as well.
Any settlements or transfers between your brokerage account & bank account could be additional proof when reconciled with your bank statements.



The interaction you described is a common and routine part of Internet applications today, but it can sometimes be challenging for non-technical users to figure out what's going on. In simple terms, here's what happens:

An information provider (Google, Facebook, Twitter, your bank) includes a mechanism in its software for third parties to perform some sort of operations, such as seeing your list of friends or your account balances. This mechanism is called an API.
To use the API to access your information, the other site (the mortgage lender here) has to get your permission. The way that this happens is that it sends your browser to the hosting site (Chase) with a request for permission. Chase verifies your identity (usually through a normal login), asks you if you want to allow the access, and then sends you back to where you started with a token that the mortgage lender can use to make API requests.
The mortgage lender then uses the API that Chase published, along with the token you authorized, to retrieve your balances.
Whenever you like, you can go to a site that has issued a token for you and review or cancel the permissions. Here are the management links for a Google Account, Facebook, and Twitter.

It's likely that you use this kind of access all the time without recognizing it; for example, I log into about 20 different sites for work using a Google Account associated with a company, and I even use my personal Gmail account to log in to this site! Any time you use a link that says "Log in with ...", this is what's happening. (Next time, you might notice that when logging in to a new site you see something like "This site will be able to see your name and e-mail address.")

The most important practical question is the one that is the foundation of your post here: How do I know that I'm really on my bank's Web site? This is the same as any other time that you're logging in. In fact, if you were already logged in, most sites won't ask you to re-authenticate if there's a token request. (Your bank might anyway because of the sensitivity and rarity of the request.) There have been tons of electrons spilled over this, but the best way is to use a password manager that auto-detects the site, which is exactly what you're already doing. (In fact, one of the reasons to use a popup for something like this is specifically so that a password manager will more reliably detect the true site address.)

In the case of the Vanguard prompt that you showed, if this is on the lender's site, then something is in fact fishy. I know of some legitimate sites that do this because SomeBankCo doesn't provide an API; Mint did this for years before it became common. (I'd still steer clear personally, though.) However, the lender's statement that they don't see your login credentials means that you should absolutely expect them not to ask for them. If the screenshot you showed is from Vanguard's site (it doesn't look like it), then all would be okay, but the combination of the lender's assurance and the fourth-party prompt would send me back to paper (and complaining loudly to the lender).
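The two access patterns contrasted in this answer and in the earlier "implicit grant" versus "ROPC" answer, modelled as a toy simulation. This is an added example, not code from Finicity, Chase, Vanguard or the answerers: a constructed bank that mints scoped tokens when the user logs in on its own site, a third party that holds either such a token or the raw password, and the differing consequences for what it can do, what a revocation achieves, and what a later password rotation achieves. The scope names, the `Bank` class and the flat 100 transfer amount are all assumptions made for the example.

```python
import hmac
import secrets

class Bank:
    """Simulated bank; constructed for this example, not any real institution's code."""
    def __init__(self, user, password, balance):
        self.users, self.balances, self.tokens = {user: password}, {user: balance}, {}

    def authorize(self, user, password, scopes):
        """Redirect-style grant: user logs in at the bank, which mints a token limited to scopes."""
        if not hmac.compare_digest(self.users.get(user, ""), password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, frozenset(scopes))
        return token

    def api(self, token, action):
        """Read-only 'balance' or money-moving 'transfer'; each needs its own scope."""
        user, scopes = self.tokens.get(token, (None, frozenset()))
        if action not in scopes:
            raise PermissionError(f"token lacks scope {action}")
        if action == "transfer":
            self.balances[user] -= 100
        return self.balances[user]

    def revoke(self, token):
        self.tokens.pop(token, None)      # the "review or cancel the permissions" link

def _allowed(fn, *args):
    try:                                  # True if the bank accepts the call
        fn(*args)
        return True
    except PermissionError:
        return False

def token_flow(bank, user, password):
    """Chase case: the third party holds only a read-only token."""
    token = bank.authorize(user, password, ["balance"])   # credentials stay at the bank
    balance = bank.api(token, "balance")
    can_move_money = _allowed(bank.api, token, "transfer")
    bank.revoke(token)                                    # user cancels the grant
    return {"balance": balance, "can_move_money": can_move_money,
            "reads_after_revoke": _allowed(bank.api, token, "balance")}

def password_flow(bank, user, password):
    """Vanguard case: third party logs in with the password itself; only rotating it shuts it out."""
    token = bank.authorize(user, password, ["balance", "transfer"])   # full session
    balance = bank.api(token, "balance")
    can_move_money = _allowed(bank.api, token, "transfer")
    bank.users[user] = "rotated-password"                  # user changes the password
    return {"balance": balance, "can_move_money": can_move_money,
            "relogin_with_old_password": _allowed(bank.authorize, user, password, ["balance"])}
```

Note that in `password_flow` the session the third party already opened stays valid after the rotation; only a fresh login with the old password fails, which is the timing caveat the earlier answer raises about changing the password too soon.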



I am not going to answer based on the technology. Other answers have focused on that.

Instead I am going to focus on what information you have to provide. You only need to establish that you have the income to service the debt, that your required monthly payments are manageable and you have the money in cash or near cash to pay the down payment and the closing costs.

If you have money in a 401(k) or IRA, the lender doesn't need that information to make a loan decision, unless you are using those funds for the down payment. If you have money in a taxable investment account, and aren't using it for the down payment they don't need to know the balance.

Again if the money in that account is not a source for the amount you are putting down, then they don't need to know. This will limit your exposure. It also prevents you from having to provide full login information when a financial institution doesn't have a way of granting read only access of the value, if that account is not relevant to your loan approval.



If more than one person knows something, it isn't a secret.

There is no legitimate circumstance under which you should provide your personal password to anyone. Ever.

Anyone that asks for your password is either scamming you or incompetent.

(This answer is completely independent of the "mortgage lender" in the question. It applies to everyone in all situations.)

EDIT:

"milk" points out that "redirecting to Chase.com (where my password manager automatically filled in my username and password)" could mean that they aren't directly asking you for your password.

Instead, they are asking you to simply prove that you can sign onto your other account to confirm who you are.
This means that the requesting site will not see your password and cannot claim to be you.

In addition to your personally verifying that the information is going to the correct site, knowing that your browser trusted it enough to automatically supply your password is a good indication that the other site isn't spying.

So, what I said above is true in general, but in this case you would be using your password to sign into your account; the other company would not be able to see it. The login simply establishes an identification of you between the two companies.

- Brokerage to Mortgage: Confirm identity of person X: ask them to login.
- Mortgage to person X: Please login.
- Mortgage to Brokerage: From now on, when you talk about person X, we'll know who you mean.

It should be safe for you to go ahead.

