Vancity Terms & Conditions: something to consider before linking your Vancity accounts to YNAB (or any other third-party budgeting app)
Hello fellow YNAB users who have accounts with Vancity,
I was about to send a request to YNAB to troubleshoot linking my Vancity accounts, when I came across this discussion in another forum: Canada calls screen scraping ‘unsecure,’ sets Open Banking target for 2023
A quick scroll revealed this very interesting tidbit of information: "...The TOS of your online banking probably says that if you disclose your username and password to any third party then you have no liability protections."
So, out of curiosity, I checked Vancity's Account and Services Guide, and sure enough... section 3.13 reads:
(c) it is your choice whether or not to use Third Party services, and if you choose to use such services, you assume all risks associated with accessing or using the services, including all risks and liabilities arising from any collection, use, or disclosure of your personal information or arising from any unauthorized access to or use of your Account.
In other words: heaven forbid there's a security breach with Plaid (or any other third-party that is used to link your account to YNAB or other similar services). If money is stolen from your account as a result from that breach, you're on your own. This also applies to other financial institutions.
Plaid themselves state the following through their site:
"Alternatively, in some circumstances, we may ask you to provide your login details to access your account information from your payment account [that's the case with Vancity], and we will then use those details to directly access and retrieve information from your payment account provider."
So check your bank's legal agreement before linking your bank accounts, and assess how comfortable you are with that risk.
And keep in mind that Plaid is not a Canadian company. As far as I know, your data is not stored in Canada, meaning that you're not protected by Canada's privacy laws.
Given all this -- especially the bit about liability coverage-- I'll just stick with file imports. It's a pain in the neck, sure... but, personally, I find the risks far outweigh the convenience.
Thanks for sharing what you've found at your bank!
I'm hopeful that with Open Banking being the future, banks will have sorted out how to provide view-only access instead of other types of access. You might find banks with OAuth connections, for example, to not have these type of terms.
While you're digging in, you can find YNAB's security policy here.