[phoenixy1]

This is a common belief, but the CFPB has stated your bank is still legally required to make you whole in the event of fraud even if you handed over your username and password to a third party, and that any bank TOS stating otherwise are not valid. This is covered on the CFPB Electronic Fund Transfers FAQ, under the Error Resolution: Unauthorized EFTs, Question 8: https://www.consumerfinance.gov/compliance/compliance-resour...

[lxgr]

In Germany, there was a similar antitrust-based ruling, but it even went further: They disallowed banks to block screen scraping services, as they considered the existence of screen-scraping-based confirmed instant bank transfers a valuable competitor to the (bank-led) card payment schemes.

In retrospect, they were maybe right on the competitive part, but the data privacy impact was disastrous.

[gavinsyancey]

Sure, but if my bank's ToS says it's not their responsibility then their customer service agents will probably say the same thing, and it's going to be a lot harder to get them to take responsibility even if they are legally required to. But thanks for the info; that's good to know.