[Edited 2019/09/02 to link to a Reuters article that further corrobates my position]

Mint and Personal Capital are both services that can link to your online accounts to track your spending and net worth. To accomplish this, you must provide Mint and Personal Capital the username and password to your bank accounts.

Some Banks Will Tell You You're Liable for Fraud

Some banks will state in their online services agreement that you are liable for fraudulent transactions on your account if you reveal your username and password to a third party. For example, Chase says

If you disclose your Card numbers, account numbers, PINs, User IDs, and/or Passwords to any person(s) or entity, you assume all risks and losses associated with such disclosure. If you permit any other person(s) or entity, including any data aggregation service providers, to use the Online Service or to access or use your Card numbers, account numbers, PINs, User IDs, Passwords, or other means to access your accounts, you are responsible for any transactions and activities performed from your accounts and for any use of your personal and account information by such person(s) or entity.

[Emphasis added]

Federal Reserve Regulations Say These Banks are Wrong

Federal Reserve regulation E prevents banks from increasing consumers' liability for fraudulent transactions even in the case of consumer negligence.

  1. Consumer negligence. Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible under Regulation E. Thus, consumer behavior that may constitute negligence under state law, such as writing the PIN on a debit card or on a piece of paper kept with the card, does not affect the consumer's liability for unauthorized transfers. (However, refer to comment 2(m)-2 regarding termination of the authority of given by the consumer to another person.)

Any institution can write whatever they want into their terms of service, but it doesn't mean it's actually enforceable.

For further corroboration, a Reuters article confirms this[1]

The rules say that customers’ negligence - such as writing a PIN on a debit card - does not increase their liability.
A customer would be on the hook for unauthorized transactions if she gives her card or credentials “and grants authority to make transfers to a person (such as a family member or co-worker) who exceeds the authority given,” the rules say. Customers are fully liable for the transfers until they notify the financial institution that the person is no longer authorized to use the account.
That is the passage that Chase and other banks point to when warning people they may be liable if they share credentials with a third party.
But Lauren Saunders, associate director and managing attorney of the National Consumer Law Center, calls the banks’ position “ridiculous.” Sites such as Mint collect data about transactions but typically are not authorized to make transactions, said Saunders.


  1. Reuters ↩︎