Privacy and Security

Your Security and Fintech Apps

We know how much you value safety, security and transparency when it comes to the use of your data.

Third-party (non-TD) financial technology (fintech) apps and data aggregators may ask you to share information from your digital bank accounts to provide services that may help you manage your money, invest, borrow, and send money.

That’s why we want to help you understand how fintechs and data aggregators use your data and how you can protect yourself.

How fintech apps access your data: APIs vs screen scraping

  • API-based data sharing 

    Many fintech apps use data from financial institutions, like TD, to offer products and services. These apps – or the data aggregators they work with – ask for your permission to access specific digital bank account information.

    After you provide authorization, the fintech app retrieves only the information needed to provide its services, such as balances or transaction details; this is designed to keep you in control of your data.

  • Screen-scraping

    Some fintech apps work with data aggregators who may ask you to provide your online banking credentials directly to them (instead of bringing you to a TD authentication page to login). If you provide a data aggregator with your online banking credentials, they may use a robot or other automated process—known as screen-scraping— to access all your online banking information.

  • API-based data sharing vs screen-scraping

    API-based data sharing lets you share your financial data more safely with third-party apps and services, using API-based connections.

    Screen-scraping relies on you sharing your online banking login credentials with a third party who will then login on your behalf, and will have access to any data available for use.

  • Risks of screen scraping

    When you share your online banking login credentials with data aggregators that leverage the screen scraping technique to share data, you are giving these apps the digital keys to your account; they will be able to see everything you can see when you log in to your online account, which may include your name, address, phone number, account numbers, transactions and other sensitive information. Therefore, TD will not be responsible for any loss, harm, or damage that results from your sharing of your online banking login credentials.

Steps you can take to remain vigilant

  • Questions to ask before using a fintech app 

    • What type of data does the aggregator (or the company used by the data aggregator) collect when accessing my bank account?
    • What security practices are in place to protect my data?
    • Who is responsible for any security/data breaches or unauthorized charges that may occur, and will they be able to reimburse me for losses?

  • Info to look for when you're signing up

    • Familiarize yourself with how collected data will be stored, and for how long before consenting
    • Understand how you can revoke consent
    • Learn how your data will be used and if your data is being sold to, or shared with, additional parties

  • How to monitor your fintech app

    • Monitor your accounts and transactions regularly for any suspicious activity that you did not initiate or authorize
    • Opt-in to receive account and security alerts via text or e-mail on all your TD bank, investment and credit card accounts
    • If you stop using a fintech app or service, change your TD online banking password and disallow the connection by logging in to the fintech app and revoke access to your account(s) before you delete the app
    • For fintech apps connected by API, you can revoke your authorization to share data by logging in to EasyWeb: click here to learn how to revoke authorization for third-party apps with access to your TD account information.

API-based data sharing lets you authorize trusted third-party apps to access specific financial information through protected connections.

These connections do not require you to share your banking credentials. The process enhances your privacy and security while giving you control over who can access your information.

If you provide a fintech with your online banking credentials, it will have access to all of your online banking information. Many aggregators use a robot or other automated process—also known as screen-scraping—to log in as you and collect your financial and personal information. You should check the terms and conditions of the app carefully to determine how they intend to use the data.

While API-based connections help protect your banking credentials and limit access to necessary information, it's important to understand how third-party apps or their data aggregators use and manage your data. Always review the app's terms and privacy policies to ensure they align with your expectations. Additionally, monitor your account activity regularly to stay informed about how your data is being used.

Yes. Providing a fintech app with consent to access your financial information allows the app to retrieve specific data you've approved. While TD provides API-based connections for sharing data, we cannot control how third-party apps, or their data aggregators use or manage your information. It's important to choose apps you trust and regularly review their terms and privacy policies to ensure they align with your expectations.

For apps that access your data via screen scraping, when you share your username and password with these fintech apps, you are giving them the digital keys to your account; they will be able to see everything you can see when you log in to your online account, which may include your name, address, phone number, account numbers, transactions and other information. When you share your information with fintech apps, TD will no longer be able to maintain its privacy and security. We also will not be able to control the purposes for which it is used or with whom it will be shared. Therefore, TD will not be responsible for any harm that results from your use of their services.

You can identify if a third-party app is going to access your data through an API by checking if they ask you to log in to your TD account by redirecting to a TD login page. You can also read the terms and conditions before signing up. 

To verify you are logging in with TD when using a third-party app, check the site's URL located in the address/location bar of your browser and confirm it starts with https://authentication.td.com or https://onlinebanking.tdbank.com. If it doesn't, then you may be interacting with a third party and not TD.

If an app uses an API-based connection, you can revoke access by logging into your TD online banking account linked to the third-party app. From there, navigate to the Manage Linked Services section to review which accounts are shared, adjust permissions, or unlink the third-party app entirely. This ensures you stay in control of your data and can update access as needed. 

Read our tutorial on revoking access for third-party apps on EasyWeb

You can identify if a third-party app is using your credentials to screen scrape your account data by checking if they ask you to log in to your TD account within their own app/website instead of redirecting to a TD login page. 

To verify you are logging in with TD when using a third-party app, check the site's URL located in the address/location bar of your browser and confirm it starts with https://authentication.td.com or https://onlinebanking.tdbank.com. If it doesn't, then you may be interacting with a third party, not TD.

You can also read the terms and conditions before signing up.

If the app uses screen-scraping to share data, you won't be able to revoke access through TD Online Banking. Instead, you can revoke access by changing your EasyWeb password or by doing so directly within the third-party app.

When you link a third-party app to your TD account, only the data needed to provide the app's service is shared. This may include:


Personal and account holder information: Your name, address, email, phone number, and similar details of any other account holders.

Account information: Account names, types, nicknames, and partial account numbers. 

Transaction details: Balances, transaction history, and rewards.

No, only accounts associated with the login credentials you use to authorize the connection can be linked. This ensures you have full control over which accounts are shared and managed through the third-party app.

When using a fintech service, you may be opting to have one or more third parties maintain, use and store your sensitive information, which may include your account numbers, usernames, passwords and other information. If your sensitive information is not properly protected, fraudsters could easily gain access to it and use it to commit fraud against you. This could include accessing your online accounts and moving your money. While aggregating your personal information in a single location may offer potential benefits such as a clearer picture of your overall finances, it also increases fraud and security risk.

Your responsibility when using fintech apps

Understand your responsibilities—as well as the risks—before sharing your sensitive and confidential financial information with third parties.

When using a fintech app, you may be providing your confidential TD username and password directly to third parties over whom TD has no control. Please be aware that the sharing of your TD credentials is contrary to the terms of our TD Online Banking Agreement, and TD will not be responsible for any harm that results from the sharing of your credentials.

Privacy and security resources