Why do banking websites always log you out after inactivity?

It's for your security. This way people can't accidentally stay logged into their account, where anyone with access to your computer would have full access to your bank account.

This way thieves don't have the motivation to break into your house and steal your computer, not just for the value of the computer but potentially to get access to your life's savings and use it to purchase items, transfer funds out of the country, etc. (Yes, they could break in, install keyloggers, and potentially do the same attack.)

Power Gmail users will check their email accounts hundreds of times a day; having to log in again every time would be overly burdensome. Your bank account you only need to log in to rarely; maybe for 10 minutes once a week or month.

The potential repercussions of a stolen bank account are typically more severe to the average user than the repercussions of having your email account stolen.

Not to say that losing your email account can't have severe repercussions as well (especially if you can use your email to reset passwords, use it as part of 2-factor authentication, use it for social engineering, etc.).


If your bank issues credit cards, it must maintain PCI-DSS compliance.

PCI-DSS requirement 8.1.8 states:

8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
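As an added illustration (not code from any answer above), here is a minimal server-side session store in Python that enforces the 15-minute idle limit from requirement 8.1.8, plus an assumed absolute lifetime so that a session cannot be kept alive forever by activity; the injectable clock is only there so the behaviour can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60       # idle limit from PCI DSS 8.1.8
ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600  # assumed hard cap, regardless of activity


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory session table enforcing idle and absolute timeouts."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        # Unguessable token: the cookie value is the only key to the session.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid: str) -> Optional[str]:
        """Return the user of a live session and refresh its idle timer,
        or drop the session and return None if it is unknown or timed out."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess.last_seen > IDLE_TIMEOUT_SECONDS
                or now - sess.created_at > ABSOLUTE_TIMEOUT_SECONDS):
            del self._sessions[sid]  # force the user to re-authenticate
            return None
        sess.last_seen = now         # activity resets only the idle window
        return sess.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```

Each request would call `validate` with the session cookie and redirect to the login page on `None`; the absolute cap is the part 8.1.8 does not mandate, so treat its value as a policy choice.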


In addition to the above answers, it's also to prevent people hopping onto your computer if you're away from your machine.

For example, if Bob signs into his online banking at his workplace, then decides to grab a coffee without locking his workstation first, anyone could walk past and jump straight into his bank account.

With the X-minute expiration/log out, this problem is greatly reduced if Bob gets distracted with other tasks.