The nation’s banks are locked in a bitter fight with upstart technology companies over the control of their customers’ financial data — and the consumers whose personal information is at stake are mostly spectators.
JPMorgan Chase, PNC and other major lenders are threatening to limit the access of middlemen that are hired by financial apps like Venmo and Betterment to grab customers’ account information from the banks’ websites. The banks warn that financial information is less secure in the hands of these data aggregators, a worry shared by federal investigators, and that there are few controls over the sale of the information to third parties like hedge funds.
For their part, financial technology companies argue that giving banks a tight grip over the flow of information will allow the big lenders to snuff out new competitors and make it harder for customers to compare rates and prices for different services.
The ability to maintain access to that data is so valuable that the powerful middlemen, which work on behalf of thousands of financial apps, are doing something that companies almost never do: asking the government for more oversight to prove that they are responsible handlers of sensitive data.
“Data is the new oil,” said Linda Jeng, a senior fellow at the Georgetown Institute of International Economic Law and a former Federal Reserve official. “If you have access to data, then you have the ingredients to build better services.”
The conflict is part of the existential challenge that the fintech upstarts are posing to banks and their record profits as they increase the speed and convenience of transferring money or getting mortgages approved. Much of the battle is over information, and it has escalated in the absence of government rules, like those in the European Union, establishing that customers themselves control their own personal data.
The dispute, brewing for some time, is now spilling out in the open. JPMorgan Chase is making moves to cut off the ability of data aggregators to obtain customer data without the bank’s consent.
The middlemen — called “screen-scrapers” because of the way they get the data — include Plaid and Yodlee, which most payment app users might not even know exist. They use a consumer’s bank username and password to pull account information, a right that people sign over to the digital payments companies when they do business with them, giving the aggregators the ability to grab more data whenever they like.
The aggregators have access to any data that the customer can see when they log on to their bank’s website — account balances, transaction data, mortgage information.
JPMorgan wants to require companies to negotiate a standardized set of data fields that they can request. In December, it reached a deal with Yodlee to that end and has previously struck agreements with other aggregators. “We want to protect our customers’ financial data while giving them more visibility and control when using the financial apps,” said Paul LaRusso, managing director of digital platforms at JPMorgan Chase.
Meanwhile, PNC has already started restricting the information that aggregators like Plaid can get using customer-provided login information.
“PNC’s goal is to accommodate our customers’ choice to connect to the fintech apps they want to use while also ensuring that those connections are made safely and securely,” said Karen Larrimer, PNC’s head of retail banking.
“Based on a recent increase in fraud, where we were able to trace back a connection to fintech apps powered by data aggregators, PNC is requiring additional security steps,” she added, which might force customers to provide information directly to some apps.
The Pittsburgh-based bank, in tweets in October, encouraged customers who had been cut off from Venmo to instead use Zelle, a Venmo competitor owned by multiple banks — including PNC.
Aggregators, in an effort to increase their leverage in the tug of war with banks, are asking the Consumer Financial Protection Bureau to step in and supervise their operations to certify that they’re using data appropriately; right now, the data held by aggregators are subject to few privacy-related restrictions. That has given them the opening to sell the information to third parties, fueling more calls that they be reined in.
Yodlee in particular has been under fire from lawmakers like Sen. Ron Wyden (D-Ore.) for not adequately notifying consumers that it’s selling their information to third parties. The company, owned by Envestnet, says individual customers cannot be identified within the aggregated data it sells.
Plaid says it does not sell customer data.
“One of the key tenets of an open finance ecosystem is oversight of all participants,” said Steve Boms, executive director of FDATA North America, which represents aggregators that provide services for roughly 100 million consumers and small businesses. “At a minimum, oversight of these third parties [by the CFPB] we think would be a key foundational element of open banking,” or financial data sharing.
In exchange for more oversight, aggregators can be trusted with a broad scope of data, Boms said.
Other major aggregators include Intuit, which uses screen scraping for internal products like TurboTax and Mint, and MX, which also allows fintech apps to hook into data from multiple aggregators.
In other jurisdictions like the EU, government policy around open banking is much more settled. Experts say the U.S. is kind of a Wild West, where it has been up to the companies involved to determine how to handle the data.
“We think bank account data can be used for helpful purposes and want to see safe methods of sharing that data,” said Lauren Saunders, associate director at the National Consumer Law Center. “But we are concerned about overbroad uses of consumer data and security issues.”
Bank regulators like the Office of the Comptroller of the Currency don’t have the same ability to oversee aggregators as they would over companies specifically contracted by banks to perform an outside function because the banks usually don’t have a formal relationship with those aggregators.
But there’s a legal gray area as banks have a responsibility to protect their customers’ data and may worry about liability in case a customer’s bank account information is stolen from an aggregator.
“It’s not clear who would be responsible for making the customer whole,” said Jeng, the former Fed official. “It should be the data aggregator that suffered the breach, but they are not required by law to provide financial remedies and may not have the resources to do so either.”
Ken Blanco, the director of the Financial Crimes Enforcement Network, a bureau of the Treasury, underscored the danger in a September speech.
“FinCEN has also seen a high amount of fraud … enabled through the use of synthetic identities and through account takeovers via fintech platforms,” Blanco said. “In some cases, cybercriminals appear to be using fintech data aggregators and integrators to facilitate account takeovers and fraudulent wires.”
“By using stolen data to create fraudulent accounts on fintech platforms, cybercriminals are able to exploit the platforms’ integration with various financial services to initiate seemingly legitimate financial activity,” he added.
The CFPB has not made a move to further regulate this area since putting out a basic set of principles in 2017, although the agency will hold a Feb. 26 symposium on “Consumer Access to Financial Records.” Regardless, even the CFPB might have limited authority to put in place sweeping rules on data privacy in the absence of more guidance from Congress.
A large private-sector development could shake up the competitive dynamics of the fight: Visa’s pending acquisition of Plaid for $5.3 billion, a move that would give the payment card company an even heftier chunk of data. Under the terms of the deal, Plaid is supposed to operate independently within Visa.
For now, both sides have been tussling behind the scenes; occasionally banks will break aggregators’ connections, disrupting customer access to associated apps.
“Banks monitor the traffic and the screen scraping that’s occurring,” said Heather Hogsett, senior vice president for technology and risk strategy at the Bank Policy Institute, a trade group for large lenders. “Sometimes, if the source can’t be identified or if it looks like a malicious actor or cyberattack, they will cut it off to protect their customers.”
In an effort to resolve the disagreements, a wide range of financial industry participants have formed a group called Financial Data Exchange. Its aim is to negotiate “application programming interfaces” — a standardized set of data fields for a given purpose — so that apps would no longer need to ask customers for their login information and aggregators would no longer need to “scrape” the information from an account.
The Clearing House, a payments company owned by big banks, has also put out a model agreement that the industry can use to reach data-sharing agreements.
But it could take a long time for the entire financial industry to reach a point where APIs are so widespread that screen scraping is obsolete.
“We all realize this is the future,” said Don Cardinal, managing director at FDX. But “if we rush to an artificial deadline, when you’re dealing with people’s data and privacy, that’s usually not a good combination.”