Several large U.S. banks have recently revamped and tightened their third-party data sharing practices, affecting the way some fintechs conduct business with their customers, and several industry experts say the trend is expected to grow in 2020.
A recent security upgrade at Pittsburgh-based PNC Financial Services Group kept data aggregators from gaining access to customers' account numbers and routing numbers last fall, and last week JPMorgan Chase announced it will ban third-party apps from accessing customer passwords. The U.S.'s largest bank said it plans to issue tokens for access to a limited amount of data in a secure form.
"As more banks begin to announce improved security practices, we can expect to see a snowball effect," Ray Walsh, a digital privacy expert at ProPrivacy.com, told Banking Dive. "Competing services that exploit account numbers and other sensitive customer data have created a new understanding among banks that the unmanaged dissemination of customer data may actually pose a risk to their bottom line."
More banks follow suit with their own heightened levels of security, Walsh said.
"Due to the evolving nature of privacy legislation and increasing fines for data mismanagement, the banking industry is beginning to take data privacy much more seriously," he said. "This will improve privacy and security levels for consumers, which is highly positive. However, it may also be exploited by banks to restrict the number of services consumers can freely attach their account to, perhaps forcing consumers to use similar native services provided by their bank instead."
When PNC's security upgrade prevented customers from connecting their bank accounts to the peer-to-peer (P2P) payment platform Venmo, some customers were annoyed with PNC's directive to use Zelle instead. Zelle is owned by a consortium of the nation's largest banks, including PNC.
PayPal, which owns Venmo, suggested the bank was limiting customer choice and took to Twitter to suggest users voice their complaints by tweeting: "Hey @PNCBank…Let me use the financial service apps I need!"
In an interview with the Financial Brand, Karen Larrimer, PNC's head of retail banking and chief customer officer, downplayed reports that the bank was purposely blocking apps such as Venmo in favor of Zelle.
"We want customers to be able to use whatever fintech app they want to use," she said. "And we want to enable that. So that's not what this is about. What we are really looking to do at PNC is protect the security of our customer accounts and nothing more."
Security and revenue
JPMorgan Chase has called the decision to eradicate password-based access by third-party apps a security issue. CEO Jamie Dimon has warned about the risks of data sharing for years.
"Many third parties sell or trade information in a way customers may not understand, and the third parties, quite often, are doing it for their own economic benefit — not for the customer's," he wrote in a 2016 letter to shareholders. "Often, this is being done on a daily basis for years after the customer signed up for the services, which they may no longer be using."
Mark Flamme, head of digital for financial services at consulting firm AlixPartners, told Banking Dive he expects to see banks continue to clamp down on access to their data, a trend that is likely to accelerate in 2020 for several reasons.
"Banks have begun to embrace [application programming interfaces] to enable access to their data, which allows them to control the data shared, charge for certain types of data access, and offer better protection to the data by ensuring minimum security standards," he said. "In a continued low interest rate environment, the monetization of data and data access is an attractive revenue stream opportunity for banks."
A regulatory push for data security and privacy, coupled with continued public scrutiny of how big tech companies misuse personal information, suggests likely support from agencies and individuals for banks to tighten data access, Flamme said.
Regulators and lawmakers have put Facebook under a microscope in recent years. The social network's poor track record of handling user data took center stage during a Senate Banking Committee hearing in July, where lawmakers grilled the company over its cryptocurrency ambitions.
Legacy at stake
Sam Maule, managing partner for North America at fintech consultancy 11:FS, told Banking Dive he expects to see other financial institutions follow JPMorgan Chase's lead and implement their own tokenized password systems for fintechs.
"Instead of having a million different access points, [Chase] is shifting that risk to one or two," he said. "If I'm a fintech company and I want to have access to customers' details at Chase, I'm using Plaid or Yodlee and the token that Plaid or Yodlee is managing for me, so that they're narrowing that risk down. It's not a terrible move. It's definitely an interesting one.”
Aggregator Yodlee was the first company to agree to use tokens for all of its interactions with Chase, and Plaid has signed up to start using tokens, according to the Financial Times.
As more banks partner with third-party providers, John Mitchell, CEO of financial technology provider Episode Six, told Banking Dive he expects to see a continued push to maintain and own the customer's underlying data.
"Banks will push to maintain status as the primary source of value with customer relationships," he said, adding that banks stand to lose their legacy relationships with customers in the event that a third-party provider is compromised. "Overall, as bank tech catches up to fintechs and as they continue to focus on building innovative solutions for their customers, these decisions may become more common."