Long-simmering tensions between the financial industry and Silicon Valley startups are erupting behind-the-scenes into a battle over the reams of valuable data held inside Americans’ bank accounts. In recent months, major banks including J.P. Morgan and Capital One have led the industry into a fresh campaign to control how outsiders tap into sensitive customer information. The lenders say their highest priority is protecting consumers.
Yet, executives at a number of Silicon Valley ventures say they’ve been threatened by banks with being blacklisted if they don’t agree to strict new terms. They claim consumers are being constrained in using their own data to better manage their money.
“Giving consumers the ability to safely permission their data so they can use these services isn’t just a nice to have, it’s an imperative,” said Sima Gandhi, head of business development and strategy at Plaid Technologies Inc., which gathers data from banks on behalf of apps.
The fight has implications for thousands of so-called fintech startups aiming to disrupt parts of the traditional financial world. The competition is fierce. There are almost 2,300 fintech apps in the U.S., offering help with budgeting, investing and payments, according to market research firm Venture Scanner. Many rely on access to users’ bank records. Getting locked out can kill their business.
Financial firms have long warned that not all apps are trustworthy: They may collect more data than they need, store it insecurely or sell it to third parties. Even worse, banks fret about what would happen if an app were hacked, exposing account numbers and passwords and opening the way for looting. Banks argue apps would be liable, but they may not have the cash to make victims whole.
The solution proposed by a growing number of banks is to use APIs, which restrict how much and how often apps can tap information, while also setting contractual limits on what they can do with it later. Some apps are signing up, but others are objecting. They complain about APIs that offer too little, too slowly. And they argue that customers — not banks — are the rightful owners of financial data and can decide how to share. Some apps that balk instead try to mask their IP addresses, engaging in a digital game of cat and mouse with banks.
To access account records directly, apps typically start by asking customers for their bank username and password. They then log on and gather information through a process known as screen scraping. Banks say that strains their systems, often amounting to more than half the traffic on their websites. Consumer advocates laud apps that help people save money, manage budgets and avoid unfair fees. But those focused on privacy still tend to side with the banks, worried that apps might abuse or lose people’s most valuable data.