JPMorgan Chase moves to block fintechs from screen scraping

JPMorgan Chase plans to block fintechs from screen scraping — obtaining usernames and passwords of customers, logging in as them, and copying and pasting their account information into a database.

Banks have argued for some time that screen scraping is a fraud hazard because it can be hard to distinguish these robo logins from hackers. Some, including PNC Financial Services Group, have recently said they have discovered evidence that fraudsters are taking advantage of third parties' screen-scraping practices. Banks also say they do not want their customers giving out their usernames and passwords to third parties because of the security risk.

“This is the latest phase of our strategy to help protect our customers’ financial data and give them more visibility and control as they use financial apps,” Bill Wallace, head of digital at JPMorgan, said in an emailed statement. “Using a token and our AccountSafe dashboard, our customers will be able to see what information is being shared and manage who they share it with. They won’t have to give out their password and can revoke that access anytime they want.”

The bank shared a screenshot of the AccountSafe dashboard:

Bank of America, Citigroup and Wells Fargo have created similar dashboards.

PNC began blocking screen scrapers a couple of weeks ago. The bank’s head of retail banking and chief customer officer, Karen Larrimer, said in an interview that the bank had begun observing “that certain aggregators were circumventing our security controls and as a result, there was fraud occurring on customers’ accounts.”

The bank added a one-time password — a temporary code sent to the customer’s smartphone — to help prevent fraudsters from taking over accounts. It also began requiring customers to type in their account numbers to access their accounts and created a webpage with instructions for how to do this. Both steps are meant to prevent data aggregators from logging in on behalf of the customer and screen scraping their bank account data.

When Venmo users began complaining that they could not use the mobile payment firm's app, they were instructed to go to Venmo’s website and link to their bank accounts from there.

JPMorgan's method is different. The bank has forged data-sharing agreements with major data aggregators including Plaid, Intuit, Finicity and Envestnet Yodlee. Through these agreements, it shares customer data directly through an application programming interface. The aggregators pass the data along to the fintechs they work with, eliminating the need for the fintechs to obtain customers’ usernames and passwords. JPMorgan is working to migrate these companies to its token-based approach. Plaid works with 3,000 fintechs including Venmo, and Envestnet Yodlee works with 1,200.

Consumer advocacy groups and the Consumer Financial Protection Bureau have endorsed efforts like these to give consumers more control over their financial data.

Some wonder, however, if these data-sharing agreements between the largest banks and data aggregators will leave two kinds of players out in the cold: small banks that lack the resources to write their own APIs (estimates are that it costs around $500,000 to develop an API) and fringe fintechs that do not work with aggregators.