Plaid Technologies' public effort to blame Capital One after a security upgrade blocked the data aggregator from accessing customer data appears to have backfired.
Other data aggregators have distanced themselves from the protest, noting they have been unaffected and even speaking out in defense of Capital One.
“CapOne is a leading bank that is highly concerned about its customers’ data,” said Steve Smith, CEO of the data aggregator Finicity. “If they take steps to secure their customers’ data and other aggregators have continued access to that data, then you have to ask yourself what’s really going on there. Aggregators don’t use the same methodology across the board.”
Other data aggregators that experienced similar problems, meanwhile, have said they have resolved issues with the bank. FormFree, which provides mortgage lenders with verification of asset reports that are used as an alternative to borrowers supplying paper or PDF bank statements, alerted users on July 5 it “suspended data feeds from Capital One in response to a data disruption.” The company sent out a note stating the problem will be fixed on Tuesday.
That has left Plaid increasingly isolated since it unexpectedly launched a social media campaign against Capital One in late June in the name of information sharing, urging its customers to fight back on Twitter. Plaid encouraged customers to file complaints to the Consumer Financial Protection Bureau, and then went silent. The aggregator did not comment for this article.
Capital One has maintained that the problems came after a security upgrade. If Plaid failed to comply with new standards, it would create an authentication issue, causing an automatic blockage.
“We will not compromise on security and expect all parties to protect customer data to the same standards that we do,” a Capital One spokesman said.
Far from joining an uprising against Capital One, however, other data aggregators have suggested Plaid erred in its approach to the situation. Brandon Dewitt, co-founder and chief technology of MX, said that if his firm had been cut off by a partner, addressing that issue would start with a phone call. In the worst case scenario, MX executives would “sit down in a conference room together and hammer out any gaps or holes that are present.”
“It’s a super-small community,” he said. “It’s not like there’s 200,000 players you’d have to reach out to. There are a handful of people that are assisting in the committees that are working on governance and security.”
Some suggest the incident points to the need for solving a larger issue: producing one standard for handling data across the whole U.S. financial services industry. In May, three leading data aggregators — Envestnet’s Yodlee, Quovo and Morningstar's ByAllAccounts — united behind a data-sharing framework proposal.
“The system we have currently with bilateral agreements is not sustainable, with uneven consequences for which third parties or financial institutions they use,” said Steven Boms, president of Allon Advocacy and a member of the Consumer Financial Data Rights group.
While there are also efforts to pass a national standard via legislation, it's an uphill battle. Holding out for the equivalent of Europe's General Data Protection Regulation, which required open banking, isn't practical, observers said.
“We have a really unique framework: seven federal regulators and 50 state regulators,” Boms said. “It’s not realistic that there’s going to be some clear prescriptive regulatory actions that mandate a move towards open banking.”
While a common standard for access to data may be a few years down the road, Dewitt hopes to see data sharing protocols to standardize between institutions.
"It’s not necessary we have the same protocol, but it is necessary we have the same governance,” he said. “Fewer than five protocols are going to be out there when we talk about the vast majority of the American public. It will be something that absolutely any organization can go about implementing.”
Finicity’s Smith, whose company has developed more than 16,000 API integrations with financial institutions, said he's confident any aggregator can exist in the current ecosystem. In early July, Finicity became the first data aggregator to sign a data exchange agreement with USAA.
“I go through a very rigorous info security review with each bank,” Smith said. “They come in and review everything top to bottom for our organization. … There has to be a way of ensuring performance in info security. Everybody gets up and starts waving their arms about data access, but the minute there's a major breach, everybody's crying foul.”