Is a new data war about to erupt?
Just when it looked like banks, fintechs and data aggregators had reached a truce over the sharing of customer data, a new spat is threatening to resurrect points of contention.
Some PNC customers that use Venmo have been complaining on Twitter that their use of the person-to-person payment app has been blocked by their bank.
Yet PNC, PayPal and Plaid, PayPal's data aggregator, have very different stories about why this is happening.
Following is a look at who is saying what, and what it could mean for the larger debate.
PNC says it has seen fraud related to some data aggregators
In PNC's view, the issue relates to attempted fraud connected with data aggregators.
“A number of months ago we started to see that certain aggregators were circumventing our security controls and as a result, there was fraud occurring on customers’ accounts,” said Karen Larrimer, executive vice president, head of retail banking and chief customer officer of PNC Financial Services Group.
Larrimer declined to share what the nature of the fraudulent activity was but clarified that the aggregators were not engaging in fraud themselves, but allowing an access point for fraudsters.
The bank added a one-time password — a temporary code sent to the customer’s smartphone — to help prevent fraudsters from committing account takeover. It also began requiring customers to type in their account number to access their account and created a web page with instructions for how to do this.
Both steps prevent data aggregators from logging in on behalf of the customer and screen scraping their bank account data.
Larrimer acknowledged that this has blocked some Venmo users from making payments.
“We're sensitive to anytime you disrupt the consumer in a process and we know we want to make things as easy as possible, but we feel that that protection is more important than adding an extra step into a process that may slow somebody down,” she said. “It's more important to secure them and maybe cause a moment or two or frustration than it is to enable something that isn't secure online.”
Some see darker motivations
The dispute, however, has not stopped some from suggesting PNC has ulterior motives for interfering with the workings of Venmo. PayPal, Venmo's parent company, declined a request to discuss the situation, but directed American Banker to an article that suggested PNC is trying to get customers to switch from Venmo to Zelle.
PNC's Larrimer vehemently denies this.
“Unfortunately, that is the spin some articles have taken and it is absolutely not true from PNC's perspective,” Larrimer said. “Some publications picked up one of our tweet sessions and the rep on the other side after the end, after troubleshooting with the customer, mentioned Zelle as another alternative. It is absolutely not our intent in any way, shape or form to use this as a way to promote Zelle.”
Larrimer said the bank has no problems with PayPal nor with the Venmo app.
“Venmo is not really an issue, we have a good relationship with PayPal and we're helping consumers get connected through Venmo,” Larrimer said.
Plaid insists there is no security issue with its data aggregation
Plaid, Venmo's data aggregator, meanwhile, insists it's not to blame for the disruption either. It says it has been talking with PNC for more than a year, encouraging the bank to improve its security by using one-time passwords with Plaid, as other big-bank partners do to avoid fraud.
"People should be able to connect their financial data with the apps they want," said John Pitts, head of policy and advocacy at Plaid. "Most banks agree and work with us to safely enable that. We are ready to work with PNC and would like to be able to restore access quickly."
The data aggregator objects to the practice of making customers type their account number directly into an app, which slows down the process considerably.
PNC has other concerns with data aggregators
But PNC's issues with aggregation don't just relate to fraud.
“Some aggregators are going in and scraping all the information that you have in your banking relationship, not just on the one account you gave them access to,” Larrimer said. “Once they're in your accounts and into your relationship, they can see everything, they can scrape everything, and they can do that multiple times a day. They're storing that data, consumers don't know where they're storing it, and they keep it indefinitely, including once you choose to shut down your app.”
Some aggregators continue collecting customers’ bank account data every month even if the customer never uses the fintech app, she said.
“We feel, and surveys support this, that consumers do not understand this,” Larrimer said. “They do not know what information is being gathered. They don't know where it's being stored, they don't know how it's being used, they don't know the life of it.”
PNC wants to enable consumer consent, she said.
“We want these aggregators and fintechs to be more transparent about what they're doing with customer information,” Larrimer said.
PNC also objects to the way data aggregators represent the bank on their apps.
“When you get into some of those apps, you will find that all of the banking logos are out there, including the PNC logo,” Larrimer said. “When a consumer clicks on that, that is not PNC. That alone caused people concern.”
PNC has never given Plaid permission to use its logo, “nor do we believe that a consumer understands that it's not PNC’s website they're hitting,” she said.
Can they work it out?
PNC would like to set up a secure data exchange agreement using the Oauth standard for authentication, Larrimer said.
“We want to get to the point where we have APIs between PNC and Plaid in an open banking arrangement, and we've been trying to work with them on that for months now,” Larrimer said. “We have those in place with other aggregators, some in place, some in progress of being in place, and we have not been able to get there with Plaid.”
Issues around consent and security have gotten in the way of coming to agreement, she said.
“I agree that customers should be able to use whatever apps they want to use,” Larrimer said. “They should be able to share whatever data they choose to use. But the clarity of the disclosures and the consumer consent to actually know what data they're providing should be much clearer than it is today.”
PNC would also like to start tokenizing account numbers, so that the exchange of that information is more secure.
Plaid is also working on tokenizing account and routing numbers, as is The Clearing House. Plaid already has forged secure data access agreements with JPMorgan Chase and Wells Fargo.
"We've invested resources in building relationships with the biggest financial institutions and also small financial institutions and credit unions," Pitts said. "We meet with the OCC, the CFPB, the FDIC and the Federal Reserve on a regular basis to share what we are doing and how we engage with banks. “
Do regulators need to intervene?
Disputes like these are likely to continue for some time until regulators provide guidance around these questions, according to Steve Boms, executive director of the Financial Data and Technology Association of North America, which has several data aggregators in its membership.
“There is significant potential for anti-competitive behavior in this space given the financial relationships between parties,” he said. “A financial institution should not necessarily be given the opportunity to make the decisions about what third parties and customers should or should not be able to use. Its incentives are not always in the best interest of the customer, which is why you need to have some type of neutral arbiter enter the system and identify where issues really are security based and where they are commercially motivated."
That neutral arbiter would most likely need to be a regulator like the CFPB.
Boms would like to see regulators clarify that customers’ data belongs to the customer and they should have the ability to transmit that electronically to a third party of their choosing.
“Regulatory engagement is the only answer that leads to an even application of consumer rights and protections,” Boms said. “From a market perspective, that's the easiest and quickest way to do it.”
One issue that often arises between data aggregators and banks, Boms said, is a lack of data parity.
“If the financial institution is going to effectively block tools in some cases where the bank has a competing interest or an interest in a competing product, how is that the right outcome for consumers?”