The battle over bank customer data may finally be over

Register now

The tug-of-war between fintechs and banks over customer information may finally be ending.

For the past few years, fintechs have argued they need to access bank customer account data to provide services like online loans, personal financial management and savings apps. Banks have been cautious about providing such information and unhappy with how fintechs have grabbed it by logging in with customers’ user names and passwords.

But there are signs of a resolution in sight.

"Over the course of the past nine months in particular, the flywheel is starting to spin," said Brett Pitts, who is head of digital for Wells Fargo virtual channels. "We've been talking about a lot of the mechanics, plumbing, and cross-industry dynamics that are important and we've made some progress. There’s a whole lot more progress to make."

In the past year, Wells has signed data-sharing agreements with Intuit, Xero and Finicity.

On Monday, it will announce two more, with Expensify and PointServ.

The Expensify agreement will make it easier for Wells Fargo credit card customers who use Expensify to report monthly business expenses. Wells Fargo and Expensify will use an application programming interface to share monthly expense data.

Under the PointServ agreement, when a Wells Fargo customer applies for a loan with a mortgage company that uses PointServ software to gather financial documents, a Wells Fargo API will deliver customer statements and bank account activity to PointServ.

"The more agreements we reach, the faster this moves. Because we and our partners continue to have a more sophisticated understanding, a shorthand, and a vocabulary — we’re more intellectually aligned on this than when we started out," Pitts said.

Other industry leaders also see momentum building as a result of the Consumer Financial Protection Bureau's data-sharing principles and increased communication among financial firms, aggregators and fintechs that lead to legal agreements through which banks share customers' account data, typically via an application programming interface, with details around data use, consumer consent and liability all hammered out by lawyers.

"We've come a long way over the past year or two, starting with the CFPB's request for response in January," said Becky Heironimus, vice president of enterprise digital products and data connections at Capital One. "The fact that we're talking about it is a huge step forward. The fact that the CFPB published guardrails is a huge step forward. We're going to need to keep the conversation going as technology changes."

Capital One and Intuit announced a data-sharing agreement Oct. 31 that will let bank customers who use Intuit products like QuickBooks Online, Mint, and TurboTax import their financial data without sharing login credentials. This is the bank’s fourth agreement to use the Customer Transactions API it launched in 2017; the others are with Abacus, Xero and Expensify.

Sharing data through APIs, rather than so-called screen scraping, relieves fintechs of the worry that a bank will block them from accessing customer data.

The use of APIs assures banks that their customers are not giving their online banking credentials to unvetted third parties, that customer data is being kept secure, and that their servers won't be overwhelmed with third party screen-scraping activity. It also opens up the possibility of offering new products using external data.

For instance, Wells Fargo is developing a product called Control Tower that lets consumers review all the places to which they have linked a Wells Fargo card or account — magazine subscriptions, gym memberships, monthly commuter tickets and such — and manage those links.

"Control Tower is a good illustration of one of many things that are possible as we do a better job of hooking up the plumbing on the back end," Pitts said.

Bankers, fintechs and aggregators say the data-sharing principles the CFPB released in mid-October have helped.

We are very aligned with the CFPB principles,” Heironimus said. “As a company, we're 100% focused on ensuring that we have a secure, transparent way for our customers to access their data where they're in control.”

Pitts said the CFPB guidance reflects conversations the bank has had with fintech partners and the consumer bureau.

“A lot of the principles are consistent with what we've been saying over the past couple of years: that consumers should have transparency, visibility and the right to control access to their data as they see fit,” Pitts said. “That they ought to be able to identify who's accessing their data and what they're using it for. If there's disputed access, they ought to be able to easily resolve that. That all parties involved have to maintain accurate and highly secured data pools and need to have the right level of accountability.”

The CFPB’s discouragement of screen scraping is especially welcome to bankers.

“We can all agree there are concerns with customers handing over their credentials,” Heironimus said. “And it is hard for the third party to leverage screen scraping when sites are constantly changing.”

In addition to urging banks to share customer account data and fintechs to not screen-scrape, the CFPB principles call for providing informed, understandable consent to consumers about how and where their data will be used. This suggests not relying on, say, a 16-page terms and conditions document that is likely to go unread.

Beth Brockland, managing director of the Center for Financial Services Innovation, heralded this clause in an American Banker opinion piece: “Terms of use and privacy policies are rarely written with consumers in mind,” she wrote. “However, the same care that companies put into designing the user experience in products should also be applied to disclosures and communication related to data access.”

Heironimus said this is easy to do.

“We have implemented it and we're excited to see the CFPB making it a priority, because that matters to our customers,” she said.

Consent should be detailed, so the customer can consent to the specific data fields and accounts they’re willing to share and the use cases for which that information is used.

“It's also important that customers have the ability to revoke that consent at any point in time,” Heironimus said. “That gives them a feeling of control over their data.”

Some customers want to share balance information but not transaction information, Pitts noted. They might want to allow automatic payments in some situations but not others. They need to be given options but not overwhelmed with choices. And the consent needs to be ongoing, because people's preferences change over time.

The Consumer Financial Data Rights group has complained that bilateral agreements between banks, data aggregators and fintechs are too restrictive and leave smaller companies out.

Pitts said that now that more agreements have been signed, there may be a chance to go beyond bilateral agreements.

“We're hoping now that some of the heat has come out of the accusations of two years ago, we can all move forward constructively together,” he said.

Wells Fargo is working to make the agreements easier for small companies to digest, he suggested.

“For this to be able to scale, we've got to get to successively lighter weight and standard agreements,” he said. “None of us are going to reach our goals if everyone has to show up with giant legal teams.”

Heironimus said Capital One’s API is available to anyone who wants to talk to the bank about it.

“Our goal is to make all data sharing connections move towards our APIs because we feel it is secure and the best control for customers to have over their data,” she said.

As for the data rights group’s other major complaint, that banks don’t allow data aggregators and fintechs to gather pricing and fee information so consumers can compare services, Pitts said this is not true.

“Ever since the beginning we've been operating under the assumption that that's one of the outcomes,” Pitts said. “It’s not in anybody's best interest to govern customer data sharing in a self-interested way.”

Financial services firms can benefit from such comparisons, too, he noted.

"I don't think anybody is afraid to compete,” Pitts said. "People have the ability to shop rates, payments and offerings; we're all accustomed to competing in that environment.”

Pitts noted there's still a long way to go, as banks and fintechs negotiate questions about risk, assignment of liability and intellectual property, and what constitutes a compelling experience.

“It's slow going as everybody tries to create that new model,” Pitts said. “I'm optimistic looking forward, now that we seem to be agreeing on what the core principles are. There are so many great ways in which we're going to be able to innovate, create new types of experiences.”

Editor at Large Penny Crosman welcomes feedback at

For reprint and licensing requests for this article, click here.
Data sharing Wells Fargo Capital One CFPB