The long-running feud between banks and fintech companies over screen scraping is morphing into a more nuanced and important debate about how to exchange consumers' financial data securely and fairly.
White papers are being written, lobbying groups are forming and interpretations of the law are being put forth. The questions are more complex than whether third-party data aggregators should be permitted to access consumers' accounts using their credentials. The new Matryoshka dolls include: Is the industry legally obligated to improve the way data is shared between banks and third-party apps like Mint or Digit? Will replacing screen scraping with something more secure and reliable also prevent third-party apps from capturing valuable data such as interest rates? Should the industry collaborate more on standards so smaller banks aren’t locked out of digital advancements?
The stakes are nothing short of the ability to innovate with financial apps – including some bank apps – at a time when most Americans live paycheck to paycheck and could use new tools to plan, save and borrow. The Consumer Financial Protection Bureau has also been taking an interest in the issue of data access, meaning that if the industry doesn't converge on a solution, one may eventually be foisted upon it.
The answers may require banks to rethink their business models, which rely to a degree on consumer lock-in.
"On the face of it, it looks like a tech issue," said Kristin Moyer, a research vice president at Gartner’s banking and investment services practice. "But it forces you to think about what it means to be a bank."
One wrinkle is that competing approaches to grabbing financial records are multiplying. Big banks have been landing application programming interface deals with fintech companies. This week, JPMorgan Chase and Intuit announced a partnership to make sharing financial data easier and safer through an API (specifically the OFX 2.2 API). Wells Fargo made a splash last year when it announced an API deal with an accounting software firm called Xero. Banks, large and small, have the Open Financial Exchange (OFX) and Durable Data API standards at their disposal at a time when screen scraping is still in wide use.
“It will get worse before it gets better in terms of number of competing API-type solutions,” Moyer said.
Essentially, individual partnerships may be good advertising for the benefits of data sharing, but they hinder the development of an ecosystem built on standards. Lack of standardization, some say, could stall innovation and ultimately harm consumers.
“Imagine a small bank with limited resources,” said Beth Brockland, a managing director with the Center for Financial Services Innovation in Chicago. Such a bank will lack the time and resources to negotiate one-off agreements with aggregators.
To address a challenge that ultimately affects consumers, the center is among those advocating for more collaboration. In a recent BankThink post, Brockland and her colleague, CFSI President and CEO Jennifer Tescher, wrote:
“But an end-state that involves innumerable one-off deals between banks and third parties would be a bad outcome for consumers and for the industry as a whole. We need a broader set of industry-wide standards and best practices if we are to arrive at solutions that support consumer choice and innovation.”
The center has been helping to shape the conversation by publishing a framework on data portability – a principles-based vision for how the industry can come together on data-sharing practices. Without getting into technical specifics, the CFSI sets a clear goal: Make sure the apps consumers depend on to manage their money are spitting out accurate insights.
Among the firms that contributed to CFSI’s framework was the data aggregator Finicity, based in Murray, Utah. Nick Thomas, a co-founder and president of the company, said he ultimately wants the industry to unite on a single standard to address what he sees as a big challenge. His vision includes a unification of the Durable Data API (DDA) and decades-old OFX standards – the latter of which, Thomas readily admits, needs to evolve away from its XML data format.
Some, however, say it’s unrealistic to ask most small banks to invest in a spec that promises no revenue right away.
“From the bank’s perspective, there is a big lift with no immediate reward,” said William Hockey, a co-founder and chief technology officer of Plaid, a provider of financial technology infrastructure. “You're not always met with open arms. I don’t fault them. But it's a balance, because it's ultimately about what customers want.”
The obstacles to coming to a consensus on something that introduces new forms of risk are many.
“Standards are a very tough thing to achieve,” said Gartner’s Moyer.
John Schulte, the chief information officer at Mercantile Bank of Michigan, is among the bankers in favor of one standard – developed in partnership between banks, the fintech community and other stakeholders. However, his bank offers customers aggregation capabilities; not all banks do.
As Schulte sees it, smaller banks that don't offer aggregation and financial health tools are the most threatened and most likely to resist allowing aggregation of their data by outsiders.
“The question we have to ask ourselves as community banks is whether we want to own the role of being our customers' partner in managing their financial health/goals, or let others (big banks, fintech, others) fill that gap,” Schulte said.
Unlike in Europe, where regulators have directed banks to open up their data to APIs and third parties, the legal motivation for U.S. banks to move quickly on something that costs money is, for now, nebulous.
The new Consumer Financial Data Rights lobbying group, for instance, is citing Section 1033 of the Dodd-Frank Act as codifying consumers' right to access their financial data through third-party apps. Whether that’s what Congress intended with the section is a matter of debate.
“They are taking what I consider to be an aggressive posture on 1033,” said Brian Knight, a senior research fellow for the financial markets working group at the Mercatus Center at George Mason University.
As Knight sees it, the language in Section 1033 seems to contemplate a direct relationship between a customer and bank rather than through a third-party app. Further complicating the issue are proposed cybersecurity rules that could put banks in a quandary if separate regulations mandated third-party access. (Currently, the CFPB is in the midst of a request for information on data portability.)
“Banks feel torn,” Knight said. “‘One regulator will ding me if I make it too hard to get information. One regulator will ding me if it’s too easy. What do I do?’”