As banks slowly, gingerly start to provide account and transaction data to their customers over Facebook Messenger and Amazon Alexa, they’re navigating a minefield of uncertainties when it comes to privacy and security.
“Banks have a genuine and well-founded fear that the internet giants could take control of the customer, relegating the regulated financial institutions to low-margin utility pipes,” said David Birch, global ambassador at Consult Hyperion.
TD Ameritrade went live with a Facebook Messenger bot last week. Wells Fargo, TD Bank, and Royal Bank of Scotland are among the banks that also have Messenger bots through which customers may speak or text questions and get quick responses.
Capital One, American Express and TD Ameritrade are among those that have Alexa Skills — apps that let customers converse with Alexa through Amazon Echo and Echo Dot speakers to get account information and pay bills and such.
Google did not respond to requests for an interview or information about bank tie-ins with Google Home, and bankers I have spoken with have expressed little interest in working with Google’s device.
Here are three major questions financial firms have about how the tech giants manage bank and customer data … and some not completely comforting answers.
Do Facebook and Amazon have access to the data the banks send through the channel?
“Banks in general don’t want to have Facebook looking at their data in transit,” said Pascal Bouvier, a venture capital investor in Washington.
“Facebook, Google and Amazon know a lot about us, more than banks do,” Bouvier said. “There’s some information banks have that those three do not have, and enabling transactions through them ensures the companies fill that subset of information they don’t have. Through any channel within Facebook Messenger, Google Voice and Amazon Echo, those that control the distribution pipe are going to get a lot of value out of that data.”
Facebook says it does not see customers’ account information.
In the case of TD Ameritrade, when customers want to view or interact with account data, they tap “My accounts” and are brought to an authentication page that asks for their TD Ameritrade user name and password. Facebook uses a web view to shift the customer to TD Ameritrade’s mobile website to view their account information. This portion of the mobile site has the look and feel of Messenger, so the customer doesn’t feel the change. But all the customer information is stored at the financial firm. Other financial companies take the same approach with Facebook Messenger, though Facebook says each integration is different.
“What Facebook is saying they’re doing with Ameritrade makes a ton of sense,” Bouvier said. “I would expect that even though there might be different technology solutions to do it, most of them will do it that way — they’re going to make sure the data remains inside. Facebook itself will have a tough time getting that information.”
Amazon said account credentials and numbers stay with financial institutions and are linked to Alexa customers using access tokens.
Can Facebook and Amazon see or hear what customers speak or type to their financial institution over Messenger, Alexa and Echo?
Facebook says it cannot.
Amazon says voice recordings are securely stored in the Amazon cloud.
“Whenever a large tech company like this says it’s stored, recorded and stays in the cloud, to me it feels like there are many loopholes and conditions to make it superdifficult for you to completely erase your stuff,” Bouvier said. “There’s a higher probability voice conversations are going to be used, not necessarily now or tomorrow but at some future time.
“I think we still do not know the unintended consequences of having an Amazon Echo passively recording everything, or actively being triggered and starting to record stuff that is then stored in the cloud, that has potential for an invasion of privacy that’s pretty severe,” Bouvier said. “What are the guardrails? What are the use cases?”
However, Bouvier acknowledged that given the very strict rules banks must follow concerning personally identifiable information, Amazon is probably trying to figure out how to mine that data without running afoul of those rules.
“That’s probably the dance they’re trying to figure out, technologywise,” Bouvier said.
Can data about bank transactions be read by the tech companies’ product-recommendation engines?
Another worry for bankers is whether a product-recommendation engine or ad engine could monitor their conversations with customers, so a bank customer inquiring about a loan could be presented with an offer for a lower-rate product from a competitor, for instance.
“Do we use content of conversation for ad targeting within Messenger? Today we do not do that,” said a Facebook spokeswoman.
Amazon gave almost the exact same answer: “No. We don’t currently use Alexa data for this purpose,” the company spokeswoman said.
And of course, the potential for security issues such as man-in-the-middle attacks always lingers.
“When are we going to get the first white-hat hacker who says, Hey, there’s a major flaw in this technology stack?” Bouvier said.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.