Wells Fargo says it has nearly eliminated screen-scraping threat
When Wells Fargo announced Thursday that it has signed a data-sharing agreement with Envestnet Yodlee, it was a milestone for the company.
Four years ago, Wells Fargo began a campaign to eliminate screen scraping — the practice in which data aggregators sign in to online or mobile banking using a customer’s credentials, copy and paste customer account information, and send it to their fintech and other clients.
It began setting up data-sharing agreements with data aggregators in which they agree to gather customer data through application programming interfaces that Wells provides and forgo screen scraping.
Envestnet Yodlee will connect to Wells Fargo and access data on behalf of its customers using Wells Fargo’s API and the OAuth authentication standard, rather than bank customers’ login credentials, across Yodlee’s network of 1,400 clients.
This is the 17th data-sharing agreement Wells Fargo has signed. It’s now working directly with all the largest U.S. data aggregators and several big fintechs. Two of those data aggregators recently agreed to be acquired by card networks: Plaid by Visa and Finicity by Mastercard.
With this agreement, Wells Fargo has confirmed plans to transition 99% of current third-party financial app screen scraping to API-based data exchange. Wells Fargo expects it will take about two years to fully integrate with Envestnet Yodlee.
“We've gotten to a point now where we're under agreement with the vast majority of the credential sharing and screen scraping,” said Ben Soccorsy, head of digital payments in the digital division of Wells Fargo Virtual Channels. “This gives our customers greater control and transparency over the financial information they choose to share with third parties and gives them the ability to manage those things on an ongoing basis through our Control Tower [app].”
That app, which Wells rolled out in 2018, lets customers see, among other things, which third parties are accessing their bank account data. It lets them revoke those privileges when they choose. The company has been seeing strong use of Control Tower, which also lets customers manage subscriptions and other recurring payments that have been set up on their Wells Fargo cards and accounts, and turn debit and credit cards and mobile wallets on and off, Soccorsy said.
“With the onset of the pandemic, and with customers experiencing unexpected financial stress, the recurring payments controls have proven to be a powerful component of Control Tower that has resonated now more than ever,” Soccorsy said. “That speaks to the notion that we want to provide transparency and control for our customers, not just on the recurring payments and subscriptions, but also on the data sharing.”
For its part, Envestnet Yodlee has signed data-access agreements with several financial institutions, including Citigroup, JPMorgan Chase, Bank of America and Charles Schwab.
“None of the agreements are exactly the same, but they all have alignment around the key principles: moving from screen scraping to an API, moving from requiring the customer to entrust their online banking credentials to us, to an Oauth-based, redirected flow,” said Brian Costello, vice president of data strategy at Envestnet Yodlee. “And in general, [the agreements set] requirements for transparency and control, uplifting the governance of the ecosystem.”
The data-access agreements set the rules of the road for accessing the financial companies' API, authenticating, registering customers and meeting security, privacy, risk and compliance requirements.
“These bilateral agreements are ensuring that there's a minimum standard of customer protection, which is absolutely fantastic for the industry,” Costello said.
Envestnet Yodlee is currently under investigation by the Federal Trade Commission for potential data privacy lapses. Three Democratic lawmakers urged the FTC chairman in a letter in January to look into Envestnet Yodlee’s practice of selling anonymous customer data to third parties such as hedge funds.
In their letter, Sen. Ron Wyden of Oregon, Sen. Sherrod Brown of Ohio and Rep. Anna G. Eshoo of California wrote: “The consumer data that Envestnet collects and sells is highly sensitive. Consumers’ credit and debit card transactions can reveal information about their health, sexuality, religion, political views and many other personal details. And the more often that consumers’ personal information is bought and sold, the greater the risk that it could be the subject of a data breach, like the recent breaches at Equifax and Capital One.”
The legislators said Envestnet does not adequately notify consumers that their personal financial data is being sold to third parties, which violates the FTC Act’s prohibitions against unfair and deceptive practices.
In August, a class action lawsuit filed against Envestnet Yodlee also complained of the way it handles and sells customer data.
Soccorsy and Costello said they couldn’t comment on these matters.