Why a clear answer to the data-sharing debate remains elusive
As debates swirl around who should have control over the customer data and how that data should be protected, an underlying question also has yet to be determined: How should that data best be shared?
Screen scraping has been widely disparaged, yet many data aggregators and fintechs defend the practice. Application programming interfaces can be more secure, but some say the way banks are starting to execute them gives them too much power.
This is a technology minefield banks will have to figure out as they decide how to respond to their customers’ decisions to use financial planning, robo-advisory, budgeting and other apps offered by fintech.
Here’s a look at some of the data-sharing options and their pros and cons.
The dark side of screen scraping
Screen scraping — a process in which customers give third parties their online banking credentials so they can log in and import account information into other programs — is the most common method today. It’s basically a workaround that aggregators like Intuit, Plaid, Yodlee and MX provide for all the fintech companies so they can show consumers their complete financial picture by pulling in data from various financial institutions. The aggregators’ clients also include banks. (The aggregators also use APIs and other methods to obtain the data.)
Screen scraping's opponents call it unsafe, a bad experience for the customers and a frustrating process for everyone involved.
“The data aggregators are very lightly regulated. They don’t have a lot of the strict, hard obligations banks and other institutions have,” said Joseph Lorenzo Hall, chief technologist and director of the internet architecture project at the Center for Democracy and Technology in Washington. “That means there’s a lot of innovative stuff going on here, but lately the amount of data people are keeping around for big data uses has been troubling.”
Giving online banking credentials to third parties exposes consumers to the risk that a fraudster posing as an aggregator will dupe them, that a hacker will break into an aggregator’s system and steal their credentials, or that a rogue employee at an aggregator will abuse the access.
The debate about which side is right about the appropriate method of opening up financial data access is a distraction from the real issue at stake: the pace of innovation.
“Even if you trust the entity you’re sharing with, sharing your credentials is usually a very bad idea,” Hall wrote in a recent blog post. “It could not only give someone you don’t know the power to see sensitive details about your life, but also allow them to change that data by making transfers or deleting or altering — even inadvertently — sensitive records.”
Also, allowing screen scraping could prevent banks from requiring certain kinds of multifactor authentication, such as biometrics, just as regulators are trying to get them stiffen up authentication.
When banks update their online banking sites, links the aggregators use can break, rendering updated account information unobtainable and frustrating consumers (partly because they are unsure who to blame).
Banks also worry that the aggregators will take more consumer data than they need, and that they often access data on inactive accounts. JPMorgan Chase CEO Jamie Dimon made this point in a shareholder letter last year.
Lastly, banks say screen scraping can be an operations headache, particularly when aggregators hit their customer accounts at peak times, overloading the bank’s servers.
The case for screen scraping
Data aggregators and personal financial management firms say many of the arguments against screen scraping are nonsense.
“Imagine the bank data is held inside giant castle walls,” said Ryan Caldwell, CEO of MX, a data aggregation and analytics provider. “Right now there are people coming in and acting like users and sneaking that data out. But they’re doing it for the most part on the behalf of and with the full permission of the user.”
Caldwell says there is “a tiny bit of truth” in the claim that some users no longer know their credentials are being used.
“The reality is that most of these users are resetting their passwords frequently anyway, so those old connections break,” Caldwell said. “And they only fix those connections that they want.”
Screen scraping practices make the financial system safer, argues Bill Harris, CEO of the financial planning app provider Personal Capital (which uses data aggregator Yodlee) and former CEO of Intuit and PayPal.
Users of services like Mint or Personal Capital log into their banks’ online banking sites less often, giving cybercriminals fewer opportunities to steal their credentials, he said. Though they might also use a username and password to access the fintech site or app, those credentials are less vulnerable because a hacker could only look at customer data, not steal money.
Harris dismisses the argument that aggregators are less heavily regulated and might have fewer security controls than banks. For example, during his decade-long tenure on Yodlee’s board, the company underwent about 200 cybersecurity audits a year, he said.
Harris also observed that no data aggregator has suffered a publicly announced data breach; several banks have.
“The majority of smaller banks are quite primitive in terms of cybersecurity, much more primitive than what I’ve seen within the fintech community,” Harris said.
As for online banking links getting broken, Harris said the large aggregators have employees who can fix those links. And “cooperative banks give the aggregators a heads up,” he said. “It’s not hard to change a script.”
Harris further said that data aggregators can accommodate some forms of multifactor authentication, such as knowledge-based authentication. They can pass a call for biometric authentication along to the customer.
And as for the complaint that aggregators’ automated screen scrapers look like malware, Harris said the aggregators can give banks all the IP addresses they’ll communicate from ahead of time, so the bank can identify them as they come in.
Lastly, Harris scoffed at the idea that banks’ servers can’t handle the traffic from data aggregators.
“In 2017, we have massively scalable computers,” he said. “Google handles 40,000 data requests per second. There is so much available from relatively small machines at a relatively low price. For anybody who knows how to spell IT, handling these kinds of volumes is nothing.”
The benefits and challenges of APIs gated by OAuth
Wells Fargo was the first big bank to agree to provide customer data directly to data aggregators through an API, first through an agreement with the small-business accounting software company Xero last year and then with Intuit this year. The bank has been building its own API gateway.
JPMorgan Chase also came to an agreement with Intuit this year. They’re using a read-only API based on the Open Financial Exchange 2.2 standard and tokenizing authentication using OAuth 2.0. Wells Fargo is also using OAuth.
“The most important part of this is giving control to the customer,” JPMorgan's Dimon said in a press release announcing the Intuit partnership.
The use of the OAuth standard means each third party will have a different “token” that allows them to read data from a user’s account. Users can set those tokens to expire or delete, or modify them through the bank website.
The tokenization means “you’re not typing your user name and password into the aggregator’s service and giving them credentials,” Hall said.
The user logs in to the aggregator and is redirected to the bank account to authorize the aggregator to do certain things.
“Standing on the shoulders of OAuth is really good idea, because it’s a robust standard that’s used in many places, like health care,” Hall said. It’s used for federated authentication in the larger web, by large providers like Facebook and Google.
Aggregators and fintechs are not fans of OAuth, however.
“What Chase, Wells Fargo and others are saying is, we want you to come in a side gate where we get to check you TSA style. Pat you down and make sure you’re not taking any data we don’t want you to take,” Caldwell said.
Their motive, in his view, is to prevent aggregators from accessing information like annual percentage rates, ACH numbers and routing numbers. Those tidbits can be used to lure customers and their money away.
“The problem is, it’s not about the bank, it’s about the user,” Caldwell said. “You’ll see a bit of a battle there. But in the end, there’s no future that is possible where the user won’t end up having control of the data.”
Harris agreed. “What Wells and Chase are attempting to do is put on a different protocol, the OAuth protocol, on top of an API, such that they would be able to pat you down, and decide who gets through and who does not, and decide who gets what data, or not,” he said. “I would say that if our ultimate objective is to keep consumers safe and to help people manage their money better so they’ll be more secure in retirement, then I cannot see an argument that says consumers should only have access to their balances.”
Harris says the reason banks resist giving aggregators access to all this information is that it exposes their quasi-hidden charges.
“One of the things fintechs that use aggregated data do, including Personal Capital, is try and assemble all these costs as best we can, aggregate them and show them to the customer,” Harris said. “That’s a good thing. I think the banks should think that’s a good thing as well, because it promotes competition.”
OAuth is less secure than other methods of access for two reasons, Harris said. First, it’s up to the banks to decide the expiration date of each token, which could be anywhere from a day to a year. The banks set on having more control should expect a shorter window.
“Every time a bank token expires, that necessitates a bank password being exposed on the local machine yet again,” where it can be stolen by malware,” Harris said.
OAuth requires customers to type their bank password into a pop-up browser window, Harris said. “Most of us in the cybersecurity world go out of our way to try and train people to never put your password in anything other than a page you have navigated to using a known URL,” he said. Phishers use pop-up windows, so “you’re training people to be more susceptible to phishing.”
The authentication standard is also complex — it includes as many as 20 steps, Harris said — and would be difficult to implement across the financial services industry.
Open standards and collaboration
Most consumer advocates and some banks are pushing for open standard APIs like OFX 2.2 or the FS-ISAC’s Durable Data Application Programming Interface.
With one open, widely adopted standard, aggregators and fintech companies wouldn’t be forced to support multiple standards, which is difficult technologically.
“It makes it easier for the little guys to compete,” Hall said.
Is OFX, Chase’s choice, the ultimate answer?
“OFX is great,” said Harris, who built OFX when he was CEO of Intuit, in collaboration with Microsoft and CheckFree. “It’s very secure.”
But he also points out that there are 14,000 different financial institutions in the U.S., and different mechanisms will be feasible for each.
Banks and third-party aggregators will need to collaborate to find the best method, Hall said.
“It takes some goodwill on both sides and it sounds like this is getting to be a testy area, which is unfortunate,” he said. “There’s a whole lot of good to be done, a whole lot of money to be made and wonderful consumer efficiencies to be had.”
Editor at Large Penny Crosman welcomes feedback at email@example.com.