Capital One’s decision to share customer data with third-party services through application programming interfaces deserves applause. The data-sharing model allows banks to protect their customers, while giving customers better control over their personal financial information.
Some critics have argued that bank implementation of APIs may result in the blocking of some fintech user apps. But APIs actually provide a more stable model. When Capital One made a recent security-related software update, certain third parties that do not use Capital One’s APIs experienced difficulties in accessing information. Had the third parties adopted Capital One’s API model, their users would have experienced no difficulties. Clearly APIs remain the best way forward for both banks and fintech providers to reliably share data with the additional benefit of protecting customers’ privacy and security while increasing customer transparency. (Editor's note: Capital One is one of 26 banks that own The Clearing House.)
Recent events such as the Equifax breach, the Facebook and Cambridge Analytica scandal, and the Federal Trade Commission’s action against Venmo have shown that companies’ data protection and information-sharing policies can greatly impact consumer trust and that privacy, transparency and control are important issues for consumers. In fact, the overwhelming majority of U.S. bank customers that use third-party fintech applications say they were either very or extremely concerned about privacy when using these applications, according to research we will release later this summer. Our study also finds that users often lack a clear understanding of how third parties collect, access, use, store and share their data.
But banks can continue to ease these concerns with the use of APIs.
APIs allow banks to share information with data aggregators and other third-party companies without these parties obtaining the customer’s internet banking login credentials directly from the bank’s customer and engaging in screen scraping, as has been done in the past. Not only is the older model a risky practice because of the direct sharing of the customer’s login credentials, but also because these third parties can then access all of the customer’s information on the bank’s platform. In other words, any party with a customer’s internet banking login credentials can access any information and perform any activity the customer can, including moving money in and out of the customer’s bank accounts. This is particularly troubling as many customers are not sufficiently aware that these third parties sometimes give or sell customer information to other outside parties, who may exploit it, or use it in unintended ways.
This is why leading financial institutions such as Capital One are moving to secure APIs for sharing account data. The use of APIs protects the safety and security of the customer’s information and funds and puts customers in charge of the information they want to share and with whom. APIs also hold the promise of revolutionizing the way we manage personal finances by permitting banks to share data with data aggregators and other third-party organizations to offer new services to customers.
For the use of APIs to take off, banks must first address customer concerns about how their customer data is protected across all the parties in the value chain. Banks must not compromise on security — and they should expect all parties to protect customer data to the same standards they do. While this may inconvenience some customers in the short term as impacted third parties adapt to the newer model, the move to secure APIs is an important upgrade that must be made to ensure that consumers are protected. Several data aggregators have chosen to work with banks through APIs and other contractual agreements to ensure the appropriate balance between data security and customer convenience. The remaining players should follow their lead.