As mobile apps proliferate, data protection has to keep up
Mobile apps have grown at tremendous pace, taking hold of countless areas of American life and offering consumers unprecedented levels of convenience.
However, as illustrated by social media apps that have recently come under fire, tradeoffs prioritizing convenient services over safety and privacy can cause significant risks.
Unlike other apps, the stakes for financial-related mobile apps can include the entire content of your bank account. Meanwhile, nearly one-third of U.S. survey respondents who were banked reported using fintech apps, according to a poll commissioned by The Clearing House.
These apps provide bank customers with innovative ways to manage their financial lives. But the desire to “move fast and break things” should not apply to people’s money.
One major issue is the practice of consumers giving third parties access to their bank accounts to use the app.
In most cases, fintech apps work with third-party technology providers, called data aggregators, who use a process called “screen scraping,” whereby they log in using customer-supplied credentials to gain unrestricted access to customers’ personal and financial information. This includes account numbers, loan information and initiating payments.
Because logins use customer-supplied usernames and passwords, banks have a hard time distinguishing between screen-scraping “bots,” malicious bots and actual customers. This unfettered access also allows fintechs to use consumers’ information virtually without limitation.
The practice is so widespread that TCH’s 24 owner banks (that invested in technology distinguishing between data aggregators and fraud-related bots) reported that up to 45% of their bank website logins come from data aggregators.
Banks, data aggregators and large consumer financial service providers are united in their desire to migrate from screen scraping to application programming interfaces. The launch of the API standards body, Financial Data Exchange (FDX), with members across all stakeholder groups was an important step in this migration. But there is more to be done.
The second major issue relates to consumer consent. Within fintech apps, terms and conditions tend to get the same consumer treatment as music or gaming apps: few people read it and even fewer understand it. The app designs make it difficult to find terms and conditions. And the language is often written more as a legal document than something consumers can easily understand.
The result is that few users truly understand the data-sharing practices to which they’re consenting. And there is a big difference when the downside to supplying these credentials is an increased chance of fraud and theft from an account. Terms and conditions are not standardized and many today allow the fintech app to use all available data in the account, resell the data to third parties, or even give power of attorney to initiate transactions.
Nearly half of users polled who currently use a fintech app said they are less likely to use these services after learning that many app providers use their data for outside purposes, according to a survey. The same survey found nearly a quarter of respondents said that they would not use an app that stores their bank account credentials, which is precisely what almost all fintech apps do that rely on access to bank customer data.
Clearly, the current model of consumer consent is flawed, if not absent altogether. This must change.
In addition to specific concerns that consumers have about financial data sharing, there is also an increase in the general unease around data privacy. Fintechs are not subject to the same level of data security requirements or regulatory supervision for compliance as banks. Yet fintechs have access to much of the same personal information.
Given these realities, most players in the ecosystem agree that enhanced consumer protection and security standards are necessary. But how?
In Europe, government agencies have taken control in a system called “open banking.” It replaces screen scraping with a series of APIs, and gives consumers greater control over their data.
In contrast, U.S. financial regulators have taken a more pragmatic approach with the Consumer Financial Protection Bureau issuing principles that address data access, payment authorization, data security and consent, among others.
In July 2018, the Treasury Department issued a report on “Nonbank Financials, Fintech and Innovation,” which included a focus on data security and consumer consent. Both define the goals while leaving specific implementation decisions to the industry participants that do it every day.
To that end, The Clearing House is advocating for the adoption of a concept that is called Connected Banking through which financial institutions, fintechs, data aggregators and other industry stakeholders collaborate to enable the safe and transparent sharing of bank-held data.
A major goal of Connected Banking is for consumers to control apps’ access to data, with scale and efficiency — no matter where they bank. Building out this new ecosystem requires changes to how the industry creates and standardizes APIs; how financial institutions and third parties contract with each other; how financial institutions conduct third-party risk management; and how the required infrastructure is delivered to enable consumer consent at scale.
Over the past year, the industry has come together to operationalize elements of Connected Banking by creating FDX. During the same time, many financial institutions and data aggregators have signed contracts and implementing API-based data sharing on a bilateral basis.
However, there is still significant work to be done. In the coming months, The Clearing House plans to introduce more of the critical components of the new Connected Banking ecosystem.
If financial institutions, fintechs and data aggregators succeed in working together, we will create an agile system that fuels sustained innovation while ensuring the level of transparency and security that consumers expect and deserve.