Bankshot

Fintechs’ vulnerability apparent in Capital One data-access flap

It’s far from the first time a bank has been accused of preventing consumers from using fintech apps. But the news that a security update from Capital One has resulted in a major data aggregator being blocked from porting some bank data to other apps for more than a month marks a disturbing turn for financial innovation.

Not only is it happening after many fintechs and banks have declared the debate settled over whether to share data (with sharing now seen by many as pro-consumer). But this particular move is coming from one of the most innovative financial institutions in the U.S.

For decades, banks and fintech companies have fought over how consumers securely share bank data to use popular apps that require them, like Mint and Kabbage. In more recent years, a handful of banks have been inking data-sharing deals with fintech companies to improve the ways consumers move data — Capital One among them.

Capital One branch
The consent order between the Federal Reserve and Capital One required the bank to submit progress reports on its efforts to improve its risk management functions.

In fact, Capital One has been among those banks leading the charge in the U.S. to make application programming interfaces available as a more secure and reliable way for consumers to port their data from a one bank app to another rather than sharing online bank credentials with outsiders.

But, according to reports, Capital One customers can no longer properly use apps that rely on Plaid, a well-known data provider to popular apps like PayPal’s Venmo and Acorns.

The Capital One blockage could be unintentional, possibly related to a tech upgrade. Problems can arise when a bank updates its infrastructure and a data aggregator may not be able to access information for a time. Banks are also understandably worried about guarding assets, especially because it’s often unclear which party is on the hook after a hack. Some analysts also believe consumers don’t know just how much information fintech apps are taking from their bank accounts.

But the blockage could also signal a bigger concern: a bank using its APIs to call the shots on what kind of data is shared with fintech apps while simultaneously proclaiming to be the consumer’s champion. It’s not clear how severe the problem is, but Plaid doesn’t use Capital One’s API. Some other data aggregators, meanwhile like Envestnet’s Yodlee,have said they are not experiencing any issues with Capital One.

For its part, Capital One said it “remains committed to enabling our customers to take advantage of third-party tools, but in a way that is secure, transparent, and always under the user’s control,” according to a spokesperson.

It added that “it is possible that the regular upgrades that we make to improve the safety and security of our systems may impact the ability of some third-parties to access customer data, should they rely on methods that don’t meet our reasonable security standards.”

"While this may cause a temporary inconvenience as impacted third-parties adapt, this is an important upgrade we made to help prevent customer harm. We will not compromise on security and expect all parties to protect customer data to the same standards that we do,” the spokesperson said.

Whatever the cause of the Plaid blockage, what’s worrying is that the episode shows the fragility of fintechs, some of which depend on bank data to have working apps. Some banks’ offerings do too. Firing up a budgeting app that is crunching data from a month ago is pointless. Ditto for an app that can no longer onboard certain customers because a bank won’t let it access its data.

It also points to a problem. Bank APIs are the way data-sharing has to go; they power the digital world. But they might not get the industry out of this mess. The data-sharing battle will continue unless the private sector unites on solving the problem or regulators provide more clarity on the myriad data-sharing issues, like liability.

In the interim, it’s the consumer trying to send a payment to a friend or set aside money in an investment that suffers. Take a look a Twitter — the more than one million customers who are affected by the Capital One blockage are venting their frustrations online, just as people do when their bank has an outage.

Banks have a justifiable need to fortify their walls against fraudsters. But blocking consumers’ ability to use popular fintech apps is dangerous — for both banks and fintechs.

The problem needs to be solved quickly. To survive the digital era, fintechs and banks alike must give consumers what they want, before someone else figures out a way to do that for them.

Bankshot is American Banker’s column for real-time analysis of today's news.

For reprint and licensing requests for this article, click here.
Data sharing APIs Data privacy Capital One Bankshot
MORE FROM AMERICAN BANKER