Controversy brewed in the Android Marketplace last week when Bank of America Corp. began rolling out a person-to-person payment feature in its mobile-banking application.
When users downloaded an update to the app that included the P2P feature, they were asked for permission to access their contact list without an explanation of why.
In the app-review section, many users expressed their unhappiness with BofA’s seemingly out-of-the-blue request to peek into their address books. One user wrote, “Contacts permission is disgusting. Fire whomever made this happen. Now I need a new bank that has an app I can use.”
Another wrote, “Poor update decision. Not updating so you can spam my contacts. WORST DECISION OTHER THAN BUYING Countrywide! BofA, you outsource this update decision? You don’t need.”
It turns out that the bank was simply providing an opt-in feature whereby, for their convenience, customers can click on a contact in their contact list instead of typing in that person’s information.
On Sept. 29, the bank added a note to its app description in the Android market: “* PLEASE READ this important note about contact information on your device: We’ve launched the ability for our customers in select U.S. states to conveniently make transfers using a phone number or email address (functionality available nationwide in the near future). Our app can populate the transfer recipient’s information from the sender’s device contact data, but ONLY if users request it during the transfer process. Only the specific recipient’s contact information is accessed for the purpose of the transfer (the entire address book is not accessed).”
In a Sept. 29 statement, BofA spokesperson Tara Burke elaborated: “Access to contacts is purely initiated and controlled by the customer and is provided to make selecting a P2P payee easier for our customers in the future. The bank has begun a gradual rollout of this service in the United States and is expected to continue through 2012.”
BofA is not alone in offering P2P payments and in giving its Android app the ability to access a user’s address book. JPMorgan Chase & Co.’s app does the same thing. PayPal’s Android app not only can read personal contact information, but it also can access the user’s calendar. Citigroup lets its app read and modify contact data stored on a customer’s device.
Is this whole brouhaha merely a matter of communicating more clearly with customers?
“It’s absolutely a communication issue,” says Julie Conroy McNelley, senior analyst at Aite Group. “We’ve seen similar things before, for instance, when it came out that the Apple iPhone had the capability, even when the phone was off, to track the user’s location. But it wasn’t effective at communicating that. Once that was discovered and found out in the press, it was the manner in which people discovered the capability that affected them, rather than the capability itself.”
Incidentally, most Android apps can also track the user’s location.
“Where people get upset and where privacy groups use these things as a platform is when it’s perceived as being done stealthily and without expressed opt in from the consumer,” McNelley says. “A lot of it is having an effective communication plan.”
Bank of America was not stealthy. Its mistake was in making a stark disclosure that turned consumers off.
“In these cases, you’re between a rock and hard place,” McNelley acknowledges. “If you don’t disclose, you run the risk that it will backfire on you, the same way it did for Apple a few months ago. If you do disclose, you run the risk that a privacy group will use you as an example. There are some customers that are justifiably concerned, but that’s being augmented by people who want to use this as an example of how banks are ruining privacy. But the reality is that in the world of social networking, if you’re on Facebook, you’ve already given up a lot of those rights.”
What banks such as BofA could do is effectively spin capabilities such as one-click P2P payments as a benefit by saying something like “We’re making it easier for you, and it’s opt-in or opt-out. Do you choose for convenience or to protect your privacy,” McNelley suggests.
P2P payments represent an elevated security risk from a bank’s perspective because they enable a consumer to send funds outside the bank’s firewalls to an endpoint the bank does not have the ability to verify, and the funds are sent immediately via the automated clearinghouse system, McNelley says.