This article in American Banker suggests that banks are deliberately making it difficult for customers to share their financial data with third-party application providers:
“Today personal financial applications like Acorn, Digit and Mint rely on bank account information to provide users with a complete snapshot of their financial footprint, improving customers’ experience when they pay bills, save money and make other financial decisions. But banks are still resisting the innovation known as application programming interfaces that allow apps to import such data efficiently and securely, and taking more aggressive action when PFM apps — without the benefits of an API — must scrape the data from a customer’s login.
With scraping, a third party application must use a customer’s credentials to log in to each institution each time the application updates, to pull the most recent data. Because of this process, financial institutions argue they cannot tell between a series of legitimate logins or brute-force hacking attempts. According to recent reports, three large banks — Bank of America, JPMorgan Chase and Wells Fargo — have been accused of limiting or, in some cases, cutting off access. The banks claimed their actions were not meant to restrict competitors, but rather out of security and website bandwidth concerns. But those arguments simply fall flat.
If banks were truly concerned about bandwidth and security, then why are they also refusing to integrate a separate and secure portal — such as APIs — so customers can access their finances?”
The article suggests that banks in Europe have already embraced the idea that making it easy to share financial data is a good thing that opens up new market opportunities, but it also acknowledges that this willingness to open up is actually a regulatory mandate:
“Financial institutions across the pond are already working collaboratively toward this. In an effort to improve consumer services, boost competition and foster growth in the rising fintech community, the U.K. government is pushing to implement an open API standard for all financial institutions. According to research firm Gartner, while these efforts are good for British customers, without similar action larger U.S. financial institutions will be at a disadvantage when competing in the global marketplace.
Financial institutions here in the U.S. should embrace this innovation rather than resist it. Innovators in Silicon Valley are already creating APIs for the financial services industry for this very purpose. API-enabled access would eliminate constraints on the front end of a bank’s website. As financial institutions innovate to try and keep up with fintech startups, why would they not open their platforms to the broadest base of potential users? Let those users plug in securely however they wish. The opposite approach — raising barriers to shield competition — will only frustrate customers, and make winners out of startups and the financial institutions that choose to innovate.”
Regulators in the US have held banks accountable for failures of distant third parties, the most recent being Meta Bank for MasterCard’s failure to process Rush Card transactions during a portfolio cutover. Without a regulatory mandate, I find it hard to imagine many risk officers will feel comfortable allowing consumer data to be openly transferred to any third party a consumer wishes. As soon as a third party is hacked and the consumer data released into the wild, the regulators will blame the banks and come down on them like a ton of bricks. So I think my attitude as a risk officer within a financial institution will be “you go first, I’ll wait here and watch what happens.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group