Odds are, if you work in fintech, you know what open banking is. It is such a popular concept that in Europe an entire regulatory regime, PSD2, has sprung up around it.
So if Europe is progressive enough to create regulations mandating open banking, how is the U.S. doing? It turns out that some banks in the U.S. are taking an opposite approach and preventing third parties from accessing consumer data.
Keeping it secure
The motive behind this move is pure: banks are closing down connections to third party apps to keep customer information secure and limit data breaches. Data retrieval methods such as screen scraping or using the customer’s password to gain access are indeed unsafe. We spoke with Gerti Dervishi, Chief Growth Officer and Co-founder of Flybits, who said this type of data sharing is “risky in so many different ways” since data scraping is not a standard protocol. Regarding recent decisions of U.S.-based banks that are gating off third parties, Dervishi said, “Honestly, this couldn’t go on for much longer.”
JP Morgan Chase recently came up with a new access plan for third party fintechs that require access to customer data. The aim of this new plan is to stop third parties from using password-based access to retrieve customer banking data. Starting July 30, fintechs will be barred from pulling customer information until they sign data access agreements and stop using customer passwords to retrieve banking information. Instead, JPM wants third parties to connect to consumers’ accounts via its open API. The bank made it clear that not only is this method more secure, it will also place consumers in control of what data they want other applications to access.
PNC Financial is also cracking down on third party data access, but is leaving third parties with fewer options. Explaining the decision to the Wall Street Journal, PNC Chief Customer Officer Karen Larrimer said, “When aggregators access account numbers, many store them indefinitely, often unbeknownst to customers. This puts customers and their money at risk. We want to make sure we know who is setting up the account.”
As part of the move, Pittsburgh-based PNC is preventing customers from using P2P money transfer app Venmo and has blocked “multiple different aggregators,” including Plaid, which PNC states circumvented its security protocol. Plaid, a popular data transfer network, connects consumer information to other third party apps such as Square’s Cash app, Robinhood, and Digit.
Who owns the data?
But shouldn’t the consumer be able to decide if they want a third party to use their data? This became a major issue when PNC began directing users from PayPal’s P2P payment app Venmo to Zelle, the bank’s in-house P2P money transfer tool. This is because, as Dervishi said, “There is already an agreement in place with Zelle. [PNC] understands data sharing with Zelle, but they don’t have a standardized agreement with Plaid.”
When it comes to the issue of data ownership, Dervishi circled back to the need for standardization. Because PNC does not have a clear agreement in place with third parties, there is nothing to hold them accountable when it comes to how they use or store customer data. “We need a NAFTA for data,” he said.
So though it may seem as if both of these U.S. players are taking a “closed banking” approach, that statement isn’t exactly correct. Both banks offer open APIs. The difference is that PNC has shut out Plaid (and, in turn, the many third party apps that use Plaid) to head off security issues. JPM (and potentially others) may not be far behind. As Ron Shevlin pointed out in his piece “The Real Story Behind the PNC Venmo Clash,” “[JPM will] be watching what happens with PNC, for sure. If PNC sees limited account attrition, other Zelle banks will be likely to follow.”
At the end of the day, the only way to prevent banks in the U.S. from taking a “closed banking” approach may be to follow in the footsteps of the European Union and create a PSD2-like, standardized regulation for data sharing. “Because each bank takes a different approach to third party data access,” Dervishi said, “until we have a well-understood framework like open banking and PSD2, we will have a thousand different methods [to access data].”