JP Morgan vows to ban fintech apps from using customer passwords
JP Morgan Chase has vowed to ban fintech apps from using customer passwords to access their bank accounts, forcing tougher security standards some three years after chief executive Jamie Dimon first warned about the dangers of data-sharing.
Bill Wallace, Chase’s head of digital, told the Financial Times the lender was working towards getting customers’ passwords “out of the system” and instead issuing tokens that send third parties a narrow range of data in a secure form.
Aggregator Yodlee recently became the first company to agree to use tokens for 100% of its interactions with Chase while Goldman Sachs-backed aggregator, Plaid, has signed up to start using tokens to access data on behalf of the many budgeting, personal finance and other apps which use Plaid to connect to customers.
Dimon warned about the risks of the current system in a shareholder letter in 2016.
“Many third parties sell or trade information in a way customers may not understand, and the third parties, quite often, are doing it for their own economic benefit — not for the customer’s,” he wrote. “Often this is being done on a daily basis for years after the customer signed up for the services, which they may no longer be using.”
Christina Tetreault, policy counsel for Consumer Reports, says the advocacy group’s research showed “few people” read the privacy statements they signed. “Most of the digital financial products and services… are take-it-or-leave-it transactions where consumers lack both meaningful notice about what is collected and where it goes,” she says.
Wallace notes that agreements like the one with Yodlee limited “third parties to what they need to serve the customer, lets the customer know exactly what information is being used… and removes the need to hand over their passwords”.
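To make the three properties Wallace lists concrete, here is an added illustration of what separates password-based screen-scraping from scoped token access. It is not Chase's, Yodlee's or Plaid's code; the bank API, the field names, the HMAC-signed token layout and the `budget-app` third party are all invented for the example. The point it demonstrates: with a password the aggregator can read every field and keeps that access until the password changes, whereas a token names the third party, the exact fields consented to and an expiry, can be inspected by the customer, and can be revoked without touching the password.

```python
import base64
import hashlib
import hmac
import json

# Assumed: a signing key known only to the bank's token service.
BANK_SECRET = b"bank-token-signing-key"

# Constructed sample customer record; the field names are invented.
ACCOUNTS = {
    "alice": {
        "password": "hunter2",
        "balance": 1250.00,
        "transactions": [{"date": "2019-06-01", "amount": -42.10, "payee": "Grocer"}],
        "ssn_last4": "1234",
    }
}

REVOKED = set()  # tokens the customer has withdrawn consent for


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(BANK_SECRET, body.encode(), hashlib.sha256).digest())


def read_with_password(user, password, field):
    """Screen-scraping model: the aggregator holds the customer's password,
    so it can read any field, and keeps that access until the password changes."""
    if ACCOUNTS.get(user, {}).get("password") != password:
        raise PermissionError("bad credentials")
    return ACCOUNTS[user][field]


def issue_token(user, password, third_party, scopes, now, ttl=3600):
    """Token model: the customer authenticates to the bank directly and consents
    to a scope list; the bank signs {subject, audience, scopes, expiry} and the
    third party receives only that token, never the password."""
    if ACCOUNTS.get(user, {}).get("password") != password:
        raise PermissionError("bad credentials")
    payload = {"sub": user, "aud": third_party, "scopes": sorted(scopes), "exp": now + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def decode_token(token):
    """Verify the signature and return the payload, so the customer (or the
    bank's consent page) can see exactly what a third party was granted."""
    body, sig = token.split(".", 1)
    if not hmac.compare_digest(sig, _sign(body)):
        raise PermissionError("bad signature")
    return json.loads(_unb64(body))


def read_with_token(token, third_party, field, now):
    """Bank API endpoint: release a field only if the token is genuine, unrevoked,
    issued to this caller, unexpired, and the field is within the granted scopes."""
    payload = decode_token(token)
    if token in REVOKED:
        raise PermissionError("token revoked")
    if payload["aud"] != third_party:
        raise PermissionError("token issued to a different third party")
    if now > payload["exp"]:
        raise PermissionError("token expired")
    if field not in payload["scopes"]:
        raise PermissionError(f"scope '{field}' not granted")
    return ACCOUNTS[payload["sub"]][field]


def revoke(token):
    """Customer withdraws consent for one third party; the password is untouched."""
    REVOKED.add(token)


def denied(fn, *args, **kwargs):
    """True if the call is refused with PermissionError."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    tok = issue_token("alice", "hunter2", "budget-app", ["balance", "transactions"], now=1000.0)
    print(decode_token(tok)["scopes"])  # ['balance', 'transactions']: the customer can see what was granted
    print(read_with_token(tok, "budget-app", "balance", now=1500.0))  # 1250.0
    print(denied(read_with_token, tok, "budget-app", "ssn_last4", now=1500.0))  # True: outside the scope
    print(read_with_password("alice", "hunter2", "ssn_last4"))  # '1234': scraping has no such limit
```

The contrast is in the last two lines of the usage: the same aggregator holding a password gets `ssn_last4` without asking, while the token holder is refused because the customer never consented to that field. A real deployment would use a standard such as OAuth 2.0 with per-field scopes and server-side token introspection rather than a hand-rolled HMAC token, but the access-control checks (signature, audience, expiry, revocation, scope) are the same ones this toy performs.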
Chase has not set a target date for eradicating password-based access, but Wallace says the bank was in the “first half of the soccer match”.
He did not think the decision would result in some apps not being able to engage with Chase customers, and insisted it was not aimed at deterring customers from moving to new platforms. “I think it’s the opposite of that,” he says. “It’s enabling people… to get their data where they need it.”
Chad Wiechers, Yodlee’s senior vice-president for data access, tells the FT that the company, which collects data for 1,200 fintech clients with 30m customers across 51 countries, uses data feeds for about 67% of the data it collects.
In the other cases where screen-scraping — the system whereby consumers hand over their passwords to allow access to their financial information — was employed, only “necessary” data was retrieved. Sima Gandhi, head of strategy at Plaid, says her company was working with Chase to ensure that the tokens allowed it to capture all of the data its app clients needed.