B of A Mobile Payment App Stokes Privacy Fears Among Android Users

Controversy brewed in the Android Market this week when Bank of America began rolling out a person-to-person payment feature in its mobile banking app. When users downloaded the update that added the P2P feature, they were asked to grant the app permission to access their contact list, with no explanation of why it needed that access.

In the app review section, many users expressed their unhappiness with Bank of America's seemingly out-of-the-blue request to peek into their address books. One user wrote, "Contacts permission is disgusting. Fire whomever made this happen. Now I need a new bank that has an app I can use." Another wrote, "Poor update decision. Not updating so you can spam my contacts. WORST DECISION OTHER THAN BUYING Countrywide! BofA, you outsource this update decision? You don't need."

It turns out that the bank was simply providing an opt-in feature whereby, for their convenience, customers can click on a contact in their contact list rather than type in that person's information. Today, the bank added a note to its app description in the Android market: "* PLEASE READ this important note about contact information on your device: We've launched the ability for our customers in select U.S. states to conveniently make transfers using a phone number or email address (functionality available nationwide in the near future). Our app can populate the transfer recipient's information from the sender's device contact data, but ONLY if users request it during the transfer process. Only the specific recipient's contact information is accessed for the purpose of the transfer (the entire address book is not accessed)."

In a statement today, Bank of America spokesperson Tara Burke elaborated, "Access to contacts is purely initiated and controlled by the customer and is provided to make selecting a P2P payee easier for our customers in the future. The bank has begun a gradual rollout of this service in the United States and is expected to continue through 2012."
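The bank's note says the app reads only the recipient the customer selects, never the whole address book. On Android, a payee picker built that way does not need the contacts permission at all: the system contact picker hands back a URI for the single row the user chose, with a temporary read grant attached. The following is an added illustration, not Bank of America's code or the code of any app named in this article; the class and field names are hypothetical, and it assumes a current Android version where the picker grants temporary access to the returned row without a READ_CONTACTS declaration in the manifest.

```java
// Added example (not Bank of America's code): let the customer choose a P2P payee
// from the system contact picker without declaring READ_CONTACTS in the manifest.
// Only the one phone entry the user selects is ever read by the app.
import android.app.Activity;
import android.content.Intent;
import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.provider.ContactsContract;
import android.widget.EditText;

public class PayeePickerActivity extends Activity {
    private static final int REQUEST_PICK_PAYEE = 1;
    private EditText payeeField;  // hypothetical recipient field on the transfer form

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        payeeField = new EditText(this);  // stands in for the real transfer form layout
        setContentView(payeeField);
    }

    // Called only when the customer taps "choose from contacts" during a transfer,
    // so nothing from the address book is touched unless the user asks for it.
    void onChooseFromContacts() {
        // ACTION_PICK on the Phone data URI opens the system contacts picker.
        // The picker runs with the Contacts app's own permission; our app does not
        // need READ_CONTACTS and cannot enumerate the address book this way.
        Intent pick = new Intent(Intent.ACTION_PICK,
                ContactsContract.CommonDataKinds.Phone.CONTENT_URI);
        startActivityForResult(pick, REQUEST_PICK_PAYEE);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != REQUEST_PICK_PAYEE || resultCode != RESULT_OK || data == null) {
            return;  // user cancelled or nothing chosen: no contact data is read
        }
        // The returned URI points at exactly one phone row and carries a temporary
        // read grant scoped to that row (assumption: current Android picker behaviour).
        Uri selectedRow = data.getData();
        String[] projection = { ContactsContract.CommonDataKinds.Phone.NUMBER };
        try (Cursor c = getContentResolver().query(selectedRow, projection, null, null, null)) {
            if (c != null && c.moveToFirst()) {
                payeeField.setText(c.getString(0));  // populate the recipient's number
            }
        }
    }
}
```

With this design the manifest carries no `<uses-permission android:name="android.permission.READ_CONTACTS" />` entry, so the update would not have triggered the contacts prompt that users objected to. The trade-off is that the app cannot offer its own in-app search over the address book; that convenience is exactly what a blanket READ_CONTACTS grant buys, and under the install-time permission model of the day it had to be accepted for the update to install at all.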

BofA is not alone in offering P2P payments and in giving its Android app the ability to access a user's address book. Chase's app does the same thing. PayPal's Android app can not only read personal contact information, it can also access the user's calendar. Citi lets its app read and modify contact data stored on a customer's device.

Is this whole brouhaha merely a matter of communicating more clearly with customers?

"It's absolutely a communication issue," says Julie Conroy McNelley, senior analyst at Aite Group. "We've seen similar things before, for instance, when it came out that the Apple iPhone had the capability, even when the phone was off, to track the user's location. But it wasn't effective at communicating that. Once that was discovered and found out in the press, it was the manner in which people discovered the capability that affected them, rather than the capability itself."

Incidentally, many Android apps also request permission to track the user's location. "Where people get upset and where privacy groups use these things as a platform is when it's perceived as being done stealthily and without express opt-in from the consumer," she says. "A lot of it is having an effective communication plan."

Bank of America was not stealthy; its mistake was in making a stark disclosure that turned people off. "In these cases, you're between a rock and a hard place," McNelley acknowledges. "If you don't disclose, you run the risk that it will backfire on you, the same way it did for Apple a few months ago. If you do disclose, you run the risk that a privacy group will use you as an example. There are some customers that are justifiably concerned, but that's being augmented by people who want to use this as an example of how banks are ruining privacy. But the reality is that in the world of social networking, if you're on Facebook, you've already given up a lot of those rights."

What banks like BofA could do, she says, is effectively spin capabilities such as one-click P2P payments as a benefit: "We're making it easier for you and it's opt-in or opt-out — do you choose for convenience or protect your privacy," she suggests.

Person-to-person payments do represent an elevated security risk from a bank's perspective, McNelley says, because they enable a consumer to send money outside the bank's firewalls to an endpoint the bank doesn't have the ability to verify, and the funds are sent immediately via ACH.

MORE FROM AMERICAN BANKER