For decades, banks, credit card networks and credit bureaus have been sharing and selling consumers’ financial data without their knowledge or consent while data aggregators have screen-scraped that information without the full cooperation of financial services providers.
But those days are starting to come to an end.
Some fintechs are testing apps that let customers gain greater control over how third parties use their data — and hope to one day be able to give them the power to revoke access to it entirely. Others are setting up ways to let consumers sell their own information, essentially allowing them to get a monetary incentive in exchange for sharing.
The most common change, however, is that the biggest U.S. banks are starting to share bank account data through application programming interfaces, or APIs, which are essentially straws through which data aggregators can sip certain pieces of bank account data. The APIs give the banks firm control over what data can be accessed — and give consumers the choice of which firms can see it.
For example, when a consumer starts using an app like Robinhood or Stash that needs to ingest bank account data, the data aggregator provides a moment of consent in which the consumer has to agree to let that app access their bank account data and the basic terms of that data-sharing are presented.
“Over the next six to 12 months, you’re going to see possibly as much as 70% of deposits here in the U.S. available in open banking API rails,” said Lowell Putnam, chief executive of Quovo, a data aggregator that works with banks and fintechs such as Betterment, SoFi, Stash and Wealthfront, and is the first U.S.-based financial data provider to become registered under the U.K.’s Open Banking regime. “That’s my prediction based on progress being made at the big banks. It’s also a testament to the large number of accounts at a small number of institutions in the U.S.”
A few banks already offer added visibility and control. Wells Fargo, for instance, in the fall launched Control Tower, a tool in its mobile app that lets customers see which third-party personal financial management providers are accessing their bank account data and toggle that access on or off.
“As consumers’ lives have become increasingly digital, managing finances has become more complex and cluttered,” said Ben Soccorsy, head of digital payments in Wells Fargo’s virtual channels division. “We hope to relieve a pain point and give customers more control over their finances.”
There are shortcomings of this approach. For one, many consumers tend to overshare data without considering the consequences.
“In the U.S. and abroad, the average consumer hasn’t realized the value of what their financial data can unlock when properly shared and the sharing framework hasn’t been communicated clearly enough,” Putnam said.
Are APIs enough?
Another limitation to the big banks’ APIs is that they tend to be read-only and the banks control what types of data can be shared.
“If you define the data control problem as, ‘Can I let an app like Robinhood pull data out of my bank account so that I can have an aggregate view of my accounts in that app,’ we’re getting somewhere,” said Dan Kimerling, co-founder and co-managing partner of the venture capital firm Deciens.
But this doesn’t give consumers full control, he argued. They can’t, for instance, draw data from a service like Robinhood into their mobile banking app.
“Aggregation is a kind of half-step,” he said. “App developers need aggregation; it’s necessary and important, but it doesn’t actually solve the problem.”
'A community bank, because they don’t have 100,000 software engineers, has to rely on partners. JPMorgan Chase can decide to build. A community bank has to buy.'
Treasury Prime, one of the companies Deciens invests in, creates read-and-write APIs that developers can use “to build applications with function, not just cobbled-together pseudo banking functionality,” Kimerling said.
Chris Dean, CEO of Treasury Prime, said the problem with the APIs banks use today is they often don’t work. The data provided by banks doesn’t always include the level of detail retail apps need and moving account information from one bank to another is difficult, he said.
“If I’m at Wells and I want to go to Citi, what do I do?” asked Dean, who was formerly the chief technology officer of Silicon Valley Bank’s API division. “Can I press a button and open a new account? No. Once I do open an account, can I move the money and my transaction history over? No. I can’t do any of that. Even the transaction formats will be different.”
In Dean’s view, there should be data aggregation tools that work across all banks. For instance, a consumer should be able to download their transaction history and have it look the same no matter what bank they use. And they should be able to move account data from one bank to another easily, the way phone companies now allow phone number portability.
The role of community banks
Another missing element of the API approach to open banking is that it may leave small banks out.
Credit unions, community banks and regional banks “may need several years to catch up and probably can’t do it on their own without help from third-party technology providers,” Putnam said.
For community banks to offer APIs to third parties, their core banking vendors would need to cooperate. The largest vendors in this category — Fiserv, FIS and Finastra — say they offer some support.
“We offer our community bank clients a robust set of APIs for accessing and sharing data through third-party applications via our Code Connect API gateway,” an FIS spokesperson said.
Fiserv offers a managed service for open banking; Finastra offers a platform for building apps that work with its software. Such options are controlled by the core vendor. (Fiserv and Finastra did not respond to a request for comment by deadline.)
Where community banks can’t get the support they need from their core vendors, they may end up turning to third-party software providers, much as they did when mobile banking became popular.
This isn’t necessarily a disadvantage and may help them innovate faster, some industry insiders said.
“A community bank, because they don’t have 100,000 software engineers, has to rely on partners,” said Kimerling. “JPMorgan Chase can decide to build. A community bank has to buy. I don’t see that as a problem.”
Fintech startups step in
But a few startups are offering consumers additional control over their financial data and in some cases even the ability to sell that data to third parties.
Sprout is setting up a network of merchants willing to pay their customers a small fee for their spending data. Ideally, customers will get about $30 a month.
With consumers’ consent, Sprout gathers users’ bank account data with the help of the data aggregator Plaid. It then provides merchants access to that data — anonymized unless the consumer says otherwise — so that the merchant can analyze its customers’ spending behavior.
“As a merchant you could see that your best customers are spending 20% more than the average person, and those customers spend a lot of money at Mexican restaurants,” said Sprout founder George Visan. “So you target them based on their spending habits and you offer coupons or special offers.”
The app is being tested by a couple hundred people in Calgary.
“We’re having early success,” Visan said. “Our future plans are to find retail partners in every city. One in each vertical: grocery, retail, technology, health and wellness.”
Digi.me offers an app designed to track all the third parties using a customer’s data, including banks, workout app providers and social media sites, and let the user grant or revoke consent or demand the “right to be forgotten” — in other words, make the organization delete all their data (a requirement of the European Union’s General Data Protection Regulation).
'If we really had open banking so you could move an account like you can move a phone number, then there would be real competition and the banks that did this would win.'
There are still places where consumers have no say in the use of their financial data. Credit bureaus still share data without consumers’ consent (and at times fail to properly protect that sensitive data). Credit cards and banks sell consumers’ spending data to advertisers and others behind their backs, though that data is anonymized. Data brokers collect personal information on people through public and private sources and sell it to a variety of buyers.
But, over time, the concepts of consent, transparency and control are expected to reach all corners of the financial world. Banks that don’t pay attention to this could face reputational harm as American consumers become more aware of data privacy issues.
“The main thing banks do is manage risk,” Dean said. “If you’re giving my data away, I won’t be able to trust you. It’s a short-term win to make some money, but long term it’s a bad financial move.”
This is one reason banks have lost trust among consumers, he said.
Giving customers more control over their data could give banks a competitive advantage when open banking comes to fruition in the United States.
“If we really had open banking so you could move an account like you can move a phone number, then there would be real competition and the banks that did this would win,” Dean said.