JPMorgan's clampdown on data puts Silicon Valley apps on alert

The app was quickly becoming a cult favorite among penny-pinching U.S. consumers — and also a bane for their banks.

In just over a year, Paul Kesserwani's startup Cushion has helped users win refunds on almost $1 million in fees by logging into their accounts and disputing charges with an artificial-intelligence chatbot, named Fee Fighter. The app features a cartoon robot wearing a black belt, assuring users "You relax, while I work." It also lobbies to lower interest rate charges on credit cards.

So Kesserwani was wary when one of the largest U.S. lenders called late last year, seeking a list of his IP addresses. The bank said it wanted to ensure Cushion's computers wouldn't be flagged as suspicious. Weeks after he handed over some of the information, it called again, warning it might block Cushion's servers from accessing customer data. But Kesserwani wasn't willing to quit.

"A bank with millions of customers can't police the internet," he said. "Companies with sophisticated tech like ours will have no problem bypassing any blocking attempts." He spoke on the condition the bank not be named, because of concern it may exacerbate the situation.

Exterior of JMorgan Chase headquarters
People sit inside the headquarters of JPMorgan Chase & Co. in New York, U.S., on Tuesday, January 12, 2016. JP Morgan Chase & Co. is scheduled to release earnings data on January 14. Photographer: Michael Nagle/Bloomberg
Michael Nagle/Bloomberg

Long-simmering tensions between the financial industry and Silicon Valley startups are erupting behind-the-scenes into a battle over the reams of valuable data held inside Americans' bank accounts. In recent months, major banks including JPMorgan Chase and Capital One have led the industry into a fresh campaign to control how outsiders tap into sensitive customer information. The lenders say their highest priority is protecting consumers.

Yet, executives at a number of Silicon Valley ventures say they've been threatened by banks with being blacklisted if they don't agree to strict new terms. They claim consumers are being constrained in using their own data to better manage their money.

"Giving consumers the ability to safely permission their data so they can use these services isn't just a nice to have, it's an imperative," said Sima Gandhi, head of business development and strategy at Plaid Technologies Inc., which gathers data from banks on behalf of apps.

The fight has implications for thousands of so-called fintech startups aiming to disrupt parts of the traditional financial world. The competition is fierce. There are almost 2,300 fintech apps in the U.S., offering help with budgeting, investing and payments, according to market research firm Venture Scanner. Many rely on access to users' bank records. Getting locked out can kill their business.

Financial firms have long warned that not all apps are trustworthy: They may collect more data than they need, store it insecurely or sell it to third parties. Even worse, banks fret about what would happen if an app were hacked, exposing account numbers and passwords and opening the way for looting. Banks argue apps would be liable, but they may not have the cash to make victims whole.

The solution proposed by a growing number of banks is a special gateway — known as an API — that restricts how much and how often apps can tap information, while also setting contractual limits on what they can do with it later.

"We advise all of our customers not to share their credentials," said Imran Haider, head of Wells Fargo & Co.'s API channel known as Gateway. "If you're sharing your credentials with another provider, it then becomes that provider's responsibility to secure and maintain those credentials. It's not a viable model, and why we prefer using APIs for data-sharing transactions."

Kesserwani said the bank that threatened to block Cushion urged him to instead rely on a middleman the lender had vetted and approved to use its API. But he was concerned that would prevent Cushion from fighting fees on behalf of its tens of thousands of users. He's now in talks with a number of banks, seeking to strike some kind of partnership.

APIs aren't new. For years, they've allowed a universe of accountants, tax preparers and loyalty programs to plug into account data and provide services to customers. Some apps are signing up, but others are objecting. They complain about APIs that offer too little, too slowly. And they argue that customers — not banks — are the rightful owners of financial data and can decide how to share.

Some apps that balk instead try to mask their IP addresses, engaging in a digital game of cat and mouse with banks.

To access account records directly, apps typically start by asking customers for their bank username and password. They then log on and gather information through a process known as screen scraping. Banks say that strains their systems, often amounting to more than half the traffic on their websites.
Reaching Truce

With nearly 11,000 banks and credit unions in the U.S., many startups can't afford to build and maintain web-scraping tools to access all of them, so they rely on middlemen. Those data aggregators can represent thousands of fintechs, giving them some clout when negotiating with banks.

One of the biggest, Plaid, has repeatedly butted heads with lenders. Last year, consumers assailed Capital One on social media after a technology upgrade to improve security limited Plaid's ability to tap into account information. That left customers temporarily unable to use popular apps from Acorns Advisers LLC, PayPal Holdings Inc.'s Venmo and Robinhood Financial LLC.

By October, it appeared a truce was at hand between some banks and apps. That month, JPMorgan said it had inked a data-sharing agreement with Plaid. Yet tucked inside the announcement was a warning to others: JPMorgan would begin blocking high-volume traffic from servers it doesn't recognize and can't validate, a process known as blacklisting.

It was the first public acknowledgment by any major U.S. lender that banks were no longer asking startups to be open about the way they extract data. They were telling them.

"Like any large company, it's important that we vet and recognize automated traffic coming into our website," said Paul LaRusso, executive director of digital platforms at JPMorgan. "Secure APIs will let our customers control what information they share while still enjoying the apps that help them make good financial decisions."

Consumer advocates laud apps that help people save money, manage budgets and avoid unfair fees. But those focused on privacy still tend to side with the banks, worried that apps might abuse or lose people's most valuable data.

"The end of screen scraping is really important," said Lauren Saunders, associate director of the National Consumer Law Center, which advocates for privacy and other consumer protections. "Any entity that is using screen scraping should be talking to the big financial institutions and coming up with a more secure way, because it's increasingly untenable to not have an API."

Bloomberg News
Data sharing Apps JPMorgan Chase
MORE FROM AMERICAN BANKER