How JPMorgan is pushing back against fraud in fintech

The market for consumer fintech apps may be a little saturated, but if customers want to use them, JPMorgan is going to let them — if it’s safe.

On Tuesday, the U.S. banking giant announced an API-sharing agreement with the Utah-based data aggregator Finicity, in which the bank would push customer data to Finicity through an application programming interface that would be shared with its various clients: digital lending and personal financial management apps of interest to Chase customers.

“Our customers really want to use these financial apps and they do use them a lot,” said Trish Wexler, a spokeswoman for JPMorgan Chase. “We want them to find a safe, secure and private way for them to be able to do that without having to hand over their bank password. We think using a tokenized method — instead of having an aggregator come in and screen scrape a customer’s full accounts — is a safer and more private way to do that.”

Screen scraping is the most common way for companies to access customer data. When customers log into third-party sites or apps with their bank credentials, their sensitive information gets “scraped” by the company and stored for re-use. That way, the company can log into the bank account as the customer in order to retrieve account data as necessary.

That makes any possible breach of the fintech app a breach of the bank account. Fraud is often a bigger problem for the bank than the customer; customers can usually rest assured the bank will investigate the transactions and return the funds to their accounts. But in a world where customers are sharing data carelessly and frequently in almost everything they do, they’re vulnerable to more extreme consequences of identity fraud.

It’s hard to make them care about that.

“It’s clear that when there’s a screen on a new app doing a refresh that says ‘click here to accept new terms of the agreement’ both of us would raise our hand and say yeah, I didn’t read that,” Wexler said. “It’s like leaving your keys on front door and walking away.”

This is JPMorgan’s second such agreement. At the beginning of the year, it formed a similar one with Intuit, in which it would share data on its customers that sign up for Intuit products and services — QuickBooks, TurboTax and Mint.

“For years, we have been describing the risks – to banks and customers – that arise when customers freely give away their bank passcodes to third-party services, allowing virtually unlimited access to their data,” JPMorgan CEO Jamie Dimon said in his annual letter to shareholders earlier this year. “Customers often do not know the liability this may create for them, if their passcode is misused, and, in many cases, they do not realize how their data are being used. For example, access to the data may continue for years after customers have stopped using the third-party services.”

JPMorgan spent 16 percent of its total expenses on technology in 2016, it said in its annual report. It allotted $3 billion of a total $9.5 billion in spending to “new initiatives,” $600 million of which it used for fintech partnerships and improving digital and mobile services.

It’s Finicity’s second deal with a bank too; in April it signed a deal with Wells Fargo, which wants to establish itself as the leader of the anti-screen-scraping movement. Wells formed a deal with Intuit in February and with Xero a year ago. Banks and other industry players are having many conversations about whether there should be more standardization where data sharing and exchanging is concerned and what those standards might be, Wexler said, adding that Chase has been in talks with “all major aggregators” and will continue having those conversations.

Finicity is slightly different from the other data aggregators in that it allows its partners, Wells Fargo and Chase, to move data to the third-party fintech apps that work with it (like Mvelopes, Lendio, Drop and PocketGuard), whereas Intuit and Xero use banks’ customer information for their own financial applications. JPMorgan was swooping up fintech partners — Zelle, Roostify, OnDeck Capital, TrueCar, Symphony — long before the industry as a whole began embracing collaboration and declaring 2017 the year of bank-fintech partnerships.

“Under this arrangement, customers can choose whatever they would like to share and opt to turn these selections on or off as they see fit,” Dimon said of the Intuit agreement in the annual letter. “We are hoping this sets a new standard for data-sharing relationships.”

Wells Fargo: Banks need to create data exchange standards

Wells Fargo is trying to establish itself as the leader of a movement to give banks’ customers control over their data and how it’s used.

The first step, according to Brett Pitts, head of digital for Wells Fargo Virtual Channels, is to come up with cross-industry standards for moving data to different parties.

“This will be successful if more banks, more aggregators, more fintech firms wind up signing into these kinds of agreements, and figure out an open standard way of passing data and keeping customers at the center of discussions,” Pitts said of its data-exchange agreement with data aggregator Finicity, announced earlier this week. “Ultimately, this isn’t going to work if it’s just Wells Fargo, Intuit and Finicity doing it.”

The agreement allows Wells Fargo to share its customer data with Finicity using application programming interfaces. The bank made similar agreements with Intuit, which owns QuickBooks, TurboTax and Mint, in February and with Xero last summer. This week’s agreement is different in that it allows Wells to move data to third-party fintech apps that work with Finicity, whereas the agreements with Intuit and Xero allow them to use customer data on their own financial applications.

Right now the most common way of accessing customer data is through a method called screen scraping: customers log into the third-party site or app with their bank credentials, and that company “scrapes” the information to be able to log in as the customer to retrieve account data as necessary.

“Screen scraping is the anti-pattern we want to stop,” said Pam Dingle, principal technical architect at Ping Identity, a maker of identity management software. “By sharing their passwords, customers are allowing the third parties to be them – transfer money, take out loans, literally do everything the customer can do. These passwords are stored in a format which allows them to be used, so a breach at the third party is a breach of the bank account.”

Intuit also established a data sharing agreement with JPMorgan Chase in January; in February Silicon Valley Bank and Xero made a similar move. Wells’ arrangement with Finicity is the third such agreement, but Pitts indicated the bank doesn’t plan to stop there.

“We have lots of these kinds of conversations in the pipeline right now,” Pitts said. “Early on it’s important for Wells that we show leadership, that this is possible, that we build momentum through these kinds of agreements and they’re used as a catalyst for creating industry standard ways of doing things. We’re hoping this can constitute a sort of tipping point.”

When Wells Fargo announced its agreement with Xero it framed it as one that takes a stand against the more common practice of screen scraping. Its progress in establishing more agreements with more data companies has “felt a little bit slower than what we would have liked” because of the variety of business models among various aggregators, Pitts said.

Now Wells is hoping that, over time, its campaign to end screen scraping becomes better understood and more easily replicable by others, by making sure its different arrangements can have as many common elements as possible on the technology side, Pitts said.

“The strategy is to really provide quality access and quality data for consumers’ financial records,” said Finicity CEO Steve Smith, “to digitize and speed up the existing process that’s been out there for a long time and enable speed, security and convenience of financial records.”

Experian’s Laura DeSoto: ‘This is an area ripe for disruption’

Offline lending still consists of a lot of paperwork and duplication of basic form filling. One of the keys to shortening the cycle times here is to be able to verify that what a potential borrower says he owns, he actually owns. Credit bureau Experian, along with financial technology firm Finicity, just launched a service that can significantly improve how quickly borrowers can get a loan.

This week’s guest is Laura DeSoto, SVP of transactional products at Experian Consumer Information Services, who discussed how the credit scoring business has evolved and how AI is making previously invisible “unscoreables” feel more included.

Edited highlights below.

 


How has your business changed over your tenure at Experian?
Technology has really been a game changer in the information services business and certainly, here, at Experian. I remember 20 years ago that we were using mainframes and our time to market was often six to 12 months. We were hampered compared to today, where we have big data architectures, artificial intelligence and cloud technologies. We’re able to speed up innovation and most importantly, improve the accuracy and experience users have when interacting with Experian.

Digitizing the credit bureau speeds lending up
We know that consumers expect that purchasing decisions can happen with the speed of a click of the mouse. We’re able to harness technology and innovation now to create an end-to-end digital experience for consumers in the lending product. Our announcement this week was that we’re the first credit bureau to introduce technology that allows consumers to direct much of the lending transaction from their laptop or mobile device. The crux of the technology is that it allows for real time asset and income verification from 80 percent of all financial accounts. This will allow lenders to speed up and digitize the lending process, impacting millions of borrowers.

The role asset and income verification play in the loan process has changed
My boss recently moved from Northern California to Southern California and was looking to get a mortgage. He went into a household name bank. He had three loan officers sitting across from him. They asked him a series of questions over 45 minutes, taking notes to understand where he held his financial assets. When they finished, they asked him to then prove that everything he said was true. Another 45 minutes. So, he pulls out pay slips and documents and then was asked to fax or send to them via pdf. The loan officer then needed to scan or re-key that information into his system — another 45 minutes. At that point, the institution was ready to start the loan process. This is technology that’s not from this century. This is an area ripe for disruption.

Experian partnered with Finicity on this product
Finicity has been a fintech leader in account aggregation for the past 15 years. So this is a core technology and competency gained over many years. Finicity has integrations into over 16,000 financial institutions. That core technology, capability, and proven expertise in being able to safely and securely integrate into financial institutions was paramount and why our partnership with Finicity is so critical to this program.

Is your new product the beginning or end of the digitization process?
We’re beginning to use technology to digitize the credit bureau — technologies like AI to remove inaccuracies in data. We’re plugging into the API economy and to speed up decisioning and product identification. We’re also using new technologies to enhance access to more affordable credit. We recently integrated the Cloudera enterprise platform with our analytical sandbox environment to help facilitate common issues to make it quicker for clients to access our information. Our new verification of income and asset reports are really the latest products to enable more fast, accurate decisioning. It’s part of a larger strategy to modernize the credit bureau.