How JPMorgan is pushing back against fraud in fintech

The market for consumer fintech apps may be a little saturated, but if customers want to use them, JPMorgan is going to let them — if it’s safe.

On Tuesday, the U.S. banking giant announced an API-sharing agreement with the Utah-based data aggregator Finicity, in which the bank would push customer data to Finicity through an application programming interface that would be shared with its various clients, digital lending and personal financial management apps of interest to Chase customers.

“Our customers really want to use these financial apps and they do use them a lot,” said Trish Wexler, a spokeswoman for JPMorgan Chase. “We want them to find a safe, secure and private way for them to be able to do that without having to hand over their bank password. We think using a tokenized method — instead of having an aggregator come in and screen scrape a customer’s full accounts — is a safer and more private way to do that.”

Screen scraping is the most common way for companies to access customer data. When customers log into third-party sites or apps with their bank credentials, their sensitive information gets “scraped” by the company and stored for re-use. That way, the company can log into the bank account as the customer in order to retrieve account data as necessary.

That makes any possible breach of the fintech app a breach of the bank account. Fraud is often a bigger problem for the bank than the customer; customers can usually rest assured the bank will investigate the transactions and return the funds to their accounts. But in a world where customers are sharing data carelessly and frequently in almost everything they do, they’re vulnerable to more extreme consequences of identity fraud.

It’s hard to make them care about that.

“It’s clear that when there’s a screen on a new app doing a refresh that says ‘click here to accept new terms of the agreement’ both of us would raise our hand and say yeah, I didn’t read that,” Wexler said. “It’s like leaving your keys on front door and walking away.”

This is JPMorgan’s second such agreement. At the beginning of the year, it formed a similar one with Intuit, in which it would share data on its customers that sign up for Intuit products and services — QuickBooks, TurboTax and Mint.

“For years, we have been describing the risks – to banks and customers – that arise when customers freely give away their bank passcodes to third-party services, allowing virtually unlimited access to their data,” JPMorgan CEO Jamie Dimon said in his annual letter to shareholders earlier this year. “Customers often do not know the liability this may create for them, if their passcode is misused, and, in many cases, they do not realize how their data are being used. For example, access to the data may continue for years after customers have stopped using the third-party services.”

JPMorgan spent 16 percent of its total expenses on technology in 2016, it said in its annual report. It allotted $3 billion of a total $9.5 billion in spending to “new initiatives,” $600 million of which it used for fintech partnerships and improving digital and mobile services.

It’s Finicity’s second deal with a bank too; in April it signed a deal with Wells Fargo, which wants to establish itself as the leader of the anti-screen-scraping movement. Wells formed a deal with Intuit in February and with Xero a year ago. Banks and other industry players are having many conversations about whether there should be more standardization where data sharing and exchanging is concerned and what those standards might be, Wexler said, adding that Chase has been in talks with “all major aggregators” and will continue having those conversations.

Finicity is slightly different from the other data aggregators in that allows its partners, Wells Fargo and Chase, to move data to the third-party fintech apps that work with it (like Mvelopes, Lendio, Drop and PocketGuard); whereas Intuit and Xero use banks’ customer information for their own financial applications. JPMorgan was swooping up fintech partners — Zelle, Roostify, OnDeck Capital, TrueCar, Symphony — long before the industry as a whole began embracing collaboration and declaring 2017 the year of bank-fintech partnerships.

“Under this arrangement, customers can choose whatever they would like to share and opting to turn these selections on or off  as they see fit,” Dimon said of the Intuit agreement in the annual letter. “We are hoping this sets a new standard for data-sharing relationships.”

The biggest challenge to secure data access is time: Xero president

Xero is making it easier for small businesses to manage their finances, one bank partner at a time.

The accounting technology firm on Thursday entered its fourth bank partnership with Capital One, which built an application programming interface that lets Xero retrieve customer data from the bank without compromising, through scraping, customers’ sensitive bank login credentials — the more common way of accessing customer data. Xero has made similar deals with Wells Fargo, Silicon Valley Bank and City National Bank.

“For a business owner to have their own customized financial web and sit at the center of it, we have to have the relationships all across the ecosystem,” said Keri Gohman, president of Xero Americas. “All the banks, accounting partners, ecosystem partners so the business owner can see its full tech stack and how to make it work together.”

Gohman joined Xero less than a year ago from Capital One. Tearsheet caught up with her to discuss the problems data poses for small businesses and the challenges for banks and third parties trying to serve them.

This is Xero’s fourth bank partnership. Is there a theme here?
These bank integrations are happening more and more and it’s a recognition that customers want control of their financials. This is just another continued reinforcement of that trend and the reality that banks really want to get ahead of customer demand.

How has demand from small businesses changed in the last five years?
As consumers, we’re able to log onto Google Maps and have it pull ratings and reviews from Yelp, Uber so I can schedule a car, Waze so I can see traffic. I don’t really know I’m in all those things but I expect them all to work together. In much the same way, business owners are starting to expect that. They’re using the cloud, realizing the benefits of collaboration, they want things to work that same way.

Can you explain the data access issue for small businesses?
Getting access to lending is about your financial history and performance over time. It’s the lifeblood of what a business lives on, and relies on how they get underlying data and how that data all works together. Third party integration is always tough because the data isn’t always reliable, and the feed can get interrupted. Having this data feed directly with the bank creates a tighter integration.

So what’s the problem Xero is trying to solve with Capital One?
Sharing customer data with third parties safely, securely and in a way that puts the customer in control. There’s been a proliferation of great fintech solutions for small businesses, but they don’t all work together. And financial companies are recognizing they want the world to work together. Everything financially should work together so if I’m a business owner I’m asking what’s my bank, what are all the business applications I need? I need all my data to flow through to my P&L. I need to be able to manage all of my business in one place.

What’s the biggest challenge?
Banks have higher fiduciary standards. I don’t tell Google to start feeding Yelp, Waze or Uber, but consumers don’t expect their financial data to just be shared everywhere. If it’s sitting in another system and your bank allowed it to go there, who do you blame? Not the other company. All the banks are wrestling with the right way to do this but also give customers flexibility. We have to go one by one by one to all the financial institutions to set up these partnerships, and they also need to go one by one by one. The challenge is really time.

Where do we go from here?
Everything will become interconnected over time. What this unlocks over time is the economy. It has the ability to transform the data we have access to, the ability to make the systems work together really have the potential to unlock productivity in ways we can’t consider today.