In January 2018, Open Banking went into effect in the UK. Under the regulation, regulated banks are required to let customers share their financial data with third-party providers through APIs.
Open Banking ensures by regulation that authorized fintechs have access to functionality that makes it easier for consumers to sign up for and use their services. For instance, instead of requiring new customers to collect and manually supply their financial information to create a new account, a fintech can give them the ability to log into their bank accounts and automatically and instantaneously share the relevant data.
This functionality is common across the pond in the US as well, but no Open Banking regulation exists there. Instead, fintechs typically rely on a handful of aggregation companies that specialize in connecting to financial institutions. In some cases, aggregators have established direct relationships with banks and other financial institutions that give them API access. In other cases, they use complex scraping technology.
Many American fintechs owe some of their success to the functionality facilitated by these aggregators. For example, fintech pioneer Mint.com, an early personal finance website that Intuit acquired for $170m in 2009, grew rapidly because it gave users the ability to quickly and easily import data from their financial accounts by providing credentials for those accounts.
This functionality, of course, creates obvious security concerns, and without an Open Banking regime providing standards and rules, it is a source of tension between banks and fintechs in the US.
Case in point: PNC, one of the ten largest banks in the country, is currently having a very public spat with Venmo, a popular mobile personal payments service. Following a security upgrade, PNC customers have found that they are cut off from Venmo, and restoring the connection between their bank account and the PayPal-owned service is proving frustrating for many of them.
Caught in the middle of the dispute is a company called Plaid, a large aggregator that many fintechs like Venmo use to connect to bank accounts. PNC says that it blocked Plaid and other aggregators from accessing its systems because they are trying to circumvent its security protocols.
“When aggregators access account numbers, many store them indefinitely, often unbeknownst to customers,” Karen Larrimer, PNC’s retail banking head and chief customer officer, told the Wall Street Journal. “This puts customers and their money at risk.”
Plaid says that it addressed PNC’s security concerns, but on Twitter, Venmo has hinted that this matter isn’t simply about security. After PNC posted tweets suggesting that its customers consider using Zelle, a Venmo competitor run by a consortium of banks, Venmo encouraged its users to tweet, “Hey @PNCBank…Let me use the financial service apps I need!”
The risk for banks
In the US, disputes like this appear to stem in part from a continued belief on the part of banks that customer data belongs to them, not to customers. In the UK, EU and other countries, regulation like Open Banking makes it clear that customers have a lot more say, if not outright ownership.
It’s likely that the US will eventually implement its own Open Banking rules, but banks are wise to embrace a more open philosophy now instead of waiting until they’re forced by law.
This doesn’t mean that legitimate security concerns should be ignored. The risk for banks like PNC, however, is that if they take drastic actions that inconvenience customers who want to use the services of fintechs like Venmo, customers will blame them, and it could even lead to customer attrition.