JPMorgan Chase to ban fintechs from accessing customer passwords

Dive Brief:

JPMorgan Chase will ban third-party apps from accessing customer passwords, Bill Wallace, the bank's head of digital, said Thursday.
The U.S.'s largest bank plans to issue tokens for access to a limited amount of data in a secure form, and is also working toward getting customers' passwords "out of the system," Wallace said.
Aggregator Yodlee is the first company to agree to use tokens for all of its interactions with the bank, and data aggregator Plaid has signed up to start using tokens, according to the Financial Times.

Dive Insight:

As bank-fintech partnerships become widespread in the industry, the privacy risks associated with third-party platforms are causing banks to reevaluate their security.

JPMorgan Chase CEO Jamie Dimon first warned about the risks of data sharing in a shareholder letter in 2016.

"Many third parties sell or trade information in a way customers may not understand, and the third parties, quite often, are doing it for their own economic benefit — not for the customer's," he wrote. "Often, this is being done on a daily basis for years after the customer signed up for the services, which they may no longer be using."

JPMorgan Chase has not set a target date for eradicating password-based access, Wallace said, adding he did not think the decision would prevent customer engagement through some apps. He also said the decision was not aimed at deterring customers from moving to new platforms.

"I think it's the opposite of that. It's enabling people … to get their data where they need it," he told the Financial Times.

PNC Financial Services Group said last month that it started blocking aggregators from gaining access to customers' account numbers and routing numbers after it identified "multiple different aggregators" attempting to circumvent the bank's security protocol.

A security upgrade at the bank prevented some customers from connecting their bank accounts to the peer-to-peer (P2P) payment platform Venmo.

The upgrade prevented Plaid from accessing information it uses to facilitate transactions between fintechs and financial institutions.

When customers took to Twitter to complain, PNC directed customers to Zelle, a payment platform owned by a consortium of the country's largest banks, including PNC.

"When aggregators access account numbers, many store them indefinitely, often unbeknownst to customers," Karen Larrimer, head of retail banking and chief customer officer at PNC, told The Wall Street Journal. "This puts customers and their money at risk. We want to make sure we know who is setting up the account."

PNC said it asked Plaid and other aggregators to make changes to their own systems to meet the bank's security requirements. Plaid said it had already worked with the bank to provide requested system updates.