Consumers Get More Control Over the Banking Data Shared With Financial Apps
Some banks are adopting new technology to discourage 'screen scraping' and protect customers' information
Budgeting apps and online services can help consumers manage their finances, but they may also vacuum up lots of personal data from bank accounts, which could compromise privacy and lead to security risks. Banks have begun giving their customers tools to safely connect to these apps and control what data is shared.
Bank of America, Chase, Citi, and Wells Fargo have created dashboards to let customers decide what information to share, and experts say more consumers should use them. For example, you may want to provide your checking and credit card balances to a budgeting app but not the details of your mortgage.
Consumers can also use these dashboards to rescind an app’s access to their account. (The controls aren’t always easy to find; we tell you how to locate them, below.)
To use many budgeting apps, you need to provide the usernames and passwords for your bank accounts. Depending on the technology used, that can allow the app to pull any data it wants from your account in a process called “screen scraping.”
“You don’t know what information they’re accessing, who they’re sharing it with, or how long they’re going to keep accessing your account,” says Lauren Saunders, associate director of the National Consumer Law Center, an advocacy group. “A lot of people sign up for financial apps, they try them once or twice, and they forget about them. They don’t realize that these companies are out there for years gathering their data.”
Fixes Are Coming
It’s not a good idea to grant any outside company full access to your financial information if you can help it. The solution, security and financial experts say, is for financial technology, or fintech, apps and banks to modernize the way they share information.
An effort to do that is being led by the Financial Data Exchange (FDX), a nonprofit organization founded in 2018 whose members encompass banks, credit unions, financial app developers, and consumer advocacy groups including Consumer Reports.
FDX is pushing for the broad adoption of standard APIs (application programming interfaces) for personal finance services. APIs, whether they’re for Google Maps or social media platforms, have long been the standard way for a company to give app or website developers limited, tightly controlled access to a database.
“It’s ridiculous that all apps haven’t been required to use a reliable, modern API framework—or even a handful of them—for such a sensitive level of access,” says Robert Richter, who leads privacy and security testing at Consumer Reports.
With the new systems, you still need to provide your log-in credentials the first time you use a budgeting app, but the app company does not store the credentials. Instead, the information is patched through to the bank itself. One benefit of the new system is that it allows banks to see which apps you are using and give you control of the data flowing to them.
Chase’s dashboard is one feature in a broader customer control center called AccountSafe. “It gives customers the ability not just to revoke apps’ access but also to limit which account they want to share,” says Paul LaRusso, Chase’s managing director of digital platforms. “This platform enables you to share your information without having to share your username and password, and gives you control if, for example, you want to share your checking account information or your credit card information, but not your investment account or home loan data.”
LaRusso says Chase currently has an agreement to securely share customer data with Finicity; Plaid; and Intuit, the owner of Mint, the accounting software QuickBooks, and tax preparation software TurboTax.
Plaid offers services to facilitate banks’ communications with other app developers, including Venmo, the real-time payment app, and Acorns, an investment app that rounds up your purchases to the nearest dollar and applies the leftover change to savings, investments, or account repayments.
Chase is working on finalizing agreements with more apps, LaRusso says.
Consumer advocates applaud the shift we’ve been describing but say they’d like people to have even more control over their data.
“It’s a step in the right direction,” says Christina Tetreault, Consumer Reports’ financial policy counsel. “It solves the risks inherent in sharing log-in credentials. However, from what I have seen, banks and fintechs can do more to protect consumer privacy.”
In particular, she says banks and financial app developers should be more transparent about all the kinds of data they collect, beyond simple transactions and balances, and how it can be used.
Additionally, not all apps have agreements with the banks or intermediaries like Plaid, so an app you use may still have broad access to your account data and fail to appear on the banking dashboard.
There’s no easy way to determine ahead of time whether your bank and a particular financial app have an agreement to use an API for transferring data. You need to sign up, then check your bank’s dashboard if it has one.
Financial app companies contacted by Consumer Reports say they are happy to move beyond screen scraping. When a bank makes software changes, the app’s connection gets severed, causing frustration to app users, says George Anderson, CEO and founder of Ninth Wave, a firm that works with leading banks and technology companies in the development of emerging information systems.
“This is a journey,” says Ben Soccorsy, senior vice president of digital payments at Wells Fargo. “It’s going to take time and energy to move us in the direction that we all agree is a better API-based approach.”
Wells Fargo launched its dashboard, called Control Tower, last year. Currently it has agreements with 15 major fintech companies, including Intuit. Last month the bank signed a major deal with Plaid.
“As we get more players like Plaid brought into the platform, the robustness of the controls, and the Control Tower just increases,” Soccorsy says. “Together we will give more controls to our shared customers.”
How to Find the Dashboards
Consumer advocates and financial experts recommend that anyone who uses a financial app, or has signed up for one in the past, check their banks to see what data these companies have access to. Be conservative with what access you are providing—less is more when it comes to sharing details about your financial life. And remember, if an app doesn’t appear on the dashboard, it could still be connecting to your account, just not through an API.
Bank of America
From the home page, click on the “Help and Support” drop-down > “Security Center” > “Third-Party Site Access” tab. To revoke an app’s access, click on “Revoke.”
Chase
On the Chase.com home page, click on the hamburger menu (the three horizontal lines in the upper-left corner) to show the Main Menu. Then, click on “Profile and Settings” > “AccountSafe” > “Linked apps and websites.” A list of apps will be displayed. On an app you want to adjust, click on the caret (🔽) to open the full menu. Here you can manage your sharing settings or click on the “stop sharing account info” link.
Citi
Log into Citibank Online, then go to “Profile” > “More Settings” > “Apps with Account Access.” From here you can choose to remove or modify access for any linked account.
Wells Fargo
From the Wells Fargo home page, hover over “Banking and Credit Cards” to reveal the drop-down menu, then click on “Control Tower” > “Monitor Data Sharing.” Select the accounts from which you want to control data sharing.
Correction: An earlier version of this article described Plaid as an app. The company does not have a mobile product for consumers. It describes itself as "a platform that enables developers to connect to user-permissioned data in financial accounts." In addition, we have added information on how Citi customers can access their dashboard.