- Lenders wary of security risks posed by websites like Mint
- Financial-app makers question hidden ‘competitive interest’
The biggest U.S. banks, alarmed by the growing use of data-hungry apps that help consumers track their finances, are offering a technological compromise.
Instead of allowing third-party aggregators such as Mint to directly access customer records, the banks would dole out information in protected data packets, using a process known as tokenization, people with knowledge of the matter said.
A token, which replaces sensitive data with a digital ID that’s only good for one transaction, would give banks control over the most sensitive data their customers share, while also allowing the sites to continue to provide the services consumers want, said the people, who asked not to be identified because the plans aren’t yet public.
Some big technology firms have their doubts.
Security concerns are important, but “cannot be an argument that masks competitive interest,” said Brian Peters, executive director of Financial Innovation Now, a lobbying group whose members include Apple Inc., Google and Intuit Inc. “Consumers already pay for their accounts and they should not be blocked from managing their financial affairs however they see fit,” he said Wednesday in an e-mail.
Mint works with financial institutions in “delivering secure and seamless connectivity,” Holly Perez, a spokeswoman for Intuit, which owns the personal-finance website, said in an e-mailed statement. She declined to comment on banks’ plans to use tokens.
“Consumers want and expect the ability to easily and accurately view all of their financial information in one place so they can make more informed financial decisions,” Perez said. “Mint is uniquely positioned to do just that.”
Customers at banks including JPMorgan Chase & Co. and Wells Fargo & Co. have complained in recent weeks about being blocked from accessing their account information through Mint. Spokesmen for both banks said the disruption was unintentional, blaming technical issues rather than security concerns.
“We often add additional layers of authentication to protect our customers’ information,” said Wells Fargo’s Jason Menke. “These efforts may inadvertently impact the ability of financial aggregators to gather customer information.”
The Financial Services Information Sharing & Analysis Center, an industry group that works to thwart cyber attacks, is developing guidelines for using tokens to protect customer data shared with third parties, according to President Bill Nelson. Banking trade associations are reviewing the proposals, he said.
Another key issue for the banks is cyber-security, the people said. Lenders are worried they could be held liable if the data consumers share with these websites, such as account numbers and passwords, are stolen. The sites also could provide a portal for criminals to gain access to other bank data, the people said.
The battle between banks and personal-finance websites was a topic of discussion at a New York conference this week sponsored by the Clearing House Association, a Wall Street lobbying group.
“These sites, they have the capabilities that customers want,” Bank of America Corp. Chief Executive Officer Brian Moynihan said at the conference Tuesday. “On the other hand, you want to make sure the customers understand the trade when they’ve done it. It’s really a safety and soundness issue more than anything else.”
A number of digital payments systems use digital tokens, including those that link to credit-card accounts, such as Apple Pay and Samsung Pay. The Clearing House is developing its own token system for non-card transactions.
A general concern about potential security risks, rather than a specific incident of hacking or fraud, led to the banks’ decision to use tokens, one of the people said. Banks also want technology companies to abide by the same rules they do and are exploring a possible campaign aimed at educating customers and regulators about the issue, another person has said.
“This is an area of significant focus for regulators -- state and federal -- right now, in terms of looking at the regulation of third-party service providers,” Margaret Liu, deputy general counsel of the Conference of State Bank Supervisors, said in another panel discussion Tuesday.