JPMorgan has become the first major bank to crack down on FinTech apps that use customer passwords to access bank accounts, forcing tougher security standards through tokens after its chief executive, Jamie Dimon, warned about the dangers of data-sharing.
Bill Wallace, Chase’s head of digital, told the Financial Times the bank was working towards getting customers’ passwords “out of the system” and instead issuing tokens that send third parties a narrow range of data in a secure form.
Aggregator Yodlee recently became the first company to agree to use tokens for 100% of its interactions with Chase, while Goldman Sachs-backed aggregator Plaid has signed up to start using tokens to access data on behalf of the many budgeting, personal finance and other apps that use Plaid to connect to customers.
Mr Dimon, who runs America’s biggest bank, warned about the risks of the current system in a shareholder letter in 2016. “Many third parties sell or trade information in a way customers may not understand, and the third parties, quite often, are doing it for their own economic benefit — not for the customer’s,” he wrote. “Often this is being done on a daily basis for years after the customer signed up for the services, which they may no longer be using.”
By using a token instead of the customer's unique password, the typical user experience would resemble "Connect with Facebook" on Spotify or other services. The third party (Plaid) would send you to your bank's sign-in page; Plaid would then receive the token transparently and use it to access the data until the token expires. Under the token system, only the customer and the bank control access to the account, and that access can be limited to a fixed time period, to a specific account or a finer level of granularity, and to the power to read data or to charge the account.
This means the token removes the problem that whoever knows your password has full power to do anything with your account, which could become a serious vulnerability in the future.
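The scoped, expiring token described in the two paragraphs above, shown as an added example (not code from the article, from Chase, Yodlee or Plaid): the bank issues a signed token bound to one account, a set of permitted actions and an expiry, and every third-party request is checked against those limits, so a leaked token cannot do what a leaked password could. The token format, field names and the demo key are assumptions for illustration.

```python
import hmac, hashlib, json, base64, time

# Constructed demo: bank-side issuance and checking of a scoped, expiring
# access token handed to a third party instead of the customer's password.
# Format, claim names and key are assumptions, not any bank's real API.

BANK_SECRET = b"constructed-demo-key"  # a managed secret in a real deployment

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(customer_id, account_id, scopes, ttl_seconds, now=None):
    """Bank issues a token limited to one account, given scopes and a lifetime."""
    now = time.time() if now is None else now
    claims = {"sub": customer_id, "acct": account_id,
              "scope": sorted(scopes), "exp": now + ttl_seconds}
    body = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(BANK_SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def authorize(token, account_id, action, now=None):
    """Bank checks a third party's request; returns (allowed, reason)."""
    now = time.time() if now is None else now
    try:
        body_s, tag_s = token.split(".")
        body, tag = _unb64(body_s), _unb64(tag_s)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(BANK_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # tampered or forged
        return False, "bad signature"
    claims = json.loads(body)
    if now >= claims["exp"]:                          # fixed time period
        return False, "expired"
    if claims["acct"] != account_id:                  # specific account only
        return False, "wrong account"
    if action not in claims["scope"]:                 # read vs charge
        return False, "scope does not permit " + action
    return True, "ok"
```

A read-only token for one account therefore lets the aggregator fetch transactions for an hour, but a charge attempt, a request for another account, an expired token or a tampered token is refused without the bank ever having shared the password.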
Christina Tetreault, policy counsel for Consumer Reports, said the advocacy group’s research showed “few people” read the privacy statements they sign. “Most of the digital financial products and services . . . are take-it-or-leave-it transactions where consumers lack both meaningful notice about what is collected and where it goes,” she said.
Mr Wallace said agreements like the one with Yodlee limited “third parties to what they need to serve the customer, lets the customer know exactly what information is being used . . . and removes the need to hand over their passwords”.
The post Banks to ban FinTechs from using customer passwords by issuing tokens instead appeared first on Payments Cards & Mobile.