Third-party financial account verification services (Plaid, Finicity, MX, etc.)?

Financial institutions and vendors are pushing these services to verify account information. Speaking from my experience as a USA banking customer, banks used to verify that accounts belong to you by placing micro-deposits into that account that you would manually confirm. It was a simple, straightforward process.

Now, more of them are partnering with these third-party account aggregation/verification services that require you to hand over your bank’s login credentials. In return, these services can maintain read access to your banking information which can include status, account information, as well as even potentially viewing your balances and transaction history.

Vendors and financial institutions are saying that these services are actually designed to improve privacy and fraud protection. I’m not quite sure how giving a third-party access to my most sensitive financial information makes my account more secure and privacy respecting…

Nevertheless, can this community provide tips for how to navigate this changing financial landscape?

For example:

  1. Is it better in fact to trust these services?
  2. Is it better to create an account with these services? They do say that creating an account can allow you to view and delete connected accounts - but I worry that just creating an account, which comes with additional terms, could be even more harmful. Deleting an account also gives little reassurance that they are deleting all the sensitive, unnecessary data they already collected.
  3. If you do create an account with them, are there privacy tips you suggest?

As I read often, applying privacy techniques (like aliasing) to official things such as government and banking tends to not work out well. But what about these fintech things that are not strictly banks, are not regulated to the same degree, are likely either selling/sharing your sensitive data or not keeping your sensitive data secure, but are still pushed and/or required by official places?

As an example, Fidelity now requires customers use Finicity to connect external banks. People on social media are also talking about landlords requiring one of these services in their online portal to pay rent.

As part of this process, Finicity will share certain financial data with Fidelity, such as balances, for this and future transactions.

This is my primary concern with these services where future transactions are also shared back with Finicity.

I just tried linking a savings account and was unable to complete the process without Finicity.

After seeing this thread I attempted this process with my bank and I ran into the same issue. I called and was provided an option to complete adding a bank via mail. Took about 2 weeks.

All that to say - if you run into this with a bank you should switch. Alternatively, you could call them up and ask if an alternative process exists.

Looks like my paranoia was confirmed.

“Aggregators are accessing customer data multiple times daily, even when the customer is not actively using the app,” a JPMorgan systems employee wrote last week in an internal memo to retail payments head Melissa Feldsher. “These access requests are massively taxing our systems.”

Of 1.89 billion data requests from middlemen hitting JPMorgan’s systems in June, only 13% were initiated by a customer for transactions, according to the memo, which was seen by CNBC.

The majority of data pulls, known as API calls, were for purposes ranging from helping fintech companies improve their products or prevent fraud to other efforts including harvesting data for sale, said a person with knowledge of the memo who declined to be identified amid talks between JPMorgan and the fintechs.

Even more scary:

Transactions involving money sent over electronic ACH transactions were 69% more likely to result in fraud claims if they involved data middlemen, according to the memo.

JPMorgan saw about $50 million in fraud claims from ACH transactions initiated through aggregators, a figure the bank expects to triple within 5 years, the memo said.

Plaid’s response was that they can do whatever they want and it’s dumb users’ fault for not reading the lengthy terms and conditions.

Plaid said in a statement to CNBC that this figure “misrepresents how data access works” because all activity begins when customers grant permission to fintech companies when they sign up for accounts. Of course, many customers don’t closely read the lengthy “Terms and Conditions” pages that contain data-sharing disclosures before opening new accounts.