When Customers Invite Third-Party Risk

The first rule of passwords is you’re not supposed to share your passwords with anyone.

But in a world where consumers are often willing to trade privacy for convenience, even banking passwords are no longer sacrosanct—and the largest bank in America has announced that enough is enough.

Earlier this month JPMorgan Chase made headlines for announcing plans to prohibit outside apps from screen scraping, the practice of using customer usernames and passwords to login and collect financial data. Instead it will allow authorized apps to access data through the bank’s application programming interface (API), which will tokenize data so that customer passwords and logins aren’t shared.

Why did JPMorgan make this decision? It wanted to control the risk. Let’s take a look at some of the risks the bank likely considered.

Not Your Traditional Third-Party Risk

When we talk about third-party risk in banking, the discussion normally centers on third-parties contractually bound to a financial institution. Financial regulatory agencies have provided extensive guidance on identifying, measuring, monitoring and controlling risk when outsourcing to third-party vendors, and smart financial institutions have spent the past decade ensuring they have good vendor management programs in place. This ensures there are controls to limit the risk an FI and its customers or members are exposed to.

But customers are capable of introducing a third party into their banking relationship. Millions of consumers have shared their banking passwords with financial management apps like Venmo, Mint (a free budgeting app), and Acorns (a micro-investing and robo- investing app) so that the apps can access the data needed to help the consumer manage finances.

Unlike an FI that engages in thorough vendor due diligence and monitoring, consumers tend not to understand the risks. As many as 80 percent of users don’t realize that third-party personal finance management apps might store their login credentials or that the apps might use third parties to access their financial information (introducing fourth-party risk), according to a recent survey by The Clearing House. Just 21 percent are aware that their data will be accessible to the app until they specifically revoke access. This may be because less than 20 percent read the terms and conditions and only 11 percent understand what they mean.

FIs like BofA, Chase, Citi, and Wells Fargo have tried to solve this problem by offering customers dashboards that allow customers to decide what information it is willing to share with each app or even revoke app access, Consumer Reports has noted, but that still requires customers to be proactive.

While JPMorgan can’t control who consumers give their login credentials to, it can control who logs into its platform. By switching to an API-based approach to data access, the bank can move from a model where consumers allow unvetted parties to access their financial information to one where the bank creates agreements with vendors that enable it to control risk. JPMorgan already has similar relationships with Plaid and Intuit.

Compliance risk. Data security and privacy laws—and the fines for violating them—continue to proliferate, from a growing patchwork of state regulations, including the California Consumer Privacy Act, to GLBA and GDPR. It’s unclear how a regulator would respond if a third-party app experienced a data breach that exposed your customers’ data, but the argument could be made that your institution was aware of the outside access and had a responsibility to ensure it was authorized and authenticated.

Cyber risk. It’s bad enough when customer’s account and personal information are exposed in a data breach. It’s a whole other issue if usernames and passwords are released. A third-party app with no relationship to your institution provides no assurances that it (or its third-party vendors) have appropriate cybersecurity controls in place and has no responsibility to disclose the breach directly to you.

It’s not just a theoretical question. NCR briefly blocked Mint and QuickBooks from accessing one of its platforms late last year due to concerns that hackers were somehow using their information to access and drain accounts, Krebs on Security reported.

Operational risk. Frequent third-party logins to scrape data can tax FI systems.

Fraud risk. Would your institution realize it if stolen information was used to access accounts and engage in fraudulent activity? Would your institution end up eating the costs related to any fraudulent activities?

Reputation risk. Consumers may not realize just how much information access third-party apps have, but when they find out they aren’t happy. The Clearing House’s survey found 68 percent of respondents were “uncomfortable with the apps’ level of access” when it was explained to them. That means when something goes wrong, they probably won’t understand it’s the app’s fault. They’ll assume your FI is at fault.

There can also be backlash if an FI blocks third-party apps entirely. PNC Bank found itself at the center of a Twitterstorm when customers had difficulty connecting to Venmo and the bank suggested that customers use bank-owned Zelle instead, The Wall Street Journal reported. Conspiracy theories about the bank trying to push out the competition and forcing customers to use its own service soon followed.

The Takeaway

When you consider the risks, it is easy to see why JPMorgan Chase is cutting off third-party login access. It’s another instance where fintech innovation has outpaced regulation, leaving FIs with the responsibility to manage a new risk created by an unregulated party.

Risk management, including careful risk assessments and controls, will continue to be an FI’s best defense while waiting for fintech regulation to catch up. Make sure your FI’s risk and vendor management platforms have the structure and tools to recognize and assess the risks presented by fintech partnerships—including those initiated by consumers.

How to Model Risk into Your Vendor Management Program