“We advise all of our customers not to share their credentials,” said Imran Haider, head of Wells Fargo & Co.’s API channel known as Gateway. “If you’re sharing your credentials with another provider, it then becomes that provider’s responsibility to secure and maintain those credentials. It’s not a viable model, and why we prefer using APIs for data-sharing transactions.”
Kesserwani said the bank that threatened to block Cushion urged him to instead rely on a middleman the lender had vetted and approved to use its API. But he was concerned that would prevent Cushion from fighting fees on behalf of its tens of thousands of users. He’s now in talks with a number of banks, seeking to strike some kind of partnership.
APIs aren’t new. For years, they’ve allowed a universe of accountants, tax preparers and loyalty programs to plug into account data and provide services to customers. Some apps are signing up, but others are objecting. They complain about APIs that offer too little, too slowly. And they argue that customers – not banks – are the rightful owners of financial data and can decide how to share.
Some apps that balk instead try to mask their IP addresses, engaging in a digital game of cat and mouse with banks.
To access account records directly, apps typically start by asking customers for their bank username and password. They then log on and gather information through a process known as screen scraping. Banks say that strains their systems, often amounting to more than half the traffic on their websites.
Reaching Truce
With nearly 11,000 banks and credit unions in the U.S., many startups can’t afford to build and maintain web-scraping tools to access all of them, so they rely on middlemen. Those data aggregators can represent thousands of fintechs, giving them some clout when negotiating with banks.
One of the biggest, Plaid, has repeatedly butted heads with lenders. Last year, consumers assailed Capital One on social media after a technology upgrade to improve security limited Plaid’s ability to tap into account information. That left customers temporarily unable to use popular apps from Acorns Advisers LLC, PayPal Holdings Inc.’s Venmo and Robinhood Financial LLC.
By October, it appeared a truce was at hand between some banks and apps. That month, JPMorgan said it had inked a data-sharing agreement with Plaid. Yet tucked inside the announcement was a warning to others: JPMorgan would begin blocking high-volume traffic from servers it doesn’t recognize and can’t validate, a process known as blacklisting.
It was the first public acknowledgement by any major U.S. lender that banks were no longer asking startups to be open about the way they extract data. They were telling them.