JP Morgan to deny fintechs data access if they don't sign new deal

JP Morgan to deny fintechs data access if they don’t sign new deal

Written by Ruby Hinchliffe
18th February 2020

JP Morgan Chase has told the fintechs and aggregators which access its customers’ data that they could be barred from using it if they do not sign a new deal which instructs them to retrieve the data in a different way, Reuters reports.

Until now, the bank’s third party provider (TPP) partners have accessed the data by using the customers’ own passwords, but now the bank has decided to move to a new method which does not use their passwords, according to “two people familiar with the matter”.

Issuing a deadline of 20 July 2020, the bank told all TPPs in a letter sent at the end of January that they will have to sign the deal if they want to continue providing their services off the back of the data. The new method of data access will be through an application progamme interface (API) connection and will grant TPPs access to limited account information.

There are some who believe even APIs are not as secure as they seem

It is understood that the change is down to JP Morgan wanting to provide a more secure way of accessing it. A spokesperson for the bank confirmed the letter was sent, and that 95% of data access requests had already been covered with agreements. But one fintech told Reuters it was “surprised” by the firmly-worded letter and strict deadline.

JP Morgan has been mulling over the idea to find an alternative method for more than four years now. “We’ve been working on this with aggregators and fintechs since 2016 because our secure API is the best way to help our customers make smart money decisions more easily and safely,” says MD of digital platforms at Chase Paul LaRusso.

“Customers can still use their favorite apps and websites while these companies migrate to our API,” LaRusso adds. As JP Morgan, the biggest bank in the US by assets, moves to an API infrastructure between itself and TPPs, it marks a shift in architecture to a model which many US banks have pushed against for fear of security vulnerabilities.

The Plaid acquisition by Visa for $5.3 billion in January saw the “plumbing” behind fintech gain real credibility by being subsumed by a major US payments player trusted by the US banks. Despite working with more than 11,000 financial institutions at the time of its acquisition, Plaid – the API builder bridging the gap between fintechs and banks – still found that banks were occasionally citing the risk of a breach as a reason why they couldn’t work with the TPP.

Moving to a more standardised approach is intended to result in a more secure environment for both banks and fintechs, which is why JP Morgan’s move to API-based data access is a big moment for America’s fintech community.

However, there are some who believe APIs are not as secure as they seem. FinTech Futures spoke to Canadian start-up Cinchy, which is trying to eliminate the replication of data in banks. CEO Dan DeMers says “even APIs create a spaghetti infrastructure” which is susceptible to security breaches because the technology still has to replicate data like the bank’s siloed, legacy systems.

The start-up takes a network-based approach, jumping one step ahead of the API wave sweeping through Europe and the US. DeMers anticipates that replicating data will one day be like replicating money – illegal.

Whether this becomes a reality, it seems security vulnerabilities will be found in whatever technology banks end up using to open up to third parties.