As Banking Goes Digital, Finance Apps Are Still Too Risky

For years, Americans have been giving their banking data to financial apps such as Venmo, YNAB and Rocket Mortgage. And for years, banks have been trying to figure out how to deal with the security risks. A new proposal from the Consumer Financial Protection Bureau suggests a better way.

For customers, the ability to seamlessly share financial information with other companies has obvious benefits. So-called open banking can spur competition, both by making it easier to change providers and by encouraging innovation. Furnishing potential lenders with up-to-date information on an individual’s spending and savings can also result in better lending decisions. All told, the practice has proved broadly popular: About 100 million consumers have authorized a third party to access their account data.

Some banks resisted this trend, concerned that sensitive data like user names and passwords — and ultimately money — could be stolen. Others accepted the risks to keep their customers happy. The result was a patchwork of varying permissions and security standards. The biggest banks developed application programming interfaces, or APIs, to transfer data more securely and negotiated detailed agreements with the third parties that connect apps to the banking system. But for about half of third-party data access transactions, customers still need to share their online banking credentials, a risky practice that should be phased out. Meanwhile, banks still control the terms of data sharing — not consumers.

So the CFPB’s Oct. 19 proposal — which would mandate that banks develop APIs so that customers can share their data with other companies securely and free of charge — is mostly a welcome step. As the regulator takes feedback over the next few weeks, however, it should be open to some improvements.

First, the rule’s scope seems unnecessarily limited. Information on mortgages and auto and student loans isn’t included, for instance, even though some banks have already developed systems to share such information. Although the CFPB plans to expand the rule over time, why not encourage banks to develop APIs now to cover as many data types as they would eventually need to share?