The Passing of the Screen Scraping Baton

The FinTech world is buzzing with news of Plaid buying Quovo. Hats off to Quovo’s founder, Lowell, who’s built an excellent reputation in the industry for innovation, professionalism and proprietary technology to enable screen scraping. We’ve received over a dozen inquiries from partners, investors and prognosticators on what the deal means, and, while we have no insider information, we have a few thoughts given our earlier blog series on screen scraping.

There are a few lenses through which to view this deal: what it means for the FinTech space and why it makes sense. We’re going to break it down based on three factors: market structure drivers, systemic reasons and direct reasons.

Market Structure Drivers

The FinTech world is embracing APIs as the most effective way to interact between institutions, apps and developers — as PSD2 in Europe leads the way. Asian countries are already adopting API protocols. However, since the US has not developed a standard or unified protocol, we can expect more jockeying between screen scrapers and financial institutions, as we saw earlier this year with Plaid & CapitalOne. As long as the US doesn’t mandate standards, screen scraping companies are going to look to gain greater scale and leverage against the more fragmented financial institutions (when’s the last time you saw Citi, JPMorgan, Fidelity & Schwab join forces to protect customer data?).

With 40-70% of FIs’ website traffic coming from screen scraping companies providing access to Personal Financial Management apps like Mint, FIs have finally woken up to the need to provide secure, controlled access to their products in an increasingly unbundled and distributed world. FIs are going to require customers to use OAuth to ensure proper security and controls, but traditional US screen scraping companies don’t look favorably on OAuth due to the user experience. The Plaid/CapitalOne battle was a preview of things to come between screen scrapers and FIs, requiring scrapers to go through the front door, not the back.

Systemic Reasons

If you’re in the screen scraping business and do a value chain analysis, you want to own your own destiny and technology. Screen scrapers exist for a simple reason: to make it easy for FinTechs to enable their clients or customers to aggregate their data in one spot. The screen scrapers create simple, easy-to-use APIs that customers can integrate, and these APIs use screen scraping technology behind the scenes. The technology learns the layout, data formatting and access placements for thousands of FIs, which allows the scrapers to easily enable customers to share their credentials in order to gain entry into the FI. The FI is not a party to this access; it’s a back door. Not all screen scraping companies do this themselves. Quovo did it with robust and secure technology, as do Yodlee and Finicity, who often provide their technology to other screen scraping companies like Plaid and MX.

Data security couldn’t be more paramount to FIs. As much as customers like to demonize banks, banks have done a lot more to protect customer information than big Silicon Valley tech companies. If your user name and password were breached by a portal, hotel company or social network in the last year, it’s likely that the user name and password combination was sold on the dark web. Bad actors on the dark web then run scripts testing your credentials against FIs to get access to your funds. And, while the FIs are proactively monitoring their front door, what many have found is that the bad actors run the scripts via sites using screen scraping to identify vulnerable accounts via the back door. Herein lies the rub. Screen scrapers don’t want to put speed bumps into the user journey, but FIs are requiring OAuth through the front door. Something has to give, and hopefully it won’t be caused by a breach of your financial information.
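The back-door pattern described above can be surfaced from an FI’s own authentication logs. The following is an added example, not from the original post: it assumes the FI tags each login with a channel label (`source`, a hypothetical field mapped from an aggregator’s known IP ranges), and the sample events and thresholds are constructed.

```python
from collections import defaultdict
from typing import NamedTuple

class LoginEvent(NamedTuple):
    ts: int        # epoch seconds
    source: str    # channel label derived by the FI (assumed field)
    username: str
    success: bool

class Alert(NamedTuple):
    source: str
    window_start: int
    failed_new: int      # first-seen usernames that never authenticated
    succeeded_new: list  # first-seen usernames that did: review / force reset

def flag_credential_stuffing(events, window_s=3600, min_failed=5, max_ok_ratio=0.25):
    """Flag (source, window) buckets dominated by failed logins for usernames
    that have never authenticated through that source before. Routine
    aggregator traffic is mostly refreshes of already-linked accounts."""
    linked = defaultdict(set)                      # source -> usernames with a prior success
    buckets = defaultdict(lambda: (set(), set()))  # (source, window) -> (failed, ok)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.username in linked[ev.source]:
            continue                               # refresh of an already-linked account
        failed, ok = buckets[(ev.source, ev.ts // window_s * window_s)]
        if ev.success:
            ok.add(ev.username)
            failed.discard(ev.username)            # typo followed by success is not a miss
            linked[ev.source].add(ev.username)
        else:
            failed.add(ev.username)
    alerts = []
    for (source, start), (failed, ok) in sorted(buckets.items()):
        total = len(failed) + len(ok)
        if len(failed) >= min_failed and len(ok) / total <= max_ok_ratio:
            alerts.append(Alert(source, start, len(failed), sorted(ok)))
    return alerts

def sample_events():
    """Constructed log: steady refreshes, then a burst of unknown usernames."""
    ev = [LoginEvent(t, "aggregator-a", u, True)
          for t in (60, 1800, 3700, 5400) for u in ("alice", "bob", "carol")]
    ev += [LoginEvent(4000 + 5 * i, "aggregator-a", f"user{i}", False) for i in range(8)]
    ev.append(LoginEvent(4050, "aggregator-a", "dave", True))   # one tested pair worked
    ev += [LoginEvent(4100, "direct", "erin", False),
           LoginEvent(4130, "direct", "erin", True)]            # ordinary typo on the front door
    return ev

if __name__ == "__main__":
    for alert in flag_credential_stuffing(sample_events()):
        print(alert)
```

Accounts listed in `succeeded_new` authenticated for the first time inside a flagged burst, so they are candidates for review or a forced password reset; a legitimate first-time link in the same window would land there too.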

Direct Reasons

Plaid and Quovo were direct competitors with similar offerings, which could lead to downward pressure on prices. Consolidation will likely allow the combined entity to test price elasticity. Yodlee was the Grand Daddy of screen scraping. Early on, Yodlee bought Vertical One for customers, pricing power and leverage. Yodlee is now owned by Envestnet, which has publicly stated that it has been focused on making the acquisition pay, meaning it is increasing prices.

Plaid stated that Quovo’s offering in the wealth space was a driving force for the acquisition. Yodlee and Morningstar® ByAllAccounts℠ have a solid grip on the wealth space; however, a combined Plaid/Quovo could result in a greater penetration. And, it doesn’t hurt that Quovo’s founder hails from a storied wealth management lineage, adding to his wealth sector cred.

Finally, the brands of Plaid and Quovo resonate differently in the broader financial space. Plaid is loved by Silicon Valley FinTechs and Quovo is well-regarded by the established FIs.

In sum, while the financial terms are not readily available, the strategic fit of Plaid and Quovo makes sense — leverage, scale, reputation and technology. Just as Yodlee’s founder stepped away last week from leading his company, the baton (and screen scraping team captain) is now with Plaid’s leadership — run fast and innovate often.

Screen Scraping’s SODA Framework Explained

SODA

Recently, Yodlee, Quovo and Morningstar announced that they were launching a joint initiative “…to enable secure, open data access for consumers in regard to their financial data.”  They’ve created the Secure Open Data Access (SODA) framework, a set of consumer-centric principles for data access and financial data security to promote transparency, traceability, and accountability in the financial services ecosystem.

We’ve done a lot of talking lately about open data and why it’s so important for consumers and businesses. This ranges from allowing for increased innovation to the importance of APIs. Let’s dissect what this announcement doesn’t say:

SODA Broken Down

“To ensure that the aggregator bread-and-butter business isn’t scuttled completely, or at the very least taxed into oblivion by the banks, aggregators are stealing a march by positioning themselves as consumer advocates.” – Drew Sievers, CEO of Trizic Inc.

1) Mention of Financial Institutions

How can you protect data or open it up without partnering with the very people who provide the customer info in the first place? What we do know about this deal is that there’s no clarity on where the data goes, no clarity on how to control users’ access from the FI side via these three companies and no comparison to PSD2. The bank’s data is what the aggregators are mishandling, either intentionally or unintentionally.

2) APIs Not Included

The three SODA aggregators don’t say that they will no longer screen scrape. They have positioned themselves to appear on the side of the consumer while stopping short of adopting more secure methods of data sharing like APIs. They also criticize the government for a lack of clarity but suspiciously stop short of advocating for new legislation that would most likely restrict their operations. “The move is partly a response to other industry proposals that the SODA framework developers see as too restrictive.”

3) Data Resale

The framework benefits a data aggregator company that makes money on selling the technology. Yodlee has taken heat on reselling anonymized data to investors and others. But they say the framework is designed to put the consumers’ needs first.

The sale of this data is one of the big areas of interest among hedge funds. Many are interested in non-traditional data sets, and consumer portfolios/activity is one of those data sets that’s viewed as interesting data to hedge funds. With all the money available for data, it’s hard to believe they are going to leave those chips on the table and walk away.

4) Plaid and Finicity

The two missing players are smaller than the others but also used widely and screen scrape the same universe of financial institutions. “SODA’s purpose is to consolidate Yodlee et al.’s position and ward off the threat of large banks stepping in and regulating the market themselves, since it is more often than not banks’ data that’s used,” says Sievers. If this is true, why not include all the aggregators? Are Plaid and Finicity being excluded for being too small? They do the same thing and use data the same way. So why were they left out? Plaid has declined to comment on this announcement citing a lack of expertise regarding Yodlee, but it does make you wonder.

Where’s the beef?

Essentially, there’s not much here. There’s no clear benefit to the investor and the protection of their data and there’s no clear benefit in terms of security.

APIs are the big missing piece in all of this and what’s really needed above and beyond these “made up” frameworks. APIs give everyone more control, allowing FIs to benefit the users and truly keep their information secure and protected.

In Europe, the Europeans believe they own their own data, but that’s not true in the US. This is the mind shift that needs to happen to give people more control of their data and in turn, their privacy. No acronyms needed.

A Letter to Regulators

Over the past few weeks, we covered the data battles taking place in fintech. As the CFPB deliberates on whether to defend data aggregation, we urge them to remember their mission to “empower consumers to take more control over their economic lives.” To grant data ownership to banks, rather than consumers, would represent a stark failure of the CFPB to deliver on this mission.

We encourage anyone who cares about their data to write the CFPB at the email address below.  As Plaid, Yodlee, and other tech innovators have argued, continuing to innovate in fintech relies on customer data ownership. Here is the letter we sent to regulators:

Aggregation Wars, Part 4: Europe

Across the pond, EU regulators are building a secure consumer-oriented financial ecosystem. To stay relevant as a global innovator, regulators in the United States must act fast in doing the same.

Last January, European regulators passed the PSD2 law, which grants ownership of account data to the bank customer rather than the bank. Under PSD2, financial institutions will be required to provide free access to their customers’ accounts to any third party that the customer authorizes.

The Customer is Always Right

Consumers win under PSD2, because it encourages competition in the digital financial product space. Instead of being forced to use their banks’ clunky services, Europeans can sign up for any sleek new service, then authorize it to connect to their bank. This new and open market has tech companies building products that are better functioning, customizable, and more mobile-friendly than the existing products offered by banks.

PSD2 in GIF format, source: Medium

Smarter, Simpler Regulations

In the United States, regulators are still years behind their European counterparts. The challenge lies in crafting laws that remain relevant as the technology evolves over time. To avoid over-regulating the industry and creating never-ending work for themselves, US regulators should build a framework of principles and “best practices” for the industry. Without micromanaging the details, they must foster:

  • Ease of Connectivity: the adoption of a universal financial “language” that makes it easy for banks, customers, and fintech companies to share data using the same protocol
  • Safety: Security standards that prevent unauthorized parties from accessing customer data
  • Consumer Protection: Acceptable use of customer information and disclosures

Acting Fast

It is time regulators take a stance in this debate with simple, forward-facing legislation. If Silicon Valley and New York are to remain competitive as fintech hubs, they need legislation that remains relevant as the fintech sector continues to evolve.

Aggregation Wars, Part 3: The Opposition

In last week’s episode of Aggregation Wars, we covered the big banks’ lobbying effort to stop aggregation. This week, we profile the fintech companies who are fighting for aggregation and for the consumer’s right to access their financial data.

FinTech companies are forming an opposition party in the battle over aggregation. Some are familiar, and others are behind-the-scenes. Here’s who’s defending your data ownership:

The Companies You Know

Mint, Acorns, Digit, Kabbage, Betterment. These fintech companies offer direct-to-consumer financial products like robo-advised brokerage accounts, automated savings tools, and loan-refinancing platforms. Some of these companies are financial institutions of their own while others, like Digit, are not. None of them compete directly with banks, but all of them require access to your banking data. For example, Digit analyzes your spending habits to help you save for custom goals like a vacation. Without open access to customer banking data, these tools could not exist.

The Companies Backstage

Behind each of these shiny new apps, there is a network of technology providers who build “pipes” that connect to financial institutions: Yodlee, Plaid, Quovo, Intuit. Without stable, secure API connections to the big banks, these aggregation technology providers are stuck using more primitive (and less secure) screen-scraping technologies to grab user data. Clearly, these companies want open access to consumer financial information.

Joining Forces

The FinTechs you know and the ones you don’t are joining forces to fight for consumer data access. This month, they formed the CFDR, or the Consumer Financial Data Rights Group. The group’s goal is to convince the CFPB that secure data access is a win for all parties: FinTechs, banks, and consumers. More broadly, the group supports collaboration between banks, regulators, and FinTechs that will help them align around common goals: building a secure financial ecosystem that benefits and protects the consumer.

While “FinTech” might yield visions of nimble, garage-style startups, there is big money behind these growing companies: global FinTech investment reached $22 Billion in 2016, and that’s from Venture Capital alone. Still, it’s nothing compared to the deep pockets of the big banks. Hopefully, the CFPB will realize the potential of free-market competition for financial products, and the FinTech Industry’s suggestions will be received well.

What’s next?

The CFPB will continue to accept letters while it weighs the pros and cons of open access to financial data. As you read this, the ABA is working to discourage aggregation practices, and the FinTech-backed CFDR is working to improve them. You have until February 14th to contribute.

Next Up: Europe and Beyond

In the next installment of Aggregation Wars, we take a look at the open API initiatives in Europe, the UK, and Singapore. If the US is to remain competitive on the global fintech front, we will need to catch up to these countries with consumer-first regulations that encourage innovation, put security first, and lay the tracks for a more inclusive, consumer-friendly financial services architecture.

Aggregation Wars: Part 2, Bank Backlash

The Pandora’s Box of customer banking data has already burst open with the popularity of third-party financial products. Still, banks are doing all they can to restrict their customers from accessing their own data. What gives?

Aggregation has become a flashpoint between hundred-year-old banks, the CFPB and customers. In the first installment of this series, we looked at the history of aggregation technology, and its improvements since the first dot-com boom. This post explores the banking industry’s opposition to aggregation, and provides a path forward for US regulators.

New Enemy, Same Tactics

This year, the American Bankers Association came out against aggregation technology, citing the same concerns and scare tactics they have relied on for twenty years. Today, aggregation technology is exponentially more reliable and secure than it was in the late 1990s. While the enemy has evolved, the banks are still using the same plan of attack.

In 2001, the OCC issued a “Guidance Memo” to banks that listed five risks posed by aggregation:

  • Strategic Risk
  • Reputation Risk
  • Transaction Risk
  • Compliance Risk
  • Security Risk

Since then, several of these concerns have been made obsolete by technological advancements. Others proved to be illegitimate in the first place. Regardless, the ABA’s latest arguments revolve around the same old concerns of “data usage” and “security.” In his 2015 shareholder letter, Jamie Dimon dedicated significant air time to criticize aggregators, and took direct action by cutting off JP Morgan’s customers from using Mint.com. While the security concerns are exaggerated, the rising popularity of PFM tools means that they are racking up significant server costs for the banks. In other words, JP Morgan doesn’t want to pay to import its customers’ data to Mint.com.

Enter the Regulators

The CFPB is a government watchdog set up to “make consumer financial markets work for consumers.” In November 2016, they held a field hearing in Utah to spark a public debate over aggregation. While the hearing made room for a healthy debate, it has opened the floodgates to banking industry lobbyists and the influential American Bankers Association, which continues to fight against aggregation.

If the CFPB plans to keep their promise to protect consumers, they should weigh popular consumer opinion against the lobbying effort of the big banks. In 2016, over 70% of customers trusted the top tech companies more than their banks. A fair ruling will incorporate changing user behaviors and advancing technologies into its decision. Got an opinion? You can submit letters to the CFPB by February 14th, 2017.

Towards a Working Regulatory Framework

As it moves towards establishing new laws, the CFPB should stick to principles-based best practices that will remain relevant as the technology, and the debate over data ownership, continue to evolve. In particular, the industry will benefit from guidance around:

  • API Framework: Financial Institutions should identify 1-3 “Approved Vendors” to build and manage their APIs. The financial sector can trim inefficiencies using a standardized protocol for data, just as the healthcare sector has over the past ten years.
  • Customer Control Center: It must be easy for consumers to manage where their data is flowing. Banks should be required to provide a clear dashboard of all third-parties who are plugged in. This way, consumers can unlink their accounts from products they no longer use, keeping their data under control.
  • Re-examine OFX: As we mentioned in the first post in this series, Intuit and Microsoft developed OFX to avoid the Aggregation Wars. Is now the time to re-examine a protocol that banks can support for distribution?

In our next installment of this series, we will take a closer look at the European regulations, and the lessons the US can learn looking forward.