Online finance tools that help people manage everything from investing and saving to paying off debt are increasingly being cut adrift by banks, leaving users in limbo.
The banks say the cutoff of financial data flowing to the apps and websites is caused by security upgrades required to keep hackers at bay, but some industry watchers suspect the motive may have more to do with the bankers’ bottom lines.
Bank of America is reportedly the latest institution to temporarily cut off data to aggregator sites, according to a report this week in the Wall Street Journal.
But it certainly wasn’t the first. Users of online budgeting tool Mint.com, a pioneer in the financial technology industry, have repeatedly complained on the site’s online support forums in recent months about denied access to Wells Fargo and J.P. Morgan Chase accounts.
The industry, often referred to as “fin-tech,” is growing fast. Mint.com attracted 1.5 million users in just two years after launching in 2007 before being acquired by Intuit for $170 million.
Now there are a host of online finance tools and apps that help people manage a variety of financial transactions. Most aggregate banking information, which means customers fork over their login credentials for their checking and savings accounts so that the services can pull and parse their data.
The problem occurs when banks implement new security measures that prevent these sites from accessing customers’ information, forcing users to either use the banks’ online services to review their finances or remain in the dark until the issue is resolved.
Jason Menke, a spokesman for Wells Fargo, said there is nothing nefarious about the service interruptions.
“This has a tendency to get lumped in as an effort by the industry,” he said. “We did not take any action that would actively restrict the access of our customers to their financial information. There was never any direct attempt to restrict or block data from Wells Fargo.”
Menke said Wells Fargo frequently implements new security measures to protect customer information. Those upgrades aren’t intended to block access by the fin-tech services, he said, but sometimes cause compatibility problems. In some cases, customers can resolve the issue by simply verifying their credentials, he said.
But some banks have cited security concerns with financial data aggregators, which also draw data from brokerage accounts, online payment services like PayPal and other financial services. Some even discourage their customers from using these financial portals to begin with. Chase, for example, warns customers that they could be putting their “money at risk” by giving banking credentials to these services.
“Some websites and software offer tools to help you with budgeting, managing accounts, investing, or even doing your taxes,” the site’s security center reads. “But if you're giving them your Chase.com user ID and password, you could be responsible for money you might lose as a result.”
But experts say such warnings are off base. Federal banking rules known as Regulation E sharply limit customers' liability for unauthorized electronic transactions from their accounts, provided they report the fraud promptly.
“Regulation E gives you the right to contest unauthorized charges taken from your bank account,” said Lauren Saunders, associate director of the National Consumer Law Center. “While it's important to safeguard your account, you do not lose your right to contest unauthorized charges even if you were negligent, such as by writing your PIN number on your debit card.”
Chase did not respond to a request for comment from NBC News.
But Doug Johnson, senior vice president for payments and cybersecurity policy at the American Bankers Association, said in a statement that banks have a responsibility to protect consumers' data and that extends to third-party service providers.
“The bottom line is security," he said. "We want to ensure that companies that provide these services are as secure as the bank to best protect our customers.”
Some critics argue, however, that the banks’ security concerns are nothing more than an attempt to force customers to use their own online financial tools.
“The retail financial industry is sort of coming to a point that ‘adapt or become a dinosaur’ is truer than ever,” said Ramya Joseph, a former trader and analyst at Goldman Sachs who founded the soon-to-launch personal finance startup Pefin.com. “Services are changing rapidly. It’s maybe natural that banks would use tactics or regulatory practices to prevent customers for using those services.”
Personal Capital, for example, offers users with a net worth of $100,000 or more free financial advisory services, which could undercut paid services offered by banks.
Cliff Canan, Founder and CEO of Nooch, a startup that allows users to electronically exchange money, said banks also are worried about maintaining customer loyalty.
“Banks are threatened because they have always ‘owned’ the customer,” Canan said. “Everything in a person's financial life has always been run through a bank: credit cards, household bills, ATMs, paper checks, mortgages. ... So now new services that specialize in doing just one of those things really well are chipping away at every front. Even when the banks aren't losing revenue directly, they are losing ‘touch’ with a customer.”
Another concern that may lead banks to limit access to some online financial services is that many free fin-tech services also present users with specific offers that are essentially advertisements for a rival bank.
“Banks want to control the interaction with their customers and don't want other companies to have access to sell competitors' products or harvest the customers' data,” said Saunders, the National Consumer Law Center official.
Mint.com declined to comment on the limited access issue, but said in a statement that it stands by its commitment to uphold security measures. The company said it uses bank-level security to protect customer data, so if consumers feel banking online, they also can be comfortable using Mint.
“Delivering secure and seamless connectivity is a shared priority across Mint and thousands of our financial institution partners,” said Mint representative Holly Perez. “We continuously work with them to ensure we deliver a great customer experience. This includes upholding our rigorous data stewardship and privacy policies.”
Other sites say they, too, employ cutting-edge security measures to safeguard data.
Nooch, for example, says it uses government-grade data encryption.
Still, banks continue to express concern over aggregator site security. The Wall Street Journal reported in its story that J.P. Morgan’s Chief Executive Jamie Dimon met last week with Consumer Financial Protection Bureau chief Richard Cordray to discuss the issues with aggregators.
It also reported that the Financial Services Information Sharing and Analysis Center is working to establish security guidelines for these services to follow. A spokesman for the group told NBC News that it is working with other industry groups to develop “information sharing best practices,” not security guidelines specifically for third-party aggregators.
In any case, operators of some third-party personal finance sites say that banks should get their own houses in order in terms of security.
“There’s a bit of irony here,” said Joseph. “Banks are saying, ‘you’re not secure enough.’ But banks have been involved in some pretty big security issues. And third party aggregators? They’re tech firms. They haven’t been breached. It could affect us, but I think we’re all getting much smarter about security.”