JP Morgan vs fintechs: Who really owns your data?
JP Morgan gave fintech firms a choice: abide by data access rules or get out. Should any of us be surprised?
A few weeks ago, JP Morgan Chase delivered an ultimatum to fintech firms that want to access its customers’ data: abide by their API standards or get locked out by the end of July.
Essentially, it’s the middle finger from a bank that isn’t afraid to let its size do the talking. After all, what are the firms affected going to do? Not serve the customers of America’s largest retail bank?
In truth, we probably should have seen this on the horizon. Banks and fintech firms have been squabbling over this issue for quite a while – PNC locked out Plaid and Venmo just two months ago, following Capital One’s lead from 2018. Dig far enough back and I’m sure you’ll start to see similar headlines about Yodlee.
But JP Morgan Chase has been particularly hawkish. In 2016, CEO Jamie Dimon warned fintech firms to expect data restrictions; the bank threatened to shut out Quicken and Quickbooks a year before that.
The decision may have been a long time coming, but JP Morgan’s size, combined with the complete lack of open banking initiatives stateside, make it significant all the same. In a sense, this sets a precedent for the entire industry, defining who owns what data going forward.
Filling a regulatory vacuum
There’s an underlying problem with customer data in the US: regulatory guidance is practically non-existent. We don’t have General Data Protection Regulation (GDPR). We’re nowhere close to having something like the Second Payment Services Directive (PSD2). New York Senator Kirsten Gillibrand just introduced a bill to create a Data Protection Agency, but the fact that this hasn’t happened before now speaks volumes about the US’s data regulation difficulties.
No one is telling banks the minimum amount of data they need to provide, how it should be accessed, or which tokens should be used.
So, what happens when you have a regulatory vacuum like this? Naturally, the four massive banks that control 45% of deposits are going to rush in to fill it. Or in this case, one bank that has $2.53 trillion in total assets.
JP Morgan is too big to ignore. In banking, the fleet moves around the carrier, and JP Morgan is that carrier. It’s unlikely that other banks will adopt its exact methods but expect them to follow its lead in the near future.
Aggregators are about to get a lot more important
What does this mean for aggregators and API developers such as Plaid or Yodlee?
For that first company, probably very little. Plaid has already agreed to JP Morgan’s terms. Its recent acquisition by Visa also puts it in an interesting position: if fintech firms want to access customer data, they’re going to have to work with Visa in some capacity. It’s keyholder to that data, and Plaid is now the key.
Don’t be surprised, then, if a string of aggregator acquisitions follows this news. Yodlee, MX Technologies – each of them could be a target for a provider like Mastercard.
This could be one route to standardisation: fintech firms want access to customer data, and rather than building APIs for each major bank, they get in by going through a few major aggregators. After all, why would fintech start-ups go through the upkeep of maintaining the code that aligns with banks’ APIs and token requirements when another company can do it for them?
The issue here isn’t that standardisation is happening: it’s that markets are driving the process, not regulators. Letting Visa or Mastercard control access to customer data is hardly an effective approach democratising financial services, especially at a time when so much of banking is a consolidation play.
Whose data is it, anyway?
Implicitly, disputes like these always centre around one question: who ultimately owns consumer data? Does it belong to the consumer who has opened the account or the bank that holds it?
We haven’t solved this question, and we probably never will. But with a total lack of regulation, it seems like we’re not even trying to.
At the heart of the issue lies a contradictory impulse among American consumers. We would never allow a government to take sensitive information like biometric data, a la India. But if a private company like Apple wants it, we’ll hand it over willingly.
It’s that rebellious nature that ensures Americans will never follow a European model and set out clear data access rules. But that doesn’t mean our data isn’t already being harvested, or that companies don’t have a vested interest in keeping it safe. If Plaid starts compromising customer data, that’s it for its business.
So right now, the ultimate owner of customer data is still unknown. But we do know who controls access to that data, and it’s JP Morgan Chase, Visa and whoever drives the next wave of aggregator acquisitions.
By Sam Maule is the managing partner of North America at 11:FS