PNC Financial has run into a media buzz saw over customer access to fintech apps they had linked to their PNC checking accounts. The Pittsburgh Post-Gazette was the first to surface a problem. “PNC Bank customers have been complaining for months on social media about suddenly not being able to connect their bank accounts to popular money transfer apps such as Venmo to pay bills, budget their finances or send money to friends,” the paper reported in late November 2019. The reason given by the bank to the Post-Gazette was a security upgrade.
It’s the latest iteration of an ongoing tug-of-war between banks and aggregators, the third-parties like Envestnet/Yodlee and Plaid that connect bank accounts with fintech apps like Venmo, Robinhood and thousands more. In June 2018 Capital One implemented a similar security upgrade that blocked customers of Plaid. (When consumers download a financial app and set it up, Plaid and other aggregators operating in the background make the connection to the users’ bank accounts.)
“No bank ‘owns’ a customer. I ‘own’ my bank. If they make my life a hassle, I move.”
In the PNC case the struggle erupted onto a bigger stage. Three weeks after the Gazette story, the Wall Street Journal ran an article headlined, “Venmo Glitch Opens Window on War Between Banks, Fintech Firms.” That opened a floodgate of posts, articles, blogs and tweets, many picking up on the theme of a “battle” or “war” between traditional financial institutions and fintechs.
Cornerstone Advisors’ Ron Shevlin in a blog, surfaced an additional angle: That the big Pittsburgh regional bank was blocking customers from using the popular Venmo person-to-person app and steering them to use Zelle, the competing P2P product offered by a bank-owned consortium. And indeed, some PNC help-desk tweets suggested that consumers make that switch, as did a call-center representative, according to one PNC customer’s comment on Reddit.
One of the bank’s own tweets said, “If you are having this difficulty, you may want to explore another alternative means of money movement, such as Zelle, or work directly with Venmo on other options.”
There were other communications along that line, and Venmo, according to Finextra and at least one other source, responded by suggesting its customers tweet out this message: “Hey @pncbank, why aren’t you living up to your promise that ‘security should empower consumer access’ to their accounts? Let me use the financial service apps I need!”
PayPal declined to confirm to The Financial Brand whether it or Venmo had sent such a message to customers or whether it considered it was “at war” with PNC.
Bank Responds to Reports that It Was Blocking Access
Karen Larrimer, Head of Retail Banking and Chief Customer Officer, downplayed the “war” terminology, saying in an interview with The Financial Brand “We have a good relationship with PayPal, who owns Venmo.”
“When you read that we’re blocking, that’s not really true. We added a security step — but our customers are able to connect with Venmo.”
What’s happening, she explains, is that PNC customers who have been using the app find that all of a sudden something’s changed and the app stops them. “So they call us.”
The bank’s contact center people explain how the customer can continue to use Venmo linked to their PNC checking account by manually entering their bank credentials directly with Venmo (the necessary link is provided). This step bypasses an aggregator — Plaid, in this instance. However, doing this is time-consuming and involves sending a one-time micropayment through the system as a test before the app goes live. The usual process, using Plaid, is much quicker and easier, taking less than a minute, per the Plaid website.
So what PNC has done is block “automatic” aggregator access to Venmo (and other fintech applications), not all access.
Although some consumers appreciate the extra security, not surprisingly others squawk at the disruption.
PNC’s position, according to Larrimer, is that many consumers don’t fully understand what happens to their data when they sign up for an app and an aggregator is involved as opposed to a secure API (application programming interface) connection between the institution and the aggregator. PNC has one such API arrangement in place and several others pending, the exec states, but not yet with Plaid.
So, Was This In Fact a Play for P2P Dominance?
As noted earlier, various reports, and several PNC customers, suggested that the real motive for PNC’s changing the security protocols that impacted Venmo was to promote the competing P2P app Zelle, which is backed by major U.S. banks.
The Financial Brand asked Larrimer about the PNC tweets and calls that suggest customers could consider Zelle. “That is not an instruction we have given to our employees to say,” she responds. “There’s not a big incentive for us to do that. We don’t charge a fee for using Zelle, so there’s no revenue associated with it.” She says the Zelle suggestions from some customer service reps were a response to the fact that reconnecting a customer to Venmo takes time, which not everyone wants to do. “It would be a very natural thing in such cases for our rep to say ‘You’re already connected to Zelle and you can use that to transfer your money from your banking account’.” PNC customers are not automatically enrolled in Zelle, she adds, but it’s very fast, there’s no “in-depth sign-up.”
The PNC security changes also impacted other apps besides Venmo.
“We want customers to be able to use whatever fintech app they want to use,” says Larrimer. “And we want to enable that. So that’s not what this is about. What we are really looking to do at PNC is protect the security of our customer accounts and nothing more.”
- 3 Steps Banks & Credit Unions Should Take as Data Privacy Gets Hotter
- More Consumers Will Leave Banks If Digital Offerings Don’t Improve
- ‘Open Banking’ Scares Consumers, But They Want What APIs Can Deliver
Aggregators at the Center of the Dispute
“We provide secure connections between apps and thousands of banks,” John Pitts, Policy and Advocacy Chief, told the Pittsburgh Post-Gazette. He added, however, “In our seven years, rarely have banks made technical changes without prioritizing the restoration of seamless access to apps. We want PNC customers to have the freedom to use any app they choose, and stand ready to work with PNC to restore access.”
Larrimer doesn’t regard aggregators or fintechs as the “bad guys,” but says “they are leaving loopholes that the bad guys can use to get in.”
“A number of months ago,” she states, “we saw a higher degree of ACH fraud occurring on customers’ accounts and we were able to trace that back to how some particular aggregators were circumventing security controls.”
Many consumers don’t realize that once they give access to one banking account, typically checking, the aggregator “can scrape every piece of information that is in your banking relationships — any other accounts you have, any loans you have, any transaction data, whatever is there they have full access to,” Larrimer states. Depending on the aggregator, consumers would not know this nor would they know where that data is being stored, or for how long or what it is being used for, the exec adds.
Larrimer believes PNC has an obligation to help people be more aware of the risks. The manual inputting of bank credentials that the new security guidelines require is not the best solution, however, she agrees.
The Solution Everybody Seems To Agree On
PNC and Plaid are both sustaining members of the Financial Data Exchange, a nonprofit dedicated to unifying the financial industry around a common standard for secure and convenient access by consumers and businesses to their financial data.
In addition, The Clearing House, released a model agreement to help financial institutions and fintechs establish common ground for sharing bank-held customer data. TCH is a founding member of the Financial Data Exchange.
Both Plaid and Envestnet/Yodlee have established API data sharing agreements with individual institutions, including Chase, Citibank and Capital One. As Larrimer indicates, PNC has one such agreement in place and several others close to signing.
“Data does belong to the customer. What we’re really seeking is their awareness and consent for anything that would involve interfacing with their bank account information.”
— Karen Larrimer, PNC Financial
The solution to these high-profile confrontations over data sharing “is to sign data exchange agreements with all of these aggregators,” Larrimer observes.
“Once we have these agreements in place we do want to have more transparent consumer consent with each of these aggregators,” she continues, “such that when a customer is signing up, that the proper disclosure of exactly where their information is going and what’s happening to it is disclosed to the customer. PNC will work hard to do that with each of these arrangements, which may make us a little different than some of the other financial institutions. Data does belong to the customer. What we’re really seeking is their awareness and consent for anything that would involve interfacing with their bank account information.”
Ultimately, Larrimer says PNC wants to get to tokenization. This means substituting sensitive data with a non-sensitive element, or token. ” If you want to talk about a really secure connection and you want to send data between two entities you tokenize it. We feel very strongly about that.”
Larrimer supports open banking, but hopes that when it comes to the U.S., it uses tokenized account numbers.
Better Communication Needed As Well
In a LinkedIn comment relating to Ron Shevlin’s Forbes blog about PNC’s situation with Venmo and Plaid, Nicole DeSantis, former deputy counsel at Rabobank, states that the episode “underscores the importance of understanding the effect of multiple players in the chain of the consumer’s experience. It is crucial for bankers…to understand these operational complexities!”
Larrimer notes that PNC did put detailed information about data sharing, including troubleshooting kits on their website, and provided messaging to its care center staff. But she notes that internally the institution is talking about how it can better tell its story on this issue to various constituencies.
It’s critical that individual institutions and the banking industry overall, move quickly to address data sharing complexities and conflicts. As Shevlin observes in his blog, PNC probably won’t see much account attrition, but many customers “will simply open additional checking accounts with the Chimes and Money Lions of the world — while leaving their PNC accounts open.”
Putting an exclamation point on that, a reader commenting on the Wall Street Journal article on the issue stated “No bank ‘owns’ a customer. If they think that then they are in for a world of hurt. I ‘own’ my bank and willingly deposit some money in there for my convenience. If they make my life a hassle, I move to a different bank.”