Inside the Chase plan to ‘ban’ screen scraping

Photographer: Daniel Acker/Bloomberg

JPMorgan Chase wants to continue to let customers use their favorite third-party apps, but the bank said it’s making moves to ensure these transactions take place in a secure way. 

The bank made headlines in various financial publications this month for its plan to stamp out a practice called screen scraping that allows third-party apps to access customers’ login and password information to connect to their accounts.

To ensure security of customer data, Paul LaRusso, managing director of digital platforms at Chase, told Bank Innovation that Chase is tokenizing its customers’ data in order to protect their financial information. Later this year, Envestnet Yodlee will connect customers to third-party apps that want to connect to customers bank accounts through Chase’s API instead of screen scraping, thereby not allowing them to copy or save customer login and password information. 

LaRusso explained that the plan to “ban” is part of the Chase’s effort to enhance customer control over  account information, according to the bank. With the new agreement, customers’ banking information will be seamlessly connected to more than 1,200 third-party apps through an API that tokenizes customer information.  Chase is currently working collaboratively with aggregators it has signed agreements with to migrate to its API. There are currently 3.8 million customers currently accessing their accounts through Chase’s API.

“Tokenization is a way for us to give access to a third party, instead of having to actually give out customer credentials,” he said.  

See also: How Chase is fighting screen scraping through API-based data access 

Envestnet Yodlee is reportedly the most recent data company to agree to use tokens for all of its interactions with Chase. The bank has already signed data agreements with a number of companies including Finicity and Intuit. Both Chase and Envestnet Yodlee are board members of the Financial Data Exchange, a nonprofit dedicated to unifying the financial industry around a common standard for secure and convenient consumer and business access to financial data.  

“None of the usernames or passwords ever leave the Chase [digital] environment, so that in and of itself reduces the [number of] instances where sensitive information can be deployed outside of the ecosystem,” Stuart DePina, chief executive of data and analytics at Envestnet Yodlee, told Bank Innovation. 

This is not the first time that Chase has entered into agreements to allow API-based data access. In 2018, it signed a similar agreement with Plaid and, prior to that, entered into agreements with Intuit and Finicity. LaRusso noted that several million Chase customers can securely share data with third-party apps as a result of these partnerships. The bank will continue to implement this strategy until no customers can connect to third-party apps through screen scraping. 

LaRusso argued that a common standard for secure access to data puts the customer in the driver’s seat when it comes to protecting their account information. 

“When two companies integrate to an API, [the standard] helps both of those companies understand what to expect from the API, which allows that connectivity to be delivered and deployed quicker,” LaRusso said. That common interoperable standard will deliver value to the customer around greater control and visibility. 

Bank Innovation Ignite, which will take place March 2-3 in Seattle, is a must-attend industry event for professionals overseeing financial technologies, product experiences and services. This is an exclusive, invitation-only event for executives eager to learn about the latest innovations. Request your invitation.