Why Fintech Wants to Free Your Credit Card Data
Here at Abacus, there are a handful of questions we get asked almost every day. One of the most common is why credit card data isn’t flowing properly.
Normally, Abacus pulls your credit card activity straight into our software, which allows us to automate your expense reporting workflow using the same data you would see if you logged into your bank’s website. This system works over 99% of the time, but sometimes the connection breaks. Card data doesn’t flow into Abacus, transactions can’t pair up with receipts, and automation turns into manual entry. It’s a pain for customers who are used to a seamless experience, and worse, there doesn’t seem to be any rhyme or reason to when it happens.
The most likely explanation is that Abacus has encountered an issue with the third-party data aggregators from whom we get your card data. Because your financial institution hasn’t created a way for outside software to plug directly into their system, Abacus is forced to use a workaround that, unfortunately, encounters occasional disruptions.
Every company that makes consumer financial technology is familiar with this frustration. In the US, even the most sleek financial software is built atop old, inflexible infrastructure. But with credit card data, there’s a twist. Unlike the ACH network, which is simply too large and official to make drastic changes, the financial institutions that hold your data have it in their power to solve this problem for good. Instead, they’re making a business decision to hold it hostage.
Abacus customers experience this stalemate between banks and apps as an infrequent annoyance, but it’s actually a pivotal issue that sits at the collision of two macro-scale movements in technology: the rise of consumerized financial applications and a new awareness of data ownership.
In this article we’ll take you inside the campaign for open credit card data. You’ll see where your information is being locked up, how we use technology to work around it, and why companies like us are eager for you to get involved.
How credit card data works
Credit card data lives in a complex ecosystem. What feels like a simple swipe at the counter is actually an exchange between multiple entities. The average credit card transaction in 2016 was $88, which generated $2.50 in fees that was split among 3 or 4 different parties. Financial data, in other words, is highly portable within the credit card industry’s infrastructure.
Getting that data out is the tricky part. When you or your employer decide to use apps that require your credit card feed, like Abacus, our software sometimes has no direct way to plug into your bank and retrieve your data. In those cases we get it from a third-party aggregator, which is a separate company whose software logs in to your bank, takes a snapshot of your card activity, and passes that data securely to us.
This exchange is very safe. Using third-party aggregators is an industry standard, used by all your favorite financial technology. But the normalcy of this system is actually the entire problem. We would love for your credit card data to be available in a more stable way. Much of the time, it is not.
Exporting vs. extracting card data
To explain this system, let’s start at the beginning.
Credit card data can be exported or pulled from banks in a few different ways. The highest-quality exchange is a direct connection. This is possible when a financial institution engineers an API for the purpose of transmitting card data to software that has been authorized by the customer to receive it. With a direct connection, card data flows straight from the source and rarely encounters technical issues.
Direct connections are standard among commercial-tier card programs, which are designed to be centrally managed by enterprise-level finance teams. Card-issuing financial institutions know that enterprise customers demand the flexibility to choose the software with which they manage their corporate card programs, so they support direct APIs.
But banks seem to have a different impression about the preferences of non-enterprise customers. In all but a few cases, business-tier and consumer-tier card programs do not offer APIs. That means those customers have no organic way to export their data to the software they choose.
Third-party companies that specialize in data aggregation fill this need with a workaround called “screen scraping.” This practice uses software to access your financial institution’s website and extract the data found on your transaction history, using login credentials you’ve provided to them. As long as the screen scraping software is able to read the information on the page, the aggregator will export the card data to whatever software you want. Think of screen scraping as a computer literally imitating you in order to log into your bank account and take a picture of what it finds.
Unfortunately, any number of factors can cause this workflow to fail. If the bank changes its web interface, the software needs to be updated to decipher the new format. If your financial institution periodically requires two-factor authentication, the software won’t be able to log in on your behalf. Even if there’s a pop-up ad being pushed to your account, the software can’t simply click out of the box the way you could.
These are just a few of the myriad scenarios that cause your card feed to suddenly not work. The connection can be restored fairly easily once a disruption is detected, but the system is inherently temperamental.
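Detecting a disruption means telling "the page had no transactions" apart from "the page could not be read." The following is an added example, not Abacus's or any aggregator's code: it classifies an already-fetched page into the three failure cases described above instead of silently returning an empty feed. The page markup, ids, class names and status strings are all constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed pages; ids and class names are hypothetical, not any real bank's markup.
ROW = '<tr class="txn"><td class="date">{}</td><td class="merchant">{}</td><td class="amount">{}</td></tr>'
PAGE_OK = '<table id="transactions">' + ROW.format("2018-03-01", "Coffee Shop", "-4.50") + "</table>"
PAGE_EMPTY = '<table id="transactions"></table>'  # statement with genuinely no activity
PAGE_REDESIGN = '<div class="activity"><span class="when">2018-03-01</span><span>Coffee Shop</span></div>'
PAGE_MFA = '<form id="mfa-challenge"><input name="otp"></form>'
PAGE_POPUP = '<div class="modal-overlay">Special offer</div>'
REQUIRED = {"date", "merchant", "amount"}

class TxnScraper(HTMLParser):
    def __init__(self):
        super().__init__()
        self.rows, self.markers = [], set()
        self._row, self._field = None, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        cls = a.get("class") or ""
        self.markers.update({a.get("id"), *cls.split()})  # remember every id/class seen
        if tag == "tr" and cls == "txn":
            self._row = {}
        elif tag == "td" and self._row is not None:
            self._field = cls

    def handle_data(self, data):
        if self._row is not None and self._field:
            self._row[self._field] = data.strip()

    def handle_endtag(self, tag):
        if tag == "td":
            self._field = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

def classify(html):
    """Return (status, rows); a page missing the expected container is never 'ok'."""
    p = TxnScraper()
    p.feed(html)
    p.close()
    if "mfa-challenge" in p.markers:  # only the account holder can answer this
        return "needs_user_mfa", []
    if "transactions" not in p.markers:  # expected container absent: do not report "no activity"
        return ("blocked_by_interstitial" if "modal-overlay" in p.markers else "layout_changed"), []
    if any(not REQUIRED.issubset(r) for r in p.rows):  # rows found but fields renamed or missing
        return "layout_changed", []
    return "ok", p.rows
```

An empty statement still returns "ok" with no rows because the expected container is present; every other outcome is a status that can trigger a reconnect prompt or a parser update rather than a silent gap in the feed.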
Fixing this undesirable situation sustainably isn’t a matter of better software, but of triggering a revolution in the banking industry. Many are pushing for that to happen—Abacus included.
The fight for open banking
The thing is, no one actually likes the status quo. Financial institutions hate screen scraping. They even go so far as to warn customers against it. Industry trade groups have proposed format after format to replace the practice. None have succeeded. Open Financial Exchange (OFX), probably the most widely used of these data formats, is still a long way from universal.
Technology and consumer advocates, meanwhile, admonish the banks for forcing customers to use a brittle workaround in order to access their own data. Fintech companies have formed our own industry groups and lobbied for open banking standards. (Abacus is a signatory to one such petition.) In 2016, then-Director of the Consumer Financial Protection Bureau Richard Cordray said in a speech that he was “gravely concerned by reports that some financial institutions are looking for ways to limit, or even shut off, access to financial data.” Other regulatory attention has been paid to this issue as well, even though it hasn’t been enough to force change.
It’s not entirely clear why this standoff between banks and financial technology has been so difficult to settle. One possibility is that card-issuing banks feel they’re already fighting for their lives against an army of small fintech companies that are rapidly unbundling the services big banks rely on selling together. Opening up consumer data and empowering the apps, the theory goes, would invite even faster disruption of that core business model.
A less conspiratorial possibility is that banks simply don’t believe the cost of building direct APIs for non-enterprise credit card programs would be worth the new business those projects would generate. This reasoning assumes that business- and consumer-tier customers choose their credit cards based on rewards programs and other considerations, not data portability. Ironically, because third-party aggregators do a serviceable job of getting that card data, there’s no rush for banks to provide it the right way.
PSD2, GDPR, and finally owning your data
For fifteen years, the push for bank APIs has remained a stalemate. Here in 2018, however, something is changing. Consumers are starting to demand ownership over their data.
In Europe, a raft of legislation is ensuring they have it. GDPR, the EU’s massive new privacy law, codifies the duty of companies to store data exclusively at the behest of their customers. The recently enacted PSD2 requires banks to allow third-party access to consumer data. The UK is going even further in that direction, mandating with their Open Banking initiative that financial data be made available in a standard format. Australia recently wrapped up their own study of open banking, concluding that “data holders should be obliged to share all information that has been provided to them by the customer.” More is on the horizon.
The signals are clear: in modern economies, consumers are starting to demand control of their financial data. Once the market begins monetizing its preference for data portability, American financial institutions will surely follow the example of Europe and offer the same level of flexibility that commercial card programs have had for years.
Progress does seem to be inching forward in places. Some US banks, for example, have launched business-tier card APIs. Inside the industry, the issue gets plenty of attention. Still, there hasn’t been anything like a watershed moment. Third-party data aggregation remains the best solution.
Ultimately, consumers hold the key to manifesting change. The more finance teams adopt specialized software in their workflows, the more they’ll demand access to their own data. This esoteric debate will move out into the open, and hopefully, data portability will become table stakes among non-enterprise corporate cards.