What Comes Between Your Favorite Financial App and Your Bank Account?

PNC knows our customers appreciate the convenience of financial apps that help them to make payments and manage their finances and investments. PNC also is committed to helping to protect our customers’ data and assets. That’s why we’re taking steps to ensure our customers who link their PNC account to financial apps understand why and how their data, including sensitive information that could facilitate fraud, might be stored and potentially accessed by third parties.

Financial technology firms, apps, data aggregators – and your personal data

Financial apps created and owned by financial technology firms, or fintechs, function by linking their apps to the financial institutions where customers have accounts. Customers using financial apps typically have to provide the fintech firm with their secure online banking log-in credentials (username and password). For financial apps to perform as intended, fintechs must be connected digitally to the banks and financial institutions where app customers have accounts.

Making digital connections with the myriad of banks and financial institutions used by customers is a large and costly prospect, and fintechs manage this process by contracting with data aggregators – behind-the-scenes technology companies that serve as a link between customers’ financial apps and their bank accounts.

What many financial app users do not realize, as outlined in a recent research study conducted by The Clearing House, is that once they provide their secure online banking log-in credentials to a financial app, data aggregators use this information to log into customer bank accounts.

Once in the accounts, data aggregators download or "scrape" account information such as balances, account numbers, transactions and account statements, which are then shared with the fintech that owns the mobile app.

The information "scraped" and maintained by the aggregator, however, may go beyond what is necessary for the particular financial app to fulfill the service requested by the customer, and the data may be maintained by the aggregator even after the customer ceases using the financial app.

The fact that the sensitive information outlined above is maintained by an outside party is concerning. Of particular concern to us is the storage of account numbers by a third party, because fraudsters, if armed with this information, would have the access they need to move money from our customer accounts.

PNC supports secure financial app use – and is committed to helping protect customers

  • PNC has implemented enhanced security controls specifically designed to help protect customers’ financial accounts and related information when using financial apps that conduct screen scraping.
  • When you connect your PNC account to a financial app, PNC will prompt you to enter a one-time passcode to proceed and we will send you an alert to confirm that you have initiated the request.
  • We've also taken steps to protect highly sensitive information that could facilitate fraud or account takeover.
  • We are collaborating with The Clearing House and Financial Data Exchange, as well as data aggregators and fintechs, to enable an easy and more secure way to provide access to this data with clear and transparent customer consent.

Banking customers who use mobile apps should ask the provider the following questions:

  • What third-party data aggregator does this financial app use to connect to my bank account?
  • What type of data does the aggregator collect when connecting with my bank account?
  • Does the data aggregator use encryption when retrieving my data?
  • How long will my data be retained by the data aggregator once my use of the financial app has been terminated?
  • How do I request that the data aggregator stop collecting my financial data?
  • What is the data aggregator’s process of purging my data?
  • Does the data aggregator share my online banking credentials or other personal and financial information with others, including other service providers?
  • What type of liability does the financial app or data aggregator bear in the event of any loss due to a data breach, other unauthorized access or fraud?

Banking customers can use the following tips to help keep their data secure

Use Multi-Factor Authentication:
This is a security option that allows you to receive a text message with a one-time passcode every time you sign on to your online or mobile banking account. It is an additional step to entering your PNC Online and/or Mobile Banking User ID and Password. Access to your account is only approved once you input the one-time use passcode.

PNC User ID and Password:
If you don’t recall what financial apps you’ve linked to your PNC account, change your PNC Online and/or Mobile Banking User ID and/or Password. Then, reconnect with financial apps that you actively use with the new user ID and/or password. Never use the same password and user ID to conduct your PNC banking as you do for any other site. Re-using the same log-in credentials on different websites, such as social media sites or email, puts your credentials at risk, as well as any other account using those same credentials.

Read the Fine Print:
A financial app’s terms of service agreement often contains important details about the responsibility of the data aggregator and how sensitive information that you provide will be used.

Monitor Your Accounts:
Regularly check your accounts for any unauthorized transactions, including any debits from your account that you did not make or recognize.

Set Up Alerts:
Opt in to receive account and security alerts via text or email on all your bank, investment and credit card accounts. Stay on top of your account balances, and pay attention to notifications of activity on your account.
