JP Morgan Boosts Security by Tokenizing Partner Passwords

The largest bank in the US will limit security breaches by issuing tokens instead of passwords with its wide range of partners.

Need to Know

  • In order to increase security measures for its customers, JPMorgan Chase is prohibiting all third-party fintech apps from accessing customer passwords.
  • The restriction of password access has the largest US bank issuing secure and data-limited tokens to all third-party apps, a move the bank feels better protects customer data.
  • Aggregators Yodlee and Plaid have agreed to use tokens for all of its interactions with the bank, as well as their related apps. 
  • JPMorgan Chase is the largest US bank, reporting a 2018 revenue of $109 billion.


Three years after JPMorgan Chase CEO Jamie Dimon warned of the dangers of data sharing, the largest bank in the US has banned fintech apps from using customer passwords to access banking accounts and information. 

In his 2016 letter to shareholders, Dimon broke down the risks to both banks and its customers stating, “customers often do not know the liability this may create for them, if their passcode is misused, and, in many cases, they do not realize how their data are being used. For example, access to the data may continue for years after customers have stopped using third-party services.”

In an effort to get customers’ passwords ‘out of the system’ JP Morgan will opt for the tokenization of data. Third-party apps will receive tokens, a narrow range of data sent in a secure form, rather than the valuable and often sold personal information and passwords. 

Already on board is aggregator Yodlee, agreeing to use tokens for all of its bank interactions. The Financial Times reported that Plaid has also agreed to start using a token on behalf of the numerous budgeting and personal finance apps that currently use Plaid to connect to customers. 

Over the years fintech’s Voya, BlackRock and Fiserv all experienced data and security breaches comprising personal information of their customers. JPMorgan Chase head of digital, Bill Wallace, told The Financial Times that he did not think that their password eradication plans would result in apps not being to interact and engage with Chase customers insisting that the ban was not aimed at deterring customers from moving to new platforms. 

This new announcement is a major step towards further protecting consumers. By limiting the amount of information shared with outside partners, any possible data breaches will have much less severe consequences. As more fintechs pop up offering niche services, more and more partnerships will be formed. Some of the leading banks in North American partner with hundreds of fintechs every year, so limiting password exposure will be beneficial for numerous reasons.

JPMorgan Chase has not yet set a date for its ban on password-based access.