show me the money

This bot took $250 million from people’s bank accounts—for their own good

Elena Scotti/FUSION

It’s the mantra of many a financial advisor: “It’s not what you spend that matters. It’s what you save.” But the mantra of many respondents is “easier said than done.”

In hopes of making saving easier, San Francisco-based start-up Digit created a chatbot that helps you put money aside by analyzing your spending history and daily activity. It then figures out where to siphon off small sums of cash on a regular basis. To see how well the bot’s algorithms work, I decided to try it out.

It took me less than a minute to sign up on Digit’s website, where I handed over my email address and mobile phone number. After verifying the email and providing my bank login credentials, the bot kicked in. Within a few days, it started to withdraw small amounts of money (between $0 and $150). The bot isn’t supposed to transfer more than you can afford but if it does cause an overdraft, Digit refunds the fee. The funds are then held by Digit in what they call your “Digit account.” To withdraw funds you text the bot and the funds are transferred back to your checking account the next business day.

Every few days I got chirpy text messages, peppered with animated gifs, telling me how much money the bot had saved for me. Before long, I stopped logging into my bank account to check my balance. Within a few weeks I’d saved about $300. And I’m far from alone. Since it launched a year ago, Digit says it has saved its customers $250 million.

As the bot continued to sweep $10 and $20 out of my account, it occurred to me that the process might have been too easy. Questions started circling in my mind. What exactly is this chatbot doing with my money? And how safe is my bank account information? The chirpy text messages and animated gifs that typically peppered our conversation momentarily started to seem a little less reassuring.

Happily, this bot is legit, but there are some things you should know before you sign up.

First, it’s not a traditional savings account because Digit is not a bank. When you sign up, you won’t need to go through the usual steps you would to open a bank account, like verifying your identity by providing your date of birth, driver’s license, social security number or other identification. Digit relies on your bank to vet your identity, and it partners with other banks to hold its customers’ funds in pooled accounts on its customers’ behalf.

Currently, Digit covers its costs from the interest on the funds it holds in these accounts. (To date, the service is free, although the company says it may consider charging users in the future.) What this means for customers is that your Digit account doesn’t earn interest the way a traditional savings account would. It does offer a small “savings bonus” for those who maintain funds in the account for three months or longer, although, according to the company, most customers don’t let funds sit in the account that long.

Next, to use Digit you’ll need to trust it with your banking login credentials and bank account number. If you read the terms of service, you’ll also notice that you’ve actually provided a limited power of attorney to the service to access your online banking account data and make ACH transfers to and from your account. Yep. You basically authorize Digit (or more accurately, its third-party agents) to hack your bank account on your behalf. And, if that seems unnecessarily sweeping and potentially a tad insecure, you are right to raise an eyebrow.

Digit’s service is layered on top of the existing banking infrastructure, which wasn’t built to handle customers handing out their banking logins or account numbers. It’s a problem shared by nearly all software startups in the space, like Mint, Expensify, and Robinhood, which all require access to customer banking data in order to work.

Social media platforms allow customers to connect apps to their account data without giving up login credentials or other sensitive information by using token-based authentication (OAuth). But the banking industry has yet to catch up, explains Digit CEO Ethan Bloch.

According to him, some banks are beginning to address the issue. In the meantime, Digit and other fintech start-ups rely on still other fintech companies, such as Yodlee and Plaid, to enable them to connect with users’ bank accounts. And unfortunately, these companies need your login credentials to access your bank account data for you. (This thread on Hacker News from earlier in the year highlights the issue in more detail.)

Finally, Digit, again because it is not a bank, does not need to comply with Customer Information Program regulations that require banks to form a reasonable belief of a customer’s true identity before opening an account. In fact, I was able to open a Digit account using a pseudonym and a Google number that didn’t match the name on my bank account. (We reached out to my bank, Citibank, for comment on how this is possible and what the security implications may be if any, but did not get a response by the time of publication.)

It’s a gray area that is increasingly catching the eye of regulators, says John Wagner, who advises clients on matters related to banking regulations and compliance for Deloitte Advisory. According to Wagner, a number of the fintech firms do have robust compliance infrastructures while others have gotten “ahead of regulations.”

“It’s a challenge we’re seeing in the market,” he says. “You are making a judgment with any of these firms that they have sufficient security that you are comfortable giving them your account information. That decision is based on your assessment.”

So what if something goes wrong? What is to stop a hacker from accessing my account via security loopholes in SMS or outdated ACH technology?

For its part, Digit says it takes a number of precautions to secure its customers’ data. “Digit has systems in place to detect suspicious or unusual activity that are reviewed and monitored daily by our team,” says a Digit spokesperson.

According to the company, Digit does not store your bank login credentials on its own servers. They are stored with Yodlee and Plaid, two companies that specialize in connecting apps like Digit to customer banking data. In terms of the personal information it does store, the company says it adheres to standard practices of encryption and limits employee access. Users’ checking account numbers are stored by the company on a separate server that is not linked or accessible to other parts of its service. There is a cap on the amount of money that can be moved into Digit per week, currently $2,000.

Finally, although you can open a Digit account using a different name and contact information from that of your bank account, the money that gets saved into Digit can only be moved back to the originating bank account. It’s a closed loop. For example, even though I was able to sweep funds from my account into a Digit account using a pseudonym, according to the company, I wouldn’t have been able to transfer the funds out of the service to an account other than my own. Attempting to do so would trigger some or all of the identity verification steps required of traditional banks to open an account.

And, of course, if you did notice suspicious transactions, you could try to appeal them with your own bank. “At the end of day the consumer is protected by Regulation E and could make a complaint for any unauthorized transactions,” says Gary Stein, Deposits Markets Program Manager, of the Consumer Financial Protection Bureau. (Their site offers this handy guide on what to do if you discover an automatic deduction transaction that you did not authorize.) However, some banks may not cover the losses. Chase, for example, warns customers that they may be responsible for losses resulting from sharing their login credentials in violation of its terms of use.

For customers who can get comfortable with the risk, artificial intelligence does have much to offer the would-be saver. In the short time I used Digit, I saved 20% more than I would have otherwise by transferring funds into my savings account once a week. That doesn’t seem game-changing until you consider how many Americans make a living doing shift work, freelance gigs, or seasonal jobs. For those of us with irregular incomes, trying to save is often a game of playing chicken with the bank to avoid overdraft fees.

And sure, Digit doesn’t allow you to grow your money the way you might in a traditional interest-bearing account. But interest rates have been lousy for just about as long as anyone can remember and most people under 35 are perpetually racking up debt. Maximizing earnings may be less important to many than simply putting money aside.