OpenAI’s ChatGPT Enables Direct Connection to 12,000 Financial Institutions, Raising Privacy Concerns
What Happened — OpenAI released a ChatGPT Pro feature that lets users link bank, credit‑card, brokerage, and other financial accounts via Plaid (and soon Intuit) for real‑time personal‑finance advice. The rollout targets paid subscribers first, with plans to expand to all users.
Why It Matters for TPRM —
- The integration creates a new data‑flow path between a consumer‑grade AI platform and sensitive financial systems.
- Third‑party risk managers must assess whether the AI vendor’s security, data‑retention, and access‑control practices meet their organization’s standards.
- Potential misuse or breach could expose transaction histories, balances, and personal identifiers across millions of users.
Who Is Affected — Financial services (banks, credit‑card issuers, broker‑deals), fintech API providers (Plaid, Intuit), and any enterprise that relies on these institutions for payroll, expense‑management, or treasury functions.
Recommended Actions —
- Review OpenAI’s data‑handling and de‑identification policies; request evidence of encryption at rest/in‑transit and audit logs.
- Verify that Plaid’s and Intuit’s SOC‑2/ISO‑27001 attestations cover the new ChatGPT integration.
- Update vendor risk questionnaires to include AI‑driven financial advice use cases and “temporary chat” controls.
Technical Notes — The feature leverages GPT‑5.5 to process multi‑step financial queries. Account linking is mediated through Plaid’s API, which aggregates data from >12,000 institutions (e.g., Bank of America, American Express, Robinhood, Charles Schwab). OpenAI promises user‑controlled disconnects and “financial memory” erasure, but the underlying data pipeline and model training retention remain opaque. Source: The Record