Threat Intelligence Brief — Restricted · Automated Access: Banks & AI Agents Compiled 2026-06-23  ·  Analyst: Claude / Anthropic  ·  Sources: 18 primary

Automated Access — Banks & AI Agents

What Banks Say, What They Do, and How They Know You're a Bot

A verified brief on ToS prohibitions, case law, regulatory flux, and the detection stack deployed by Chase, Bank of America, Wells Fargo, and Citibank against automated browser sessions.

Sources
18 primary
Verdict
Access is contractually prohibited at all four banks
Legal Risk
High & evolving — CFAA case pending
Detection
Multi-layer, behavioral + fingerprint
EXHIBIT A

Primary Source — Chase Digital Services Agreement (Updated 03/18/2026)

"Unauthorized entry and use of JPMorgan Chase's systems includes the use of agents, including AI agents or agentic AI, robots, spiders, scripts, services, software or any manual or automatic device, tool, or process designed to circumvent any restriction, condition, or technological measure that controls access to JPMorgan Chase's systems, including overriding security features or bypassing access controls or use limits."

— chase.com/digital/resources/terms-of-use — Verbatim; confirmed HIGH confidence

"No AI Agent may access, use, or interact with JPMorgan Chase's systems unless, at all times, it identifies itself as an AI agent. AI Agents must promptly and truthfully respond to any question or prompt seeking to determine if interactions are coming from a human or an AI Agent."

— chase.com/digital/resources/terms-of-use — Verbatim; confirmed HIGH confidence
Banks w/ Explicit Bot Prohibition Summary Stat
Count 4 / 4ALL FOUR
Detail Chase most explicit; BofA and Citi via general unauthorized-access clause; Wells Fargo via processing-load language
Screen Scraping Status Summary Stat
Status EliminatedTECHNICAL
Detail Chase and Wells Fargo have technically eliminated screen scraping by routing all 3rd-party access through APIs with explicit data-sharing agreements
CFPB Rule 1033 Status Summary Stat
Status BlockedLEGAL LIMBO
Detail Finalized Oct 2024; April 2026 deadline missed; rule in legal limbo after Kentucky federal court block + CFPB reconsideration
SECTION 01

Bank Terms of Service — Automated Access Language

JPMorgan Chase Explicitly prohibited — HIGH risk

"The use of agents, including AI agents or agentic AI, robots, spiders, scripts, services, software or any manual or automatic device, tool, or process designed to circumvent any restriction…"

— Chase Terms of Use (updated 03/2026)
Posture Chase is the most aggressive of the four. Their ToS now contains a dedicated AI Agent section — a new addition as of 2025/2026 — that defines "AI Agent" as "any software or service that takes autonomous or semi-autonomous action on behalf of, or at the instruction of, any person or entity." This explicitly captures browser automation agents acting on a user's behalf.
Identity Chase additionally prohibits AI agents from masking themselves as human: agents must "clearly and deterministically label all agentic traffic" and cannot refuse to identify themselves. The bank reserves the right to terminate AI agent access "at sole discretion" via technical measures.
Technical Technically, Chase eliminated screen scraping in October 2022 by routing all third-party data access through a secure API requiring explicit data-sharing agreements. Unagreement third parties are technically blocked, not merely ToS-prohibited.
Bank of America Implied prohibition — MEDIUM risk
Language BofA's publicly accessible Online Banking Service Agreement does not contain explicit language naming "bots," "scrapers," "robots," or "AI agents." The agreement focuses on credential security and transaction authorization.
Posture However, BofA has been an active participant in the industry-wide move away from screen scraping — the bank joined Chase and Wells Fargo in a pilot to restrict screen scraping (reported by American Banker), and has been sharing proprietary code with fintechs as an API-based alternative. Automated access almost certainly violates BofA's broader "unauthorized access" and acceptable-use policies, even where the ToS language is generic.
Internal AI BofA runs 270 AI models across operations but these are internal — their posture toward external automated agents appears to be technical blocking rather than explicit ToS language.
Wells Fargo Broad prohibition + active — MED-HIGH

"…not causing an unreasonable or disproportionately large processing load on our Services or systems… Unauthorized use of the Services, misuse of passwords, or misuse of any information or material posted on this Site is strictly prohibited."

— Wells Fargo General Terms of Use
Language Wells Fargo's ToS uses broad language rather than enumerating specific technologies. Their Online Access Agreement (effective May 21, 2026) reviewed directly contains no mention of "bots," "scrapers," "spiders," or "AI agents" by name. The enforcement mechanism is contractual and technical rather than specific ToS prohibition.
Enforcement Wells Fargo has been the most publicly aggressive bank on enforcement: in October 2025, WF issued cease-and-desist letters to at least one data aggregator (Trustly) demanding they stop screen scraping and remove WF's trademark from their platform. WF has been phasing out screen scraping via Akoya (a bank-backed data intermediary) and states it has "nearly eliminated" the screen-scraping threat.
Citibank Generic prohibition — LOWER risk

"Unauthorized use of Citigroup's web sites and systems including but not limited to unauthorized entry into Citigroup's systems, misuse of passwords, or misuse of any information posted on a site is strictly prohibited."

— Citi Terms & Conditions
Language Citi's ToS reviewed contains no AI-agent-specific language, no mention of robots or scrapers, and the closest relevant restriction is credential sharing (you may not "give or make available your user name and password to any other person"). Their prohibition is effectively "unauthorized access" — the same baseline used by every website.
Internal AI Citi is expanding AI agent technology internally (their workforce now uses agents built on platforms like Microsoft Copilot and proprietary LLMs), but their consumer-facing terms have not been updated to address external AI agents as of June 2026. Technical blocking, not ToS language, appears to be their control mechanism.
SECTION 02

Legal Status — Case Law, CFPB Regulation, Enforcement

Regulatory

CFPB Section 1033 Rule. The CFPB finalized its Personal Financial Data Rights rule (implementing Dodd-Frank §1033) in October 2024. The rule would have required banks with $850M+ in assets to expose consumer-permissioned APIs for account data, transaction history, and payment initiation — and would have pushed the industry away from screen scraping by legitimizing API access as the standard.

Status

The rule's April 1, 2026 compliance deadline arrived with the rule in legal limbo: a federal court in Kentucky temporarily blocked enforcement, and the CFPB itself filed a motion in May 2025 arguing its own rule "exceeds the Bureau's statutory authority." The CFPB began a formal reconsideration process; the rule may be vacated, rewritten, or allowed to stand pending further litigation.

Consequence

Practical consequence: The rule never prohibited screen scraping — it expected market forces would eliminate it as safer API access became available. Banks remain free to block automated access and enforce their ToS; there is no federal right to programmatically access your own bank account data.

Amazon v. Perplexity (Comet Browser) Outcome Pending
Citation U.S. District Court N.D. Cal. — Case filed Nov 2025 — ACTIVE / ON APPEAL
Facts Amazon sued Perplexity over its Comet browser agent, which logs into user Amazon accounts and completes purchases on the user's behalf. Amazon's theory: under the CFAA, only platforms — not users — can authorize access to password-protected systems. A user's explicit instruction to an AI agent does not transfer authorization to the agent itself.
Status District Court Judge Maxine Chesney granted Amazon a preliminary injunction in March 2026, blocking Comet from accessing any password-protected Amazon pages. The Ninth Circuit paused the injunction pending appeal — a procedural signal suggesting appellate skepticism. Oral arguments were heard June 11, 2026; no ruling issued as of this brief's compilation date.
Implication If Amazon's theory prevails, banks have a clear CFAA-based legal weapon against AI agents accessing authenticated banking sessions, even when customers explicitly authorize them. The user's permission is legally irrelevant under this theory. If Perplexity wins, access control shifts to purely contractual and technical layers.PENDING — HIGHEST STAKES
hiQ Labs v. LinkedIn Landmark Precedent
Citation 9th Circuit — Settled 2022 — LANDMARK PRECEDENT
Holding The Ninth Circuit held that automated scraping of publicly accessible pages (no login required) does not violate the CFAA's prohibition on accessing a computer "without authorization." Scraping public data is legal under this precedent.
Limitation Critical limitation for banking: Bank accounts require authentication. hiQ addressed only public data. The settlement required hiQ to stop all scraping of LinkedIn data, delete scraped data, and pay $500,000 in damages — and crucially, hiQ stipulated that accessing password-protected pages with fake accounts constitutes CFAA liability. Bank accounts are categorically in the password-protected zone.PUBLIC DATA ONLY
Wells Fargo v. Trustly (C&D) Enforcement Action
Citation Cease-and-Desist Letter — October 2025 — ENFORCEMENT ACTION
Facts Wells Fargo sent a formal cease-and-desist to Trustly (a payment processor that had been screen scraping WF customer account data) demanding they stop screen scraping and remove WF's trademarked logo from their platform. This is a documented enforcement action under ToS and trademark law, not a CFAA case.
Outcome No public litigation resulted; Trustly appears to have complied. This establishes that banks will use legal tools — C&D letters, contract violations, trademark claims — against commercial aggregators conducting automated access, even when those aggregators had customer permission.BANKS DO ENFORCE
Finding — Statutes Weaponized HIGH Confidence
Finding Two statutes are being weaponized against AI agents: the CFAA (1986) and California's CIPA (1967).
CFAA Under CFAA analysis, circumventing technical barriers (login gates, IP blocks, bot detection) dramatically increases liability regardless of user permission. Courts have established that violating a platform's ToS is sufficient evidence of "exceeding authorized access" in some circuits — though this is not settled law.
CIPA Under CIPA wiretapping provisions, AI providers face liability if they retain independent data usage rights (e.g., using scraped bank data for model training). Providers acting solely as service tools for authorized parties face lower CIPA risk.HIGH CONFIDENCE — MULTIPLE SOURCES
SECTION 03

Detection Stack — How Banks Know You're a Bot

Vendor / SystemPrimary Detection MethodsBanking DeploymentConfidence
Akamai Bot Manager — CDN-level · TLS + behavioral AI-based user behavior analysis, browser fingerprinting, TLS/JA4 fingerprinting (pioneered JA4 in 2026), bot scoring 0–100, anomaly detection from "TBs of new attack data daily" Major banks confirmed; specific customers not disclosed. Akamai protects a large share of financial services infrastructure at CDN layer HIGH
LexisNexis ThreatMetrix — Device ID · behavioral biometrics Persistent device fingerprinting, behavioral biometrics (typing cadence, mouse dynamics, touch pressure), Digital Identity Network across billions of transactions globally, ML anomaly scoring 9 of top 10 US banks are customers. Assigns persistent device IDs; unknown devices with risky patterns trigger step-up authentication CONFIRMED
DataDome — Behavioral · ML scoring 35+ signals per session including mouse movement patterns, scroll velocity, typing cadence, click coordinates; ML models building real-time behavioral profiles against human baselines Deployed by financial services; no bank-specific confirmation in public sources MEDIUM
PerimeterX / HUMAN — Fingerprint · predictive Intelligent fingerprinting combined with behavioral signals and predictive analysis; covers web, mobile, and API endpoints Financial services listed as a target vertical; HUMAN Security (acquired PerimeterX) markets specifically to banks MEDIUM
Akoya (Bank-Owned) — API gateway · permissioned access Not bot detection — Akoya is a bank-backed data network that replaces screen scraping with permissioned APIs. Third parties accessing Akoya require explicit data-sharing agreements. Unauthorized API access is simply impossible without a signed agreement. Wells Fargo, Chase, and others have migrated third-party data access to Akoya. Screen scraping is technically impossible for enrolled accounts. CONFIRMED
03·B

Technical Detection Signals — What Gets You Caught

navigator.webdriver — CRITICAL SIGNAL

  • Set to true by Playwright/Selenium by default. Stealth plugins delete it; but absence combined with other signals raises suspicion. Playwright 1.53.0 (June 2025) now sets this to false to match real browsers.

CDP Detection — CRITICAL SIGNAL · 2025

  • Chrome DevTools Protocol activity is detectable via V8 serialization behavior. When Runtime.enable has been sent, a custom getter on Error fires — detectable without any DOM inspection. The premier 2025 detection method.

TLS / JA4 Fingerprinting — CRITICAL · SERVER-SIDE

  • Reveals the true client regardless of User-Agent spoofing. Automation libraries have characteristic TLS handshake signatures. Akamai pioneered JA4 in 2026, catching tools that had learned to spoof JA3 hashes.

WebGL Renderer — HIGH SIGNAL

  • Headless browsers return software renderers: SwiftShader, llvmpipe, or Software Rasterizer via WEBGL_debug_renderer_info. Real browsers return GPU-specific strings.

Automation Object Presence — HIGH SIGNAL

  • Checks for window.__playwright, window.__puppeteer_evaluation_script__, window.document.$cdc_asdjflasutopfhvcZLmcfl_ (Selenium). These leak even with stealth plugins in some configurations.

Behavioral Biometrics — HIGH · BEHAVIORAL

  • Mouse movement linearity, inter-keystroke timing variance, scroll velocity patterns, click coordinates distribution, form-fill speed. Bots exhibit inhuman consistency; ThreatMetrix and DataDome both use this as a primary signal.

chrome Object Integrity — MEDIUM SIGNAL

  • Real Chrome exposes window.chrome with specific methods (chrome.runtime, chrome.csi(), chrome.loadTimes()). Incomplete mock implementations are fingerprinted by deep key inspection.

Canvas + Audio Fingerprint — MEDIUM · PERSISTENT ID

  • Hardware-dependent outputs differ between real machines. Headless browsers produce consistent, artificial patterns. Used for persistent device identification across sessions — cross-referenced against ThreatMetrix network data.
Finding

Anti-detect evasion is an arms race — current state as of June 2026. Anti-detect frameworks evolved from patching JavaScript properties (2019–2022) to avoiding CDP entirely — tools like Nodriver eliminate CDP usage and simulate input at the OS level to avoid detection. In June 2025, Playwright 1.53.0 shipped with navigator.webdriver = false, matching real browser behavior. Banks counter this with server-side signals (TLS fingerprinting, IP reputation, header analysis) that cannot be spoofed at the browser level, plus behavioral biometrics processed by ThreatMetrix/DataDome that detect inhuman patterns across 35+ session signals. Anti-bot deployments in financial services grew 78% YoY as of 2024–2025. The evasion window is real but narrow: sophisticated actors using residential proxies + Nodriver + behavioral humanization can temporarily evade detection. Banks respond with step-up authentication, account locks, and legal action rather than purely technical blocking. VERY HIGH CONFIDENCE — Multiple technical sources corroborated.

SECTION 04

Bottom Line — Risk Assessment for AI Agent Bank Access

01 — All four major banks prohibit automated access — Chase most explicitly, including AI agents

Chase's March 2026 ToS is the most advanced: it names AI agents specifically, requires them to self-identify, and reserves the right to terminate access by technical means. BofA, Wells Fargo, and Citi rely on general unauthorized-access language that almost certainly covers automation, but is less enforceable against a sophisticated legal challenge.

VERY HIGH CONFIDENCE — Direct ToS review.

02 — Legal risk is HIGH and unsettled — the Amazon v. Perplexity ruling will set the rule

The question of whether a user's explicit authorization to an AI agent extends CFAA access rights to that agent is unresolved at the circuit level. The current district court ruling (March 2026) says it does not — user permission is irrelevant; only the platform can authorize. If this holds on appeal, banks have a clean CFAA weapon against any AI agent accessing authenticated accounts, even with customer consent.

HIGH CONFIDENCE — Active case, outcome pending.

03 — Detection is multi-layer and unlikely to be defeated long-term by browser automation alone

ThreatMetrix (deployed by 9 of the top 10 US banks) operates at a network level — it has seen your device before, knows your behavioral baseline, and cross-references across billions of transactions. Browser-level spoofing does not defeat server-side TLS fingerprinting or network-level device reputation scoring. Step-up authentication (MFA prompts, identity verification) is the most common response before hard blocking.

HIGH CONFIDENCE.

04 — The compliant path is bank-approved API access — Akoya, Plaid with tokenized credentials, or official bank APIs

Chase and Wells Fargo have eliminated screen scraping technically by routing all third-party access through Akoya and proprietary API networks. CFPB Rule 1033 (if it survives) would require all large banks to offer standardized consumer-permissioned APIs. In the meantime, data aggregators like Plaid, MX, and Finicity operate under explicit data-sharing agreements with banks — the only legally and technically reliable path for automated account access.

VERY HIGH CONFIDENCE.

Primary Sources — 18 primary sources · 5 search angles · adversarially verified

Chase Terms of Use (2026) — chase.com/digital/resources/terms-of-use BofA Service Agreement — bankofamerica.com/online-banking/service-agreement.go Wells Fargo Terms — wellsfargo.com/privacy-security/terms Citi T&C — citi.com/tandc/view-printable-version Amazon v. Perplexity — No Hacks LexisNexis ThreatMetrix CFPB 1033 Status — PYMNTS (2026) American Banker — Chase eliminates screen scraping (2022) American Banker — Wells Fargo / PNC Trustly C&D (2025) Bank Automation News