In the financial world, there are two techniques to establish a connection to a bank. Either an application programming interface (API) or screen scraping can be used to gather information or complete transactions via a bank account.
In previous years, screen scraping was the only option, though it was found to have many downsides. More recently, with the advent of open banking, the use of APIs has been discussed as the superior choice.
How do third-party providers access bank data?
When a customer provides permission for a third party to access their data, there is one of two approaches used: open banking or screen scraping. Each will establish a connection to the bank to gather information or complete a transaction, but there are some key differences between the two.
What is screen scraping in banking?
Screen scraping in banking involves supplying bank login details to an application. The application can store and use these credentials repeatedly to gain access on the user’s behalf.
The name screen scraping is used because the financial data accessed by the application can be 'scraped', since it is as if the user themselves were logged into their bank.
How does screen scraping work?
From a customer perspective, it’s safer not to have access to certain financial data if it means opening a window to a considerable variety of vulnerabilities. It is true that providers try to mitigate these vulnerabilities as much as possible, but they are never fully gone.
Screen scraping works by allowing a third party to access a customer’s bank account using the customer login credentials. Those credentials are then stored by the third party, which means they can scrape the data from the bank account and use this information just like the customer would.
Here's a visual representation of how it works:
You can think of it like a third party being allowed to impersonate the customer. Everything that the customer can see in their bank account, or do via their bank account, can then be done by the third party.
The rise of screen scraping
Before screen scraping, banks were more closed off when it came to accessing customer data or making transactions. Over the years, the use of screen scraping changed. Though non-financial industries can use screen scraping, it was popularised within this realm because of the convenience, value and functionality that can be gained with online banking data. This practice became prominent because legitimate banking APIs haven’t historically been widely available until more recently.
As the financial industry grew and evolved, Open Banking came about. This has allowed a more secure form of connectivity, making screen scraping less important than it used to be. There are, however, countries in which screen scraping is still common.
Is screen scraping secure?
Screen scraping isn’t a secure method for accessing data. When a third party accesses the user’s bank account, they can view everything as the consumer would, and have the ability to interact with the financial data as if they were the consumer.
The European Commission prohibits the use of screen scraping, as does the Financial Conduct Authority in the UK. If a data breach were to occur, the bank login credentials must be changed. When compared to screen scraping, an API is considered much safer, because consumer consent can be revoked at will.
What are the risks of screen scraping in banking?
There are several risks involved in screen scraping, which are detailed below.
1. It’s unclear who accepts liability if something goes wrong
In screen scraping, the third party is acting as an extension of the customer, using login credentials and getting access to bank information. That makes it a challenge to determine who is doing what in the account, since the same login details are used whether it’s the customer themselves or the third party logging in. Sharing banking credentials is a security risk.
2. There is an increased chance of phishing attacks
Some organisations asking for bank login credentials are trustworthy, but others may be fraudsters posing as legitimate institutions. The use of screen scraping normalises sharing sensitive login details for banking. It’s difficult for an individual to tell the difference sometimes, meaning the risk of phishing is increased when it comes to screen scraping.
3. Credentials may not be securely stored
Third parties may have various ways of protecting data. When a consumer shares banking information, they cannot be certain this data won’t be sold or leaked. Even when a third party stores customer information in encrypted files, there are decryption keys that can become a target for hacking.
4. A loss of control
With screen scraping, the user doesn’t have the same degree of control they have if using a regulated open banking API. In open banking, the user knows which data they’re consenting to be accessed. Consent can be revoked at any time, which isn’t the case with screen scraping. That requires a change of credentials.
5. Possible violation of the bank’s terms and conditions
Certain banks may consider it a violation of their rules if a consumer gives consent for a third party to access their bank account. As screen scraping became more common, banks have adapted these rules, but some are still quite clear to state that the user is then responsible for any actions undertaken by the third party.
Is data accessed through screen scraping regulated?
No, data accessed through screen scraping is not regulated. Screen scraping doesn’t have fixed standards, so each third party utilising this method has its own approaches to security or levels of security involved in the process. Because screen scraping is not regulated, a user who signs up for a service using screen scraping cannot know if the application uses the highest degrees of protection when it comes to their information.
What is the difference between Open Banking and screen scraping?
Open banking and screen scraping are different from one another. Though both give ways to access financial data, the way in which this access is given and the level of security involved in each differ greatly. A common point of contrast between the two involves consent.
With open banking, an API is used to access the financial information. The consumer can revoke their permission for the application to access their data, and they do not need to provide their banking credentials to the third party. Consumers can determine which data they’re sharing when it comes to open banking, which isn’t possible with screen scraping.
In screen scraping, since the third party receives full banking credentials, they have access to all user accounts and data. The consumer also doesn’t know how this information is stored, or if it can be accessed by others.
Why Open Banking is preferable to screen scraping
Because of the risks of screen scraping discussed above, many are wary of using this method. When financial data is shared, security is paramount. Screen scraping cannot give the same degree of safety that open banking can.
Open banking APIs are a secure way to share customer financial data, obtaining consent from the customer to do so. In the EU, API providers including kevin. meet the requirements set out in The Revised Payment Services Directive, or PSD2.
Stay safe with kevin. Open Banking payments
No business should have to face customer concern due to a lack of security in their provided payment methods. With the safety of Open Banking, merchants can enjoy offering customers a high level of sacurity in making payments without having to sacrifice convenience.