By design, any practice that requires a customer to simply hand over his or her online bank credentials to a third party is a terrible idea. But a growing number of fintech firms are rallying together to try to preserve that very practice.
To be sure, screen scraping — which allows data aggregators to pretend to be an online banking customer in order to gain account entry — has been necessary with banks widely refusing direct access for third-party providers through application programming interfaces. But fintechs’ arguments in defense of screen scraping don’t hold water as regulators in the U.S. and abroad weigh policy decisions to expand API usage and give customers more choice and control of their data.
The practice of scraping pages is both inefficient and insecure. There is no uniform way to carry out a screen scrape since every bank website is different. Furthermore, screen scraping opens up risk to the customer who exposes a secret bank password to use another third-party service. While there are no known hacks related to screen scraping, the risks for fraud are mounting. Over the last few years, the rates of identity and account fraud as well as cybercrime have soared around the world. Some bank customer agreements even say it is illegal to share login credentials with third-party services. In such instances, it becomes hazy around what company is responsible if and when the customer’s account becomes compromised through screen scraping.
In Europe, there has been a debate breaking out over whether screen scraping should endure with the arrival of a new data-sharing regulation for payment service providers.
The Revised Payment Services Directive, known as PSD2, will take effect in January. The European Banking Authority, a regulatory agency of the European Union, recommended banning screen scraping under PSD2’s regulatory technical standards in an attempt to strengthen security protocol and assign clear responsibility roles. The European Commission, meanwhile, has said the practice should be a backup method. Currently, screen scraping is set to die within two years in Europe if the EBA’s recommendation becomes formalized. The authority is thought to be planning to finalize the technical standards in November.
The opposition to the screen scraping ban by a number of fintechs within the E.U. is alarming. It is ludicrous to ask the EBA, which fintech companies have done, to change its stance on screen scraping. The EBA’s reasoning for a ban is completely understandable. The only way to avoid the risks associated with third-party access is by creating standardized, pre-agreed and secure API integration using the strong customer authentication methods required under PSD2. Therefore, fintechs in the E.U. should be leading the way for a global ban of screen scraping instead of advocating for its continuation.
There are a lot of fintechs that disagree with me, of course. I can even understand their arguments to some degree. For example, they worry that in the future, banks still might not provide reliable API access, or the system could go down. They therefore want the option of falling back on screen scraping — so the bank doesn’t have all the power. In other words, one argument for screen scraping is that a ban “forces fintechs to become technologically dependent on banks.”
Another similar argument is that a move toward APIs without retaining screen scraping as an option will hurt open banking efforts. With an API, a bank essentially decides what data to share, while screen scraping in theory allows access to everything. Some have concerns that banks will soon be able to pursue action against parties that try to obtain information or provide access to features not covered by the API. The concern is that this ban, in essence, closes the gates to competition instead of what was originally intended.
But I think this is a short-sighted way to look at a ban. Fundamentally, preserving screen scraping would defeat the very purpose of the second payments services directive. All along, PSD2 was drafted with the customer in mind, with the core purpose being to better protect consumers and make payments safer. PSD2 gives customers access to more choice and greater protection when it comes to beefed-up security practices. Those protesting a ban on screen scraping are not doing so with the best interests of the end customer fully in mind.
True, companies that want screen scraping to continue as part of PSD2 argue they can improve the practice by adding in a security layer that gives them third-party access to an account using third-party access. For example, the OAuth standard, recommended by a pending law in the European Union, would make screen scraping safer. But the infrastructure and the API needed to initiate and execute OAuth-based customer authentication is simply unnecessary duplication. If a bank has already made an API available for security reasons, everyone should access and supply data on the “same” channel. Keeping the legacy of screen scraping alive when APIs need to be built for secure authentication is twice as costly for banks. It also makes for bad user experiences as scraped data is prone to errors, while data shared via an API is 100% accurate.
Those opposed to the screen scraping bans often cry that there would have been no innovation, no better customer experiences, no progress, and perhaps ironically, no demand for regulation in the form of PSD2, without disruptive fintech companies. I acknowledge and am thankful for the very important role that fintech disruptors continue to play in creating better payments and financial experiences for consumers. But it’s now time for fintechs to stop thinking and acting like incumbents. Fintechs must embrace the new opportunities available to them, such as open API access.
True, reliance on screen scraping has allowed some businesses to gain a strong foothold in their target markets. Many businesses might be scared that they’ll struggle to see continued success should the practice be banned. But all a ban means is that when these fintech companies need to start complying with regulated open API access, they’ll already have the advantage of having exploited the business advantages of screen scraping, such as getting a head start on knowing what data has been most valuable to their business so far. Then, they can focus on that data and focus on ways to legally collect and exploit it.
So instead of protesting, fintechs across Europe should be rallying to focus on better standards to get API access up and running. PSD2 is, in fact, the very regulation seeking to shake up the banking world and give fintechs a more legitimate platform — this time governed by regulations working in the best interests of customer security.