Consider this scenario: Using your ID and password, a third party logs into your online bank account as if they are you. The information retrieved is then funneled into, for example, a budgeting app.
While this practice can seem intrusive on paper, it’s one that has been going on for about 25 years. Screen scraping reads data on a webpage and then translates that data into another application to enable innovation. It’s how many fintechs built their business models early on.
While it encompasses a broader philosophy of personal data rights, open banking shares similar data dynamics to screen scraping. The movement of consumer data between banks, credit unions, and other financial institutions enables utility, making the data value exchange strong.
But while open banking’s enabling technology, APIs, offer a secure way to open up data and revoke access at any time, screen scraping can be a risky method of sharing data.
As the CFPB introduces new regulatory measures around open banking — the focus of a recent Axway webinar with the Federal Data Exchange (FDX) — screen scraping is being phased out even more in the embedded finance wave.
The driving force of consumer demand
When it comes to their finances, consumers crave the same convenience they do in other facets of their lives. They want to enable processes with less effort — filing taxes without carrying around receipts, applying for children’s college funding without keying in all your IRA information, and so on.
This consumer demand has been a catalyst for data sharing. The FDX found that roughly one in three digitally-enabled customers at the financial institutions they work with shared their credentials with third parties in the past year.
Banks are understandably protective of their customers’ data and can be apprehensive about opening it up via APIs. But as FDX Managing Director Don Cardinal points out, people are already doing it themselves.
What are the risks of screen scraping?
Screen scraping may have been the norm for data sharing in past years, but the dynamics and rules of data exchange are evolving.
In a 2020 IDG survey of IT executives, 33% of IT departments had already adopted a passwordless authentication solution. Meanwhile, 36% planned to go through with this adoption in the next 12 months.
This shift relates to concerns over compromised passwords that can (and often do) lead to costly data security breaches. In the words of Don Cardinal, “If you don’t hold a secret, you can’t lose it.”
At the same time, in today’s GDPR world, there is a growing need to capture explicit customer consent. Customers want more control over their data, with regulations in place to ensure their privacy is protected.
“The customer is king,” Cardinal notes. “The customer, the end user, the consumer is in control. They decide what data, from whom, through whom, for what purpose, and for how long.”
When consumer data compliance isn’t prioritized, there are big fees on the line. In 2021, the Luxembourg National Commission for Data Protection (CNDP) issued a violation fine of $888 million to Amazon Europe for noncompliance with GDPR.
The influence of new CFPB regulations
It’s true that many early adopters of open banking in Europe were regulatory-driven. In the U.S., though, embedded finance adoption has been largely market-driven, with common open standards developed to drive all this data exchange.
But things have started to move on the regulatory front in the U.S. The Consumer Financial Protection Bureau (CFPB) has proposed the rollout of new rules for open banking and consumer data rights in the next year or so. The rules would give consumers more control over their financial data while making it easier for them to switch banks to access better financial products and services.
Before the CFPB announcement, Canada had called for the elimination of screen scraping in a proposal. Despite their more measured and cautious approach, early outcomes of their efforts include published screen flows that emphasize reciprocity.
The idea is data consumers should be data providers, and data providers should be data consumers. The collective goal is to enable further innovation in the delivery of financial services.
Considering the significant trading partnership between the U.S. and Canada, interoperability is key. Standardization surrounding open banking supports this need. Rather than requiring proprietary connections for thousands of endpoints, a common open standard simplifies onboarding and improves the quality of data.
Eliminating screen scraping complements this initiative by creating a more efficient and secure means of data exchange. All the while, this shift will put banks one step ahead of regulations that will soon come down the pipeline.