For years, financial technology (fintech) companies have used screen-scraping to retrieve customers’ financial data with their consent. Think lenders, financial management apps, personal finance dashboards and accounting products doing useful things; for example, your budgeting app might use screen-scraping to read the incoming and outgoing transactions in your bank account and feed that information into its analysis…
…putting your privacy, passcode and other security information in danger of getting lost along the way.
Because of those potential dangers to people’s privacy and data, many in fintech are urging the Australian government to follow in the footsteps of the European Union (EU) and ban screen-scraping. But the call is far from unanimous, with some saying that smaller companies simply can’t afford the alternative ways of getting at customer data.
On Thursday, representatives of companies in the fintech industry met with Australia’s Senate Committee of Financial Technology and Regulatory Technology to chime in.
As ZDNet reports, one of the calls for a ban came from Lisa Schutz, founding director of The Regtech Association and CEO of Verifier, who said that her company could use screen-scraping but has chosen not to, because it doesn’t want to intrude on its customers’ privacy. Instead, Verifier abides by the 12 principles of Australia’s Privacy Act to access data: the “long way to get the right outcome,” she said, but worth it:
It comes back to what is the 2050 Australia that we want to live in.
The question of banning screen-scraping has arisen because of the UK’s Open Banking initiative – a new, more secure way for consumers, including small businesses, to share information. It has created a standardized way to share data and to collect customer consent.
It’s an important security upgrade: one that means that, unlike with screen-scraping, passwords aren’t shared with third-party fintech service providers.
Not everyone in the fintech industry wants screen-scraping banned outright. Some argue that the only other option is to develop APIs – a prohibitively expensive proposition for the companies involved, some of which are quite small.
Astrid Raetze, general counsel for one of those small companies, Raiz Invest, said that on one hand you have the banks demanding that screen-scraping be banned, while on the other hand you have fintechs that aren’t affiliated with banks and would have no alternative but to develop APIs under open banking in order to access data.
That would entail a lot of resources that they don’t have, she said:
[What it] doesn’t take into consideration is the disparity of resources between the two camps.
If you switch on open banking and turn off screen-scraping […] what you will do is hamstring the fintech industry.
Raetze said that if her company were forced to develop APIs because of a ban on screen-scraping, it would be looking at development costs estimated at between AU$1 million and AU$2 million, with 6-12 months needed to complete the work.
But, the committee asked her, how can she confidently claim that screen-scraping puts customers and their data at “no risk”?
Because our security is solid and there are no transactions taking place, she said:
We have the same level of security and we do not transact on your account, so there is no risk to you.
Another from the pro-screen-scraping camp was Luke Howes, managing director of Illion, who said that a ban on screen-scraping would be “simplistic and misguided”.
I have never seen, in six years, any consumer harm, because it’s safe. Banning it will cripple millions of users and businesses who rely on it. If you ban it, you’ll send an industry back five or 10 years.
But just because smaller fintech startups haven’t bungled data yet doesn’t mean they won’t, the big banks have been saying for years. Jim Routh – MassMutual chief information security officer, former CISO for Aetna, and former global head of application and mobile security for JPMorgan Chase – said back in 2014 in a conversation with American Banker:
Protecting credentials isn’t necessarily high on their priorities.
…a problem, he said, that’s worsened by data aggregators that collect marketing data, such as the device a consumer is using, to understand their behaviors across channels.
One comment on “Financial tech firms disagree on ban of customer data screen-scraping”
“We don’t transact”… what’s missing is “but we can”. As far as I know, the only way to screen-scrape is to log into the site… in this case the banking site.
None of my banks allow me to create a secondary read-only account, and whilst some may include 2FA for transacting, some do not. Ergo, the screen scraper has full access to the account. And since the screen scraper is not *you*, you’ve handed over your credentials to a third party, which is likely to be against the terms and conditions of your bank. Certainly it introduces some uncertainty in the event of account issues.
Are APIs really that hard/expensive to develop? Should it simply be a cost of doing business?