Can we please stop using screen scraping for bank connectivity?

Disclaimer: I’m incredibly biased. I’m a strong advocate for real bank APIs and I’ve commented before on just how flawed I think screen scraping is.

Screen scraping is still being used to this day, despite expert opinions, such as the one in a recent article by Behaviosec, revealing frightful facts about the technology. Regulators have investigated and reported on the phenomenon, deeming it “unsecure, inefficient, unregulated, and an unreliable method of data sharing.” And there have been heated online discussions around the use of this technology among fintech startups. Security is a priority when it comes to financial data sharing and screen scraping just isn’t able to provide a level of safety and stability that is needed for data exchange on this level. And yet it is still being used.

The hidden cost of data sharing

It has been spoken about before, but there is a valid concern when it comes to data security in screen scraping. Customers who would like to sign up for a service or make an online payment are asked to share their bank login credentials to allow the third party service access to their financial information. 

The list of security concerns is endless. Firstly, screen scraping has no set standards and each service has their own levels of security which are not regulated. Secondly, as screen scraping is a workaround rather than an established solution, data connection to the bank is unstable. If the bank’s platform changes slightly, the screen scraping service may struggle to reconnect and will need to take time to re-establish the link, meaning the end-user will experience an unstable performance. 

Thirdly, user’s shared passwords are stored in plain text, making them vulnerable to hacker attacks. Additionally, screen scraping platforms often use interfaces that mimic logos, color schemes and trademarks of bank institutions in order to confuse customers into believing they are imputing their financial information onto their bank. On top of that, these solutions can also be used by data thieves as a validation point for checking stolen credentials, as reported by BehavioSec.

Regulated PSD2 APIs guarantee secure connections

There is only one positive aspect of screen scraping and that is it allows open banking connectivity in countries that have no open banking regulation. For regulated and secure bank connections the only safe option for users is the real bank APIs. In Europe, PSD2 regulations standardised banks developing their APIs to facilitate access to financial data in a way that guarantees security and privacy. Only licensed third-party providers can connect to bank APIs. Security features such as Consent Management and SCA are set in place to give control to the end user and protect their data, not allowing it to be shared without their consent and knowledge. Connecting to banks through legitimate and secure connections also allows service providers and the customer to take advantage of anti-fraud systems already in place in most banks. 

When using real banks APIs, user bank accounts can only be accessed by third-party financial service providers that are able to demonstrate necessary data security standards, meaning when using a service provided by a licensed PSD2 regulated AISP, the customer can be assured that their data safety procedures have been approved by a regulator. 

As open banking continues to grow around the world, flawed and unsecure practices will eventually be phased out, and will instead be replaced by regulated and secure real bank APIs.  What we see in Europe today is that the use of unregulated bank connectivity is still happening, which is partly because of the slow initial rollout of PSD2 but also partly because we have somehow collectively fallen asleep by the wheel and let screen scraping become an 'unofficial standard' for connecting to financial institutions. Now that PSD2 and the UK's Open Banking Initiative are in their maturity stage, it's time to put screen scraping to rest.