5 reasons why you should say NO to screen scraping when using open banking

Since the arrival of open banking in 2018, users have had a better way to access their financial data than putting their trust in providers who use screen scraping.

Even though the PSD2 regulation in the European Union and Open Banking in the United Kingdom have tried to eliminate screen scraping by using APIs, that hasn’t come to fruition just yet.

Because some banks are fighting against the development of secure and regulated APIs that make consumers' financial data available, some third-party providers (TPPs) still rely on screen scraping technologies to provide their services.

 

How does screen scraping work

From a customer perspective, it’s safer not to have access to certain financial data if it means opening a window to a considerable variety of vulnerabilities. It is true that providers try to mitigate these vulnerabilities as much as possible, but they are never fully gone.

Essentially, screen scraping works by allowing TPPs to access your online bank account, using your login credentials. With the credentials stored in their database, they impersonate the user and gather data by scraping the whole content of the webpages.

When accessing a user's bank account, screen scraping allows TPPs to view literally everything the user would see on their account, and grants them the ability to make any interaction, just like the user would.

For that reason, and not forgetting that there are always positives and negatives, here are 5 reasons why you should say no to screen scraping.

 

1. Give providers your credentials

For a TPP to use screen scraping to gather users' bank data, it needs full access to their login credentials. As a basic internet safety measure, giving login details for any service to a third party is always a big “no no”.

2. Encryption challenges

TPPs need constant access to users' accounts to provide up-to-date information about their financial data. To scrape repeatedly, the credentials need to be accessible in unencrypted form.

Even though TPPs might store customer information in encrypted files, they still need to have decryption keys available, often in regular text files, which can eventually become a desirable target for hackers.

3. Loss of control on what providers can see and for how long

When using regulated open banking APIs, users have a greater degree of transparency on which data they are giving consent to be accessed, and for how long that can happen. With screen scraping, that is not the case.

Since users need to provide their bank credentials, TPPs will always be able to do anything the customer would do. Due to this, a high level of trust must be maintained between the users and the TPP at all times. 

In regard to the duration of access, the only way to terminate the TPP’s access to screen scrape is by changing your credentials.
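The difference described in this section can be made concrete with a small model of the bank-side decision in each case. This is an added example, not code from the article or from any bank or provider; the names (Consent, api_decision, scraping_decision), the scope strings, the dates and the 30-day lifetime are all constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical model: none of these names belong to a real banking API.

@dataclass
class Consent:
    scopes: frozenset        # what the user agreed to share
    expires_at: datetime     # how long the access lasts
    revoked: bool = False    # the user can withdraw consent without a password change

def api_decision(consent, action, now):
    """Bank-side check for a TPP request made under an API consent."""
    if consent.revoked:
        return "deny: consent revoked"
    if now >= consent.expires_at:
        return "deny: consent expired"
    if action not in consent.scopes:
        return "deny: outside consented scope"
    return "allow"

def scraping_decision(stored_password, current_password, action):
    """With screen scraping the bank sees an ordinary login: the requested action
    and the elapsed time play no part, only whether the password still matches."""
    if not hmac.compare_digest(stored_password.encode(), current_password.encode()):
        return "deny: login failed"
    return "allow"

def compare(actions, consent, now, stored_pw, current_pw):
    """Return {action: (api result, scraping result)} for the same requests."""
    return {a: (api_decision(consent, a, now),
                scraping_decision(stored_pw, current_pw, a)) for a in actions}

if __name__ == "__main__":
    granted = datetime(2024, 1, 1, tzinfo=timezone.utc)    # constructed dates
    consent = Consent(frozenset({"balances", "transactions"}),
                      granted + timedelta(days=30))
    actions = ["balances", "transactions", "make_payment", "change_address"]
    for when in (granted + timedelta(days=1), granted + timedelta(days=31)):
        print(when.date())
        results = compare(actions, consent, when, "example-pw", "example-pw")
        for action, (api, scrape) in results.items():
            print(f"  {action:15} api={api:32} scraping={scrape}")
```

In the output, the scraping column only changes to a denial once the stored and current passwords differ, which is the credential change this section names as the only way to end access.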

4. Possible violation of bank's terms and conditions, and increase in liability

When giving a TPP access to your bank credentials, you are giving your consent for them to impersonate you while interacting with your accounts, and this might violate some banks’ terms and conditions.

With the growth of open banking and screen scraping through the years, many banks have adapted their terms and conditions to accommodate these practices. Even though they acknowledge that your account might be accessed by TPPs, they are very clear in highlighting that the user is ultimately responsible for any actions performed.

Considering that, it is important to remember that any possible mistake made by a TPP will not be covered by the bank, and it will be 100% the user's responsibility.

5. Frequent breaks in the integration due to little changes on the websites

For screen scraping to work, developers need to create an automated tool that accesses the customer's online banking platform and recognises every single detail on the page, to be able to gather the desired data.

Not only is it very costly to develop these tools, but they are exceedingly high maintenance, since they need to be updated regularly.

Another downside is that every time there is any change in the website design, no matter how big or small, these tools shut down and aren’t able to perform their task until the developers adapt them to the changes.
 

Article by Vitor Urbano