Faculty of law blogs / UNIVERSITY OF OXFORD

Screen Scraping in Finance: Myths, Reality and Lessons to be Learned for Europe

Author(s)

Natalia Jevglevskaja
Research Fellow in the ARC Laureate Project at the University of New South Wales in Sydney
Ross Buckley
Scientia Professor, and the KPMG Law – King & Wood Mallesons Professor of Disruptive Innovation and Law at UNSW Sydney, Australia


Would you give your bank account login credentials to financial service providers so they can download and analyse your account data to offer you financial services? While you may not, millions of people worldwide do. The practice is called screen scraping (‘SS’). It has boomed since the late 1990s as financial services companies—mostly FinTechs—use people’s banking credentials to ‘scrape’ data from their internet banking interfaces. As of 2021, over 10% of Canada’s and about 25% of the US population reportedly use financial services that employ SS technology. While official data on the use of SS in Europe is hard to come by, it is safe to assume its usage is substantial, as it is in most markets.

While SS poses serious risks for businesses and consumers, the practice has not been formally outlawed anywhere. Nonetheless, industry and consumer rights organisations frequently assert that SS has been generally outlawed in the EU and the UK. This is a striking assertion given that it is utterly incorrect. In our recent paper, we analyse the legal and regulatory frameworks on the sharing of customer financial data in the EU and the UK to debunk this myth. We also propose that where governments facilitate or regulate much safer practices of transferring customer data via application programming interfaces (‘APIs’)—such as in Open Banking and Open Finance—SS should be formally outlawed.

Two important details are ignored by those who believe that SS in Europe is banned. First, both the EU and the UK frameworks are limited in one significant respect, namely their focus on payments. In the EU, the move to customer data sharing in banking—aka Open Banking—was mandated by Directive 2015/2366 on payment services in the internal market (‘PSD2’). It created a digital environment that enables customers to consent to third parties accessing their payment account information or making payments on their behalf. The legal foundation for the UK Open Banking framework is in Part 2 of the Retail Banking Market Investigation Order 2017 (CMA Order) and Part 7 of the Payment Services Regulation (PSR), which translated PSD2 into UK legislation. PSD2 is focused on payment accounts and applies to payment services provided within the EU and EEA. The UK framework is similarly limited to payment systems.

As a result, even where the exchange of customer payment account data between a bank and a third party offering financial services to a consumer (a FinTech) functions well via an API, it provides only partial insight into a customer’s overall financial situation. Consequently (unless a data holder provides access to other customer accounts beyond the PSD2 mandate), FinTechs offering, for example, consumer loans will not be able to access information on a customer’s savings and investment habits, unless they use SS, which offers visibility of all data held in the online banking channel.

Second, one must differentiate between the three constitutive components of conventional SS practice, namely accessing customer account credentials, the technical process of ‘scraping’ data from the customer-facing online interface, and the impersonation of the customer. The elements of impersonation and credential sharing concern the opponents of SS most. Only the element of impersonation, however, is no longer tolerated by the EU and the UK frameworks. This is the point that is often overlooked. Even though a FinTech must identify itself to the financial institution operating the customer account, it may still legitimately rely on a customer’s personalised security credentials to employ automated methods of ‘scraping’ data. The only instance where a FinTech is barred from using SS altogether is where a bank holding a customer’s account has implemented a compliant, stress-tested, and widely used API. Further, as explained earlier, the value of the EU and the UK approaches to SS remains significantly constrained by their limitation to payment accounts, which may make the use of SS attractive and even necessary.

Admittedly, SS has mattered historically. At the dawn of the FinTech industry, many businesses facing the unwillingness of banks to share customer data were forced to choose between using SS or having no access to data. Understandably, they chose SS. Today, however, ‘Open Banking’ and ‘Open Finance’ regimes in Europe and elsewhere seek to meet this need. And in some places the regimes are not limited to payments. In Australia, for example, Open Banking is merely the first step in the implementation of one of Australia’s most ground-breaking and important reforms—the Consumer Data Right (CDR), which puts people in charge of the data businesses hold about them. In contrast to SS, which gives businesses unlimited access to customer banking account data, the CDR gives consumers a right to decide which data to share with third parties of their choice so that these can offer a better-value service. Notably, the regime has been devised as an economy-wide reform, which makes Australia the frontrunner among nations working on data-sharing systems. The CDR has recently been extended to energy, telecommunications and ‘open finance’ (including superannuation and general insurance), and other sectors will follow.

Under the CDR, only accredited trusted recipients are allowed access to data; joining the regime involves meeting stringent regulatory requirements. Without an outright ban on SS, businesses that consider this regulatory burden too heavy and data sharing via the CDR too difficult will continue to rely on SS. This leads to inherently unsafe online behaviour and runs counter to good IT security practices and the explicit security advice provided by governments and most data-holding organisations.
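The security difference the two preceding paragraphs turn on (credential sharing lets a third party act as the customer with unlimited, unattributable access, whereas an accredited, consented API gives an identified recipient scoped and revocable access) can be made concrete with a small model of a data holder. The following Python is an added illustration, not code from the post or from any Open Banking, PSD2 or CDR implementation; the bank, the account data, the client name and the scope names are all constructed for the example.

```python
"""Toy data holder contrasting credential-based screen scraping with consented API access.

Everything here is constructed for illustration: a real bank stores password hashes,
issues tokens through an OAuth-style flow, and enforces much more than shown.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    customer_id: str
    password: str                      # constructed sample credential (plaintext only for the toy)
    data: dict = field(default_factory=dict)   # data category -> list of records


@dataclass(frozen=True)
class Consent:
    client_id: str                     # the accredited recipient the customer chose
    customer_id: str
    scopes: frozenset                  # data categories the customer agreed to share


class Bank:
    def __init__(self):
        self.accounts = {}
        self.accredited_clients = set()    # recipients that passed the regime's checks
        self.consents = {}                 # token -> Consent
        self.audit = []                    # (channel, customer, actor, category)

    # --- Online banking channel, the one screen scrapers drive with shared credentials ---
    def login(self, customer_id, password):
        """Anyone holding the credentials gets every category the customer can see.

        The bank cannot tell the customer from a FinTech impersonating them,
        so the audit record has no actor identity and there is nothing to scope or revoke.
        """
        acct = self.accounts.get(customer_id)
        if acct is None or not secrets.compare_digest(acct.password, password):
            return None
        self.audit.append(("online-banking", customer_id, "actor=unknown", "*"))
        return {cat: list(recs) for cat, recs in acct.data.items()}

    # --- Consented API channel: identified client, customer-chosen scope, revocable token ---
    def grant_consent(self, customer_id, client_id, scopes):
        if client_id not in self.accredited_clients:
            raise PermissionError(f"{client_id} is not an accredited recipient")
        if customer_id not in self.accounts:
            raise KeyError(customer_id)
        token = secrets.token_urlsafe(16)
        self.consents[token] = Consent(client_id, customer_id, frozenset(scopes))
        return token

    def api_read(self, token, category):
        consent = self.consents.get(token)
        if consent is None:
            raise PermissionError("no active consent for this token")
        if category not in consent.scopes:
            raise PermissionError(f"{consent.client_id} not consented to read {category}")
        self.audit.append(("api", consent.customer_id, f"actor={consent.client_id}", category))
        return list(self.accounts[consent.customer_id].data[category])

    def revoke(self, token):
        """The customer withdraws consent; shared credentials have no equivalent."""
        self.consents.pop(token, None)


def build_demo_bank():
    """Constructed sample data holder with one customer and one accredited FinTech."""
    bank = Bank()
    bank.accounts["cust-1"] = Account(
        "cust-1", "correct horse battery staple",
        {"payments": ["rent -1200"], "savings": ["deposit +500"], "investments": ["ETF +250"]},
    )
    bank.accredited_clients.add("loanco")      # hypothetical accredited recipient
    return bank


def screen_scrape(bank, customer_id, password):
    """What a scraper obtains: the whole online banking view, under the customer's identity."""
    view = bank.login(customer_id, password)
    return sorted(view) if view else None


def consented_access(bank, customer_id, client_id, scopes, wanted):
    """Returns (categories readable, categories refused) for a scoped consent."""
    token = bank.grant_consent(customer_id, client_id, scopes)
    readable, refused = [], []
    for cat in wanted:
        try:
            bank.api_read(token, cat)
            readable.append(cat)
        except PermissionError:
            refused.append(cat)
    bank.revoke(token)
    return readable, refused


if __name__ == "__main__":
    b = build_demo_bank()
    print("scraper sees:", screen_scrape(b, "cust-1", "correct horse battery staple"))
    print("API client:", consented_access(b, "cust-1", "loanco", ["payments"], ["payments", "savings"]))
    for row in b.audit:
        print(row)
```

Running it shows the contrast the post draws: the scraper obtains all three categories and the audit log records no actor, while the accredited client reads only the consented category, is refused the rest, is named in every audit row, and loses access the moment the consent is revoked.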

The EU and UK initiatives to limit the use of SS in relation to payment accounts serve as a precedent from which the Australian government should draw both insight and inspiration. Conversely, Australia’s initiative in extending data-sharing rights across all bank accounts, not merely payments, and to other sectors such as energy and telecommunications, is a ground-breaking reform from which the EU and UK could potentially learn much. We have analysed these potential lessons in an earlier paper.

Ross Buckley is the Scientia Professor in Law at UNSW Sydney.

Natalia Jevglevskaja is a Research Fellow in Law at UNSW Sydney.
