‘Screen scraping is not evil’: Bankers, fintechs, aggregators face off
The Consumer Financial Protection Bureau held a gathering this week of bankers, fintech executives, consumer advocates and others to tackle a key data-sharing issue facing the bureau, and the event provided the parties an opportunity to have it out over a longtime bone of contention: screen scraping.
Part of the CFPB’s objective behind the event in Washington was to get input on what it should do about a clause in the Dodd-Frank Act (Section 1033) that gives consumers the right to access a portion of their bank account and transaction data in a usable electronic format. There was a broad consensus in the room that consumers should be in control of their data. But what that means, how it should be executed, who is liable if something goes awry and many other related questions led to heated debate.
The bankers at the event, unsurprisingly, had harsh words for screen scraping, the method by which a lot of customer data is collected today. Consumers share their online or mobile banking usernames and passwords with a third-party fintech, and that fintech or a data aggregator logs in as them and copies the latest data on their accou
“Screen scraping has reached its peak of benefit,” said Natalie Talpas, senior vice president and product group manager for digital at PNC Financial Services Group. “The consent is not clear. Screen scraping enables financial applications to collect all the data a customer would access. And we have a lot of security concerns about that. A more secure, efficient way would be through [application programming interfaces], which is what many of us are working towards.”
Lila Fakhraie, senior vice president of digital banking APIs at Wells Fargo, compared screen scraping to “giving your house key to a house painter and saying, 'Just go in my bedroom and paint that one wall, that's all I want.' And then the house painter has your key forever and they come and go as they please and they look at things and take things if they want.”
Wells Fargo has signed agreements with several data aggregators and offers Control Tower, a dashboard where consumers can turn data access off and on for third-party apps.
Nick Thomas, co-founder and chief technology officer at the data aggregator Finicity, defended screen scraping.
“I think we all agree that that credential access to financial data is not the best approach, but it has served us really well for 20 years,” he said. “There have been issues, and we have as an industry worked through some of those issues through the years. But generally speaking, consumers have spoken, they want access to their data, and screen scraping has been the only way that that data has been made available.”
He described screen scraping as taking an HTML page and deconstructing the tables in HTML to get access to the data.
“We need to make sure that we as an industry and as regulators and lawmakers understand that screen scraping is not evil,” he said. “We want to move to tokenized access, but there is a long tail of financial institutions, and it's going to take time for these API standards to proliferate.”
Christina Tetreault, senior policy counsel at Consumer Reports, said that while screen scraping may not be evil, “it is dangerous for consumers.”
Screen scraping also leads to data inaccuracy sometimes, she said.
“The web page changes, they pull the wrong data, and it’s inaccurate,” Tetreault said. “We've seen instances where screen scraping has caused changes to an account and mistakes to happen to accounts because there's not a lot of controls over it.”
Becky Heironimus, managing vice president of customer platforms, data ethics and privacy at Capital One Financial, elaborated on others' concerns that screen scraping gives data aggregators unlimited access to customer data in all accounts.
“The problem today with credentialed screen scraping is that they have access to all elements in the account,” she said. “The consumer really doesn't have control.”
She broke account data into three buckets. One is the basic account transaction data, which can be shared. The second is sensitive data like personally identifiable information, including account numbers, which could be used by fraudsters to harm the consumer. The third is proprietary data — a bank’s specific product terms, features and functions — “that today we don't see a need in the industry to be shared.”
John Pitts, policy lead at the data aggregator Plaid, immediately countered that when banks talk about proprietary data, they are talking about their rates and fees.
“It's in fact in the CFPB principles that those are the types of things to which the consumer has the right to access,” Pitts said. “And yet we hear sometimes that that fee, because it was derived from a proprietary method, is itself proprietary and the consumer doesn't have the right to share it. I'm troubled by that as a definitional line. If you can see it when you log in to your web interface or if it's essential to the functioning of the account, that is what you should have the right to access and share with a third party of your choice.”
Heironimus responded that there is a difference between sharing data one-on-one with a customer and providing it en masse to a data aggregator.
“There's a distinction between the right for the consumer to directly have it and the right for the consumer to hand that to a party that's collecting it on a scale of millions and millions of elements of data across the U.S. or the world,” she said.
Steve Boms, executive director of FDATA N.A., a trade group for fintechs and aggregators, said that data aggregators' attempts to pull bank account data fail 40% to 48% of the time.
This is because of technical challenges, the use of multifactor authentication, and in some cases financial institutions restricting access to data aggregators, Boms said.
James Reuter, president and CEO of First Bank Holding Co. in Colorado, noted that smaller banks are dependent on their core providers to help them create data-sharing APIs.
“But screen scraping is not the way we want to do business,” and multifactor authentication is strongly encouraged by the regulators, he said.
“We use it frequently when we see activity that's suspicious,” Reuter said. “One of the things we face today are credential-stuffing attacks, and they look a lot like screen scrapers coming in, because they're machine-generated logins. We need to get to the API standards, and it's going to take a while with the core providers. But we're on the journey. We'll get there.”
Pitts pointed out that consumers have already decided they want to work with fintech apps that need to consume their bank account data.
“We are not talking about a future state where consumers might do this,” Pitts said. “Consumers have already voted with their thumbs that this is something they want and these third-party services are important to their life. Our shared objective is to make sure that having made that decision, the consumer is safe and can be confident in that decision.”
He said that banks, fintechs and aggregators are working on this through the Financial Data Exchange, where they are developing a common API standard.
But he also said it is important to make sure that as banks, aggregators and fintechs move from screen scraping to the use of APIs, consumers’ choices should not be restricted.
“One of the risks is that if every player is independently deciding which app is OK for their customers to use, they may override a decision that a consumer has already made,” Pitts said. “The consumer may have already said this is something that I want to use. It helps me in my life. It benefits me. And the consumer shouldn't have a different set of apps and services that they can use based on where they bank.”
Talpas argued that there are issues today around the way consumers give consent to use their bank account data.
“Consents are not consistent, they're not transparent, and they're not clear, unfortunately,” she said. “The Clearing House conducted some research in the fall that demonstrated that consumers don't understand what they're agreeing to. They don't know that there might be an intermediary or a data aggregator that's also collecting the information. We need to improve that consent experience as quickly as possible.”
Pitts said Plaid has rolled out a consent screen it provides for every customer who wants to use one of its customers’ apps. It introduces Plaid to the consumer and identifies Plaid's role in data sharing.
“I think there are still improvements that we need to make,” Pitts said. “We all want to make sure consent is the right for the consumer.”