The Truth Behind the Hubbub Over Screen Scraping
The Financial Services Information Sharing and Analysis Center is calling attention to the security risks and potential fixes to a common practice: consumers handing over online banking credentials to financial advice sites.
It makes a good story to say that banks are trying to shut down fintech companies. But in the recent brouhaha over data aggregation sites, logic and facts sit mostly with the banks' side of the story.
Over the past couple of weeks Wells Fargo, JPMorgan Chase and Bank of America have been accused of attacking personal financial management companies like Intuit (owner of Mint.com) by preventing them from "screen scraping" customer information. (Many PFM and other data aggregators obtain customer data by logging in to customers' online banking accounts, using their user names and passwords, and literally copying and pasting the bank account information into their own or partners' apps, usually tools for helping consumers manage their money.) The banks, reports say, are sick of competing with the PFM providers and are therefore trying to cut them off from the data they rely on.
The banks deny deliberately blocking the aggregators and say there is no plot to thwart them. They acknowledge only that there may have been temporary glitches due to traffic overload and security changes. These, they say, they are working to resolve.
There are several reasons to give the banks the benefit of the doubt in this case.
First of all, the main PFM provider cited in the news reports is Intuit, a company with which many large banks have had relationships for years. It would be borderline crazy for the banks to try to shut down a major partner with a series of technical "glitches." It would be like Goldman Sachs trying to bring Bank of America down with a distributed denial of service attack. It's possible, but unlikely and very risky.
Second, it's a fact that the data aggregators' screen scraping activity drives spikes in volume to banks' online banking websites. To a bank server, the data aggregators' traffic looks and feels like an automated attack. To avoid blocking the aggregators' attempts to screen-scrape, banks have to maintain a whitelist of the aggregators' Internet Protocol (IP) addresses. When banks' website servers are besieged with requests from customers and data aggregators at the same time, the banks are going to favor their customers and make the aggregators wait. That's why larger aggregators like Intuit have agreements with banks under which the aggregators access the banks' systems at certain times of the day.
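The traffic-handling policy described above, as an added illustration that is not code from the article or from any bank named in it: requests are classified by a source-address allowlist of known aggregators, an unknown source producing automated-looking volume is challenged rather than served, and allowlisted aggregators are deferred (never treated as attackers) when the site is near capacity or outside their agreed collection window. The address ranges, windows, thresholds and request batch are all constructed for the example.

```python
import ipaddress
from datetime import time

# Constructed allowlist of aggregator source ranges (hypothetical; RFC 5737
# documentation addresses, not any real aggregator's infrastructure).
AGGREGATOR_RANGES = {
    "aggregator-a": [ipaddress.ip_network("203.0.113.0/24")],
    "aggregator-b": [ipaddress.ip_network("198.51.100.0/25")],
}
# Agreed off-peak collection windows per aggregator (hypothetical).
AGGREGATOR_WINDOWS = {
    "aggregator-a": (time(1, 0), time(5, 0)),
    "aggregator-b": (time(2, 0), time(6, 0)),
}
SHED_THRESHOLD = 0.85   # fraction of capacity at which non-essential traffic is deferred
AUTOMATION_RATE = 120   # requests/minute from one source that a person would not produce


def classify(src_ip):
    """Name of the allowlisted aggregator owning src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    for name, nets in AGGREGATOR_RANGES.items():
        if any(addr in net for net in nets):
            return name
    return None


def in_window(name, now):
    start, end = AGGREGATOR_WINDOWS[name]
    return start <= now < end


def decide(src_ip, now, load, rate_per_min=1):
    """Decide what to do with one request.

    - Direct customers are always served (essential traffic).
    - An unknown source producing automated-looking volume is challenged
      (step-up authentication or a CAPTCHA); that is what an unallowlisted
      scraper would run into.
    - Allowlisted aggregators are served inside their agreed window when the
      site has capacity and deferred otherwise, but never challenged.
    """
    name = classify(src_ip)
    if name is None:
        if rate_per_min > AUTOMATION_RATE:
            return ("challenge", f"unknown source at {rate_per_min} req/min")
        return ("serve", "customer")
    if load >= SHED_THRESHOLD:
        return ("defer", f"{name}: peak load {load:.0%}")
    if not in_window(name, now):
        return ("defer", f"{name}: outside agreed window")
    return ("serve", f"{name}: within window")


def summarize(requests, now, load):
    """Tally decisions over a batch of (src_ip, rate_per_min) pairs."""
    counts = {"serve": 0, "defer": 0, "challenge": 0}
    for src_ip, rate in requests:
        action, _ = decide(src_ip, now, load, rate)
        counts[action] += 1
    return counts


# Constructed request batch: three customers, one host from each allowlisted
# aggregator, and one unknown high-rate source.
SAMPLE_BATCH = [
    ("192.0.2.10", 2), ("192.0.2.11", 1), ("192.0.2.12", 3),
    ("203.0.113.7", 400), ("198.51.100.9", 350),
    ("192.0.2.200", 900),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_BATCH, time(3, 0), 0.40))   # quiet night: aggregators served
    print(summarize(SAMPLE_BATCH, time(14, 0), 0.95))  # afternoon peak: aggregators deferred
```

The point of the allowlist is visible in the last two batch entries: the aggregator hosts and the unknown source all send far more than a person would, and only the allowlist separates "defer and serve later" from "treat as suspected automation".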
Third, screen scraping is sketchy from a security point of view. For one thing, encouraging consumers to hand out their online banking user names and passwords to third parties is a bad idea – it leaves them vulnerable to phishing attacks and other forms of thievery. For another, the Federal Financial Institutions Examination Council has been pushing banks since 2001 to require stronger authentication on online banking accounts.
"Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation," the joint regulatory body says in its guidance on online banking authentication. "Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks."
Added security layers such as a hardware token or a one-time code texted to the customer's cell phone would block data aggregators from screen scraping, because a stored user name and password would no longer be enough to log in.
All of this is why the Financial Services Information Sharing and Analysis Center, banks and Intuit have proposed an alternative to screen scraping.
The Wall Street Journal reported that Bank of America suffered a four-hour outage in July that prevented two data aggregators from screen scraping its customer accounts.
The bank says it isn't aware of the incident. If an outage did occur, it had nothing to do with hostility toward aggregators, Bank of America maintains.
"Our primary reason for restricting or slowing down data flow is that the pipe is only so big, and during rare peak or unstable times, we have to restrict flow to something, so that customers who are banking with us directly can access their data," said a spokesman for B of A. "An easy way to think about it is we deal with essential and nonessential data. The aggregators are a part of the nonessential category. Essential data is data going back and forth between us, clients and customers. At peak or unstable times, you've got to make a choice. For us, it doesn't last long. It could be minutes or a few hours."
In other words, this is strictly a bandwidth issue. When the bank's servers are reaching their maximum load, they have to slow access or risk system-wide instability.
"It's not a, 'We're going after these startups and blocking their access' thing," the spokesman said. "We don't blatantly restrict their access as a matter of policy."
Bandwidth is a perennial issue.
"We're always working on bandwidth issues, not just for aggregators but as the data flow increases, the struggle for bandwidth increases," the B of A spokesman said. "There's only so much money and bandwidth to go around. It's a constant struggle around data sharing and having the capacity to share data appropriately with whomever you need to share data."
Wells Fargo, like Bank of America, says it does not know of any case in which PFM providers or other data aggregators have been blocked from its servers.
"We're not in the process of blocking aggregator traffic," said Brett Pitts, executive vice president and head of digital at Wells Fargo. "I'm not sure what's leading to the conclusion that we are. As far as we know we have done nothing intentional to block aggregator traffic."
The idea that aggregators are getting picked on because banks are afraid of the competition for their customers' attention is false, Pitts said.
"We're not interested in stifling innovation," he said.
In a statement, the bank suggested that a change to its online banking security policy may have accidentally stymied financial data aggregators.
"In our continuous effort to enhance the security of our digital banking services, we often add additional layers of authentication to protect our customers' information. These efforts may inadvertently impact the ability of financial aggregators to gather customer information," the bank said.
However, Pitts said, "We're not under the impression we've done anything along those lines."
As a separate but related issue, the bank believes there are more secure methods to share data with third parties than the ones used by aggregators today.
"Screen scraping is outdated, brittle and less secure now than alternatives," Pitts said. "We believe customers should have the ability to use these aggregator services, and be able to securely exchange information without having to expose their user names and passwords. We also think that customers should have transparency and complete control over which pieces of their data are shared."
Wells Fargo supports a model of data collection proposed by the FS-ISAC that tokenizes account authentication information and sends the data through secure pipes.
Intuit (owner of Mint.com), the primary data aggregation company cited in reports, would not make an executive available for an interview. The company only offered the following statement on the issue: "Delivering secure and seamless connectivity is a shared priority across Mint and thousands of our financial institution partners. We continuously work with them to ensure we deliver a great customer experience. This includes upholding our rigorous data stewardship and privacy policies. Our customers can be confident that Mint delivers ease and convenience while remaining focused on safeguarding their personal and financial information."
Another major financial data aggregator, Yodlee (it works with 300 banks and many fintech startups), says it is on board with more secure aggregation practices, and it has openly endorsed a data-sharing model proposed by the FS-ISAC that includes the use of OAuth token-based authentication technology.
"This technology is finally making it possible to reap all the advantages of account aggregation, without the risk of ever sharing, storing or accessing consumer credentials," Yodlee said in a statement. "This credential-less aggregation approach could provide significant benefits for the industry because it decreases operational risk and could serve to open international markets where aggregation has been stalled by regulation. It also ensures that the customer experience isn't disrupted, which ultimately drives engagement, satisfaction, and loyalty."
Capital One, Agricole Bank and Fidor Bank are testing the OAuth specification, which lets banks keep ownership of the customer login data but requires them to make an application programming interface available to others.
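The tokenized, credential-less model that Wells Fargo, Yodlee and the FS-ISAC working group describe above, as an added illustration that is not code from the article, from the FS-ISAC specification or from any of the companies named: the bank issues a short-lived access token bound to one aggregator and to the specific scopes the customer approved, the aggregator calls an API with that token instead of the customer's password, and the customer can revoke it at any time. The signing scheme, claim names, scope names, account data and client ids are simplified and constructed for the example; they are not the FS-ISAC or OAuth wire format.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class BankAuthorizationServer:
    """Issues and checks scoped, expiring access tokens (constructed example).
    The customer's password never leaves the bank; the aggregator only ever
    holds a token that says exactly who may read exactly what, until when."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._revoked = set()  # token ids the customer has withdrawn

    def issue(self, customer, client_id, scopes, ttl=3600, now=None):
        now = time.time() if now is None else now
        claims = {
            "sub": customer,           # whose data
            "aud": client_id,          # which aggregator may present it
            "scope": sorted(scopes),   # which pieces of data are shared
            "exp": now + ttl,          # short-lived, unlike a password
            "jti": secrets.token_hex(8),
        }
        body = _b64e(json.dumps(claims, separators=(",", ":")).encode())
        sig = _b64e(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def revoke(self, token):
        body, _ = token.split(".")
        self._revoked.add(json.loads(_b64d(body))["jti"])

    def verify(self, token, client_id, required_scope, now=None):
        """Return (claims, 'ok') if valid for this client and scope,
        otherwise (None, reason)."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
        except ValueError:
            return None, "malformed"
        expected = _b64e(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None, "bad signature"
        claims = json.loads(_b64d(body))
        if claims["aud"] != client_id:
            return None, "wrong audience"
        if claims["exp"] <= now:
            return None, "expired"
        if claims["jti"] in self._revoked:
            return None, "revoked"
        if required_scope not in claims["scope"]:
            return None, f"missing scope {required_scope}"
        return claims, "ok"


# Constructed sample data standing in for the bank's core systems.
ACCOUNTS = {"cust-42": {"checking": 1250.75, "savings": 8000.00}}


def api_get_balances(auth, token, client_id, now=None):
    claims, why = auth.verify(token, client_id, "accounts:read", now)
    return {"error": why} if claims is None else {"balances": ACCOUNTS[claims["sub"]]}


def api_transfer(auth, token, client_id, amount, now=None):
    claims, why = auth.verify(token, client_id, "payments:write", now)
    return {"error": why} if claims is None else {"moved": amount}


def demo():
    """Walk one read-only aggregator token through the cases that matter."""
    auth = BankAuthorizationServer(secrets.token_bytes(32))
    t0 = 1_700_000_000.0
    token = auth.issue("cust-42", "pfm-app", {"accounts:read"}, ttl=600, now=t0)
    body, sig = token.split(".")
    forged_claims = json.loads(_b64d(body))
    forged_claims["scope"].append("payments:write")      # aggregator edits its own grant
    forged = _b64e(json.dumps(forged_claims).encode()) + "." + sig
    results = {
        "read": api_get_balances(auth, token, "pfm-app", now=t0),
        "write": api_transfer(auth, token, "pfm-app", 100, now=t0),
        "other_client": api_get_balances(auth, token, "someone-else", now=t0),
        "expired": api_get_balances(auth, token, "pfm-app", now=t0 + 601),
        "tampered": api_get_balances(auth, forged, "pfm-app", now=t0),
    }
    auth.revoke(token)                                   # customer withdraws consent
    results["revoked"] = api_get_balances(auth, token, "pfm-app", now=t0)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>12}: {outcome}")
```

Contrast this with screen scraping: a stored password is all-or-nothing (it can move money as easily as read a balance), never expires on its own, cannot be limited to one third party, and can only be "revoked" by the customer changing it everywhere. Each of those gaps corresponds to one check in `verify`.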
'Your Dog's Name'
JPMorgan Chase acknowledges that it throttled account access to Intuit for several days in October when the company flooded the bank with data requests at a time when traffic was already high on the bank's website.
Meanwhile, Jamie Dimon criticized Mint and other tech companies at the recent Fortune Global Forum in San Francisco about the way they use screen-scraped customer data.
"A lot of this information is widely marketed and widely used, your dog's name, your housemate... when you sleep, what hotels you go to, what restaurants you go to and probably who you're with half the time. We get very diligent trying to protect ourselves and our clients," he said. The bank also warns customers of the risks of sharing their passwords with others on its website.
"I can understand why it may appear that we shut them down," said Trish Wexler, chief communications officer at JPMorgan Chase.
In reality, the October outage was simply due to traffic overload, Wexler said. "We worked with Intuit and we resolved it," she said. The bank has never blocked Yodlee, she said. (The Journal also reported that JPMorgan blocked Digit.co, another company that offers a savings app to consumers. Wexler said Digit uses the Intuit platform and was affected by the October outage.)
Like Wells Fargo, JPMorgan Chase says it remains concerned about the security and privacy issues around screen scraping, and is part of the working group developing the FS-ISAC's guidelines.
As is so often the case, the truth is more nuanced and less exciting than fiction.
Penny Crosman is American Banker's editor at large. She welcomes feedback on her column at email@example.com.