Wells Fargo, PNC tell Trustly to stop screen scraping customer data

• Key insight: Large banks continue to battle with some data aggregators over screen scraping of customer data. 
• What's at stake: Screen scraping puts consumer security and fraud detection efforts at risk, the bankers say. 
• Forward look: Expect new data aggregators to sign API agreements with banks.

Source: Bullets generated by AI with editorial review

Wells Fargo has asked Trustly, a Stockholm-based data aggregator, to stop screen scraping the bank's customer data and to not use the bank's logo to do so. Wells Fargo and PNC have asked Trustly to talk to or work with Akoya, the data-sharing vendor they use, to consume the banks' data through application programming interfaces instead of screen scraping. Trustly did not respond to a request for an interview or comment.

This is the latest episode in the data-sharing struggle between banks, fintechs and data aggregators that has been going on for ten years. Fintechs like Chime and Venmo need their customers' bank account data to provide certain services, such as loans, payments and financial management. The fintechs rely on data aggregators like Trustly, Plaid, MX and Finicity to grab that data. The data aggregators used to rely on screen scraping: They would send fintech customers a screen that looks like their mobile banking homepage, complete with their bank's logo, and get them to type in their user name and password. Then the data aggregator would impersonate the consumer, log into the bank's online banking portal with those credentials and copy and paste the customer's bank account data. 

Banks started objecting to this activity, complaining it blocks their servers and messes with their fraud detection systems. In turn, fintechs at times have complained that banks were blocking them from access to customer data.

In September, JPMorganChase reached a deal with Plaid through which the data aggregator pays fees for the bank's data. Neither Wells Fargo nor PNC charge for their data, yet.

"We're in discussions on it," said William Demchak, chairman and CEO of PNC, during the bank's second-quarter earnings call. "I applaud what JP did. I think they're exactly right. I think there's a big cost to keeping this data secured and producing it in a form that's readable for our clients."

In 2020, several banks, including PNC and TD Bank, sued Plaid, accusing the data aggregator of knowingly creating a user interface that used the banks' trademarks, logos and color schemes to mimic actual bank login pages and "dupe [customers] into believing they are entering their sensitive personal and financial information in the bank's trusted and secure platform," as the TD lawsuit put it. Plaid settled these lawsuits and eventually hammered out data-sharing agreements with these and hundreds of other banks to share customer data through application programming interfaces, rather than screen scraping. Other large aggregators did the same.

So when security teams at Wells Fargo and PNC that monitor customer activity saw that Trustly was aggressively screen scraping, alarms went off. 

"Newer aggregators try to obfuscate their traffic to make it look like it's coming from a consumer," said a bank executive familiar with the matter. "When we see that, we say there's a better way, we recommend using a standard API."

In the two cease-and-desist letters Wells Fargo sent Trustly in early and mid-October, which were reviewed by American Banker, the bank demanded that the company stop screen scraping and discontinue use of its trademarked logos. Since then, Trustly has stopped using the bank's logos, but continues to screen scrape the bank's customers' data, according to people familiar with the matter. 

Trustly provides a "pay by bank" service that lets customers conduct transactions directly from their bank accounts. Its customers include Coinbase, MoneyGram and Western Union. Trustly has a relationship with Akoya and has an API, according to people familiar with the matter. It is unclear why it is screen scraping rather than using an API for Wells Fargo and PNC bank customers. In a comment letter on the 1033 data-sharing rule the CFPB published last year, that the agency's new leadership is rewriting, Trustly called screen scraping a "risky practice."

Sometimes fintechs prefer screen scraping because they want to obtain data that is not covered by an API. By screen scraping, they can obtain virtually any customer data they want, whether or not the customer has given permission to obtain it.