The movement to open banking here in the States will prove more marathon than sprint, with twists and turns along the way and the demise of screen scraping on the horizon.
Among the larger questions in the mix: What will be the role of the data aggregators, and how would scraping disappear?
As reported this week, The Clearing House Association and the Bank Policy Institute have stated that a proposed open banking rule by the Consumer Financial Protection Bureau (CFPB) does not do enough to protect consumer financial data. In broad strokes, the CFPB’s rule seeks to implement section 1033 of the Consumer Financial Protection Act of 2010 (CFPA) and require depository and non-depository entities to make available to consumers and authorized third parties certain data relating to consumers’ transactions and accounts.
Back in October, when the CFPB announced the proposed rule, the Bureau said that the Financial Data Rights rule would diminish reliance on the practice known as screen scraping, noting that “many companies currently access consumer data through screen scraping, which often requires people to share their usernames and passwords with third parties. This proposal seeks to move the market away from these risky data collection practices.”
Screen scraping, as a practice, has been around since the early days of the internet, and involves taking data that is displayed on a screen or application and transferring that data to another application. That data can (and often does) include sensitive information, touching on the login and financial details of individuals as they connect banking apps to their accounts. The apps that store the credentials “scrape” data at the most granular level, right down to transactions and account information.
The banks, historically, had relied on third-party aggregators (Plaid and Yodlee among them, along with other companies) to foster that connectivity. The consumer authorized the aggregator to log into their bank accounts to access and scrape the data. The criticisms that have been leveled at screen scraping center on the fact that, as noted in Federal Reserve research and elsewhere, there are inherent security risks. The banks are unable to ascertain that the party logging in is the true account holder or authorized third party, and there’s no control over the information being accessed.
Seemingly going beyond the CFPB’s aforementioned “movement of the market,” the TCH and BPI are calling for an outright ban on screen scraping. “Ban screen scraping: Screen scraping should be prohibited once a data provider has made a developer interface available,” the associations said in their letter. The letter did not suggest when a ban should take effect, or how it might take shape, though the BPI urged the CFPB at the beginning of last year to set a date. There are some groundswells already in place: Australia, for example, has been moving toward a ban.
The banks? They’ve been embracing the use of application programming interfaces (APIs), and some, like JPMorgan, have blocked some aggregators. But the marathon-like nature of a true migration is evident in a January 2023 letter from the Independent Community Bankers of America to the CFPB that notes “requiring banks to build and maintain a portal for third-party access is already a significant burden. The burden is amplified for smaller banks … Our members have expressed that sufficient time would range from five to eight years, and that implementation time be staggered based on asset size.”
It’s the movement toward APIs that underpins the evolution of open banking, as the interfaces have standard security protocols. The APIs also can allow for the collection and transmission of permissioned, specific data elements. For the aggregators themselves, an evolution is in play. As Plaid noted in May, the bulk of its connections have been facilitated by APIs, including 100% of traffic for financial institutions (FIs) such as Capital One and JPMorgan Chase, among others.
And in October, Fiserv and Plaid said they partnered to streamline connectivity as banks share data with outside entities. In an interview with Karen Webster in the wake of that announcement, Matt Wilcox, president of digital payments at Fiserv, said that APIs directly connect Fiserv’s client base of more than 3,000 hosted financial institutions to Plaid’s 8,000 third-party applications and services so that the FI need not conduct the “heavy lifting” to share data securely, reducing fraud and friction as data and accounts are continually verified. “The consumer has the ability to grant and revoke [data] access at an application level,” he said.