As tides shift against screen scraping, complications abound for smaller FIs
- Screen scraping is experiencing increased scrutiny from regulators and competition from API-based solutions. The practice may finally be on its way out.
- But what would an API-based data sharing environment look like? How will the transition away screen scraping occur and would it be fair to all institutions?
Last year we covered the pressure building on community banks to move away from screen scraping, a practice that can cause issues like limited visibility, broken links in data sharing, data portability as well as fragmentation in customer experiences.
“Many providers that leverage screen scraping would login during the middle of the night and our customers would receive security alerts and unrecognized activity at odd hours. This would result in increased customer fears related to the security of their information and data,” Philip Suckow, director of digital and innovation at IncredibleBank, told Tearsheet last year.
This year, the currents are getting stronger in the tide against screen scraping, due to a mix of increased regulatory pressures as well as a growth in technology providers’ efforts to move towards an API-based environment. Last month, Jack Henry announced that it is continuing work to reduce inbound screen scraping to its Banno Digital Banking Platform, through the use of APIs to all five major data exchange platforms – Finicity, Akoya, Plaid, and Envestnet | Yodlee.
CFPB is coming for screen scraping
Due to the risks associated with screen scraping, the CFPB has been scrutinizing the practice and has begun a rulemaking process that aims to give customers more control over their financial data.
“This fall the CFPB will issue a new rule implementing Section 1033 of the Dodd-Frank Act, which establishes account holders' ownership of their financial data. In the new rule, we expect the CFPB to set a timetable for financial institutions to block all inbound screen scraping of accounts — with the ultimate goal of eliminating all credential sharing across the financial services industry,” said Lee Wetherington, senior director of corporate strategy at Jack Henry.
While larger banks have been generally successful at minimizing screen scraping, community banks and smaller credit unions have had trouble with overhauling their architecture to support APIs. The issues here are the associated costs as well as a lack of engineering teams in these institutions. This is why the Independent Community Bankers of America (ICBA) has requested the CFPB extend the deadline for removing screen scraping-based processes from current banking systems. ICBA has asked for a “sufficient timeframe” in which firms can test and develop different API-based solutions.
Similarly, The National Association of Federally Insured Credit Unions has also expressed concerns that a blanket ruling against screen scraping may end up supporting only the biggest players like large banks and credit unions. The Financial Technology Association, a group that represents the likes of Brex and Betterment, also suggests that API implementation schedules should be determined by asset size, where the smallest entities should have the longest deadlines to phase out screen scraping.
It remains to be seen how the CFPB will design the regulations against screen scraping, but regulations are expected to come in by the end of 2023 with the finalization of implementation to be released in 2024.
Looking under the hood: Jack Henry’s efforts against screen scraping
According to Wetherington, phasing out screen scraping has been a “herculean” task for Jack Henry. The firm began its efforts against screen scraping 5 years ago, and in 2021 announced open banking integrations with Finicity, Akoya, and Plaid. Its integration with Envestnet | Yodlee came later in the same year. In 2022, the firm expanded on its work with Mastercard and Finicity, making API-based data collection less expensive for smaller institutions. The difficulty in making this happen comes from negotiating with multiple stakeholders and then turning those negotiatory efforts into API implementations that work.
But are APIs all that they are set up to be? One problem that surfaced within our earlier investigations about screen scraping was that, while APIs are better, it can be difficult to revoke an API’s access to a consumer's information.
“One tap of a toggle inside the Banno mobile app or online banking UX will revoke or restore access to the respective third party with whom or through whom the account holder has been sharing data,” said Wetherington.
On the other hand, APIs are named as better alternatives to screen scraping because of their ability to remove fragmentation in UX as well as data portability. To make these ideals a reality, APIs have to be able to communicate with each other. This kind of communication is often achieved through standardization, which can ensure that every instance of an API understands the kind of information it is receiving from another instance. But the industry remains divided on the issue of standardization.
For example, Jack Henry is utilizing the Financial Data Exchange (FDX) API standard. This standard defines 660 unique financial data elements and 42 million consumer accounts are using the FDX API, according to Wetherington. “Jack Henry is an FDX member, and our partner, Mastercard, is a founder of the FDX consortium,” he said.
But others like Scott Weinert, CTO and co-founder of Atomic, a provider of API-enabled income and employment data verification service, told Tearsheet last year that standardization risks trapping firms in a cycle of compliance efforts that move them away from innovation.
“Everyone should be free to iterate on the design of their API. Standards should exist at the layer of communicating how your API authenticates and what the data structure is. For example, the standards should be in the areas of security and the limitations of your API,” Weinert elaborated.
It is clear that while the destination to open banking is in sight, the path toward API-based connectivity and its minutiae still needs to be determined. “Over one-third of account holders (100M+ consumers) share their financial data with 3rd parties, and, on average, one-third of all financial institutions’ digital traffic is malicious,” said Wetherington on the importance of making data sharing more secure and making screen scraping a thing of the past.
With the growth of digital banking, API-based efforts, as well as the pressure put on by the CFPB, the tide is likely to continue to move against screen scraping. Hopefully, the shifting waters will come with more clarity and consensus on what the future of data sharing and open banking could look like.