ASIC & ACCC: Screen scraping is a valid method of data sharing
Both ASIC and the ACCC have stated that they will not be banning ‘screen scraping.’ Australian fintechs, like open banking platform Basiq, welcome the position that digital data capture services remain necessary to fintech development in Australia.
With the Consumer Data Right (CDR) and open banking set to be rolled out in July, everyone is looking to CDR legislation to deliver an open banking regime. The reality is, that “open banking” and the use of consumer data to provide better financial products and services has been in practice long before the notion of a Consumer Data Right in Australia.
According to Basiq, whilst CDR legislation provides the mechanism and consumer protections to support ‘open data’, it is not the only enabler of fintech innovation. Innovative financial products and services, whether it be budgeting apps or better online banking experiences, are already widely available and adopted thanks to digital data capture services.
Despite this, news on the Consumer Data Right has led to drastic calls by major financial institutions to ban the practice of screen scraping. Aside from the obvious competition that fintechs pose for major banks, part of the debate behind calls for a ban is that screen scraping traditionally carries negative connotations when it comes to data privacy and security.
Basiq’s response is that screen scraping technology has evolved and from a security standpoint, there is little difference between using APIs as opposed to direct data capture methods. Both encrypt traffic over a HTTPS connection and both require an exchange of information for a token to complete the authentication process (login/pass vs API key) – meaning they are almost identical in nature.
ASIC’s most recent update to RG209 actually recognises digital data capture as a secure and effective method for data sharing – to achieve responsible lending. Rather than security, the main advantage of using open banking APIs is that the data received would be more structured thus reducing time-to-development (especially when retrieving data from multiple financial institutions). It would also provide prescribed guidance on handling of data and reduce the potential of misinterpretation.
There are numerous reasons a ban on screen scraping would simply not work. According to EY’s 2019 Fintech Australia Census, Australia’s fintech adoption rate sits at 58 per cent. A ban would not only disrupt Australia’s fintech industry, it would also impact the many consumers that rely on their products and services in everyday life. Additionally, uncertainty remains over many aspects of CDR, such as the participation timeline for non-major ADIs and how access to API data will be phased. In relation to phased API access, there will be a period of transition where digital data capture services are needed to supplement API derived data. Many Fintechs will require more than just product reference data from major banks (made available on July 1) to carry out business as usual.
The other limitation is that the CDR allows consumers to select which individual accounts they’d like to share with an accredited third party. Although the ability for a consumer to be in full control of the data they’re sharing is welcomed, it does have the unintended consequence of allowing consumers to engage in dishonest practices. For example, an individual may choose to omit credit card and other loan accounts when applying for a home loan. In these cases, digital data capture services can be used to return a holistic view of the individuals accounts and ownership.
Whilst practices like screen scraping could eventually be made redundant under a matured CDR regime, digital data capture services remain an important and necessary part of fintech innovation in the interim. As a result, rather than calling for a screen scraping ban, it is much more constructive to discuss how fintechs will transition from digital data capture methods to open banking APIs. In line with this, fintechs like Basiq are working in close alignment with CDR legislation as it is being updated. Most recently the company released their version of a CDR Customer Consent Flow to show what CDR will look like in practice.