BankThink

A Secure Alternative to Screen Scraping

For more than a decade, screen scraping has been the traditional method for moving bank transaction data into an app like Mint. But the technique, which involves a computer attempting to read and interpret the data on a web page, isn't ultimately helping the consumer or the bank.

For years, banks have loudly complained about screen scraping's burden on their technical infrastructure, while third-party personal financial providers bemoan the data inaccuracies.

Furthermore, both banks and nonbanks can agree that screen scraping is not a secure practice. Consumers typically hand over sensitive information, such as their bank usernames and passwords, to a third-party provider. That provider passes the credentials to an aggregator, which then uses them to log in to the bank on the consumer's behalf. Multi-factor authentication, which requires a one-time code or a security answer after the password, helps with security but fits this model poorly. App providers don't want to be in the business of handling users' passwords.

Some banks have attempted to provide account aggregation tools themselves, such as Bank of America's My Portfolio product. However, consumers want more. They're seeking tools that help them make smarter financial decisions and reach their goals, and they aren't limiting themselves to one institution. Consumers need to be able to safely aggregate their financial data into a single portal.

When you take a look outside of the financial services industry, the standards-based authentication structures used by Google, Facebook, LinkedIn and Twitter point us toward a clear solution: OAuth, an open standard for authorization. Under this system, the third-party provider requests an authorization token or key from the bank. The bank then performs its own authentication of the user, without the third party ever seeing the customer's login credentials. After the user authenticates successfully, the bank issues the token, which gives the app access on the customer's behalf for a set period of time, from 30 to 60 or even 365 days.

The OAuth process is tested, secure, common and straightforward to implement. Third-party providers register applications for access — a step that lets banks monitor usage of their application programming interfaces. Both banks and customers can maintain control over what data is shared by limiting it to particular data sets, such as only credit card transactions or only retirement portfolio data.
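To make the flow above concrete, here is an added simulation of the bank's side of the OAuth 2.0 authorization-code flow: the app is registered, the user authenticates at the bank, the app trades a one-time code for a token, and the data API honours only the granted scopes until the token expires. This is example code written for this page, not code from any bank or vendor named here; the user, client id, secret and account data are constructed.

```python
import hmac
import secrets
import time

SECONDS_PER_DAY = 86400
# Everything below is constructed sample data that lives on the bank's side only.
BANK_USERS = {"alice": "correct horse battery staple"}          # username -> password
REGISTERED_CLIENTS = {"pfm-app": {"secret": "app-secret-123",   # apps known to the bank
                                  "redirect_uri": "https://pfm.example/callback"}}
ACCOUNT_DATA = {"alice": {"card_transactions": [("2016-06-01", -42.10)],
                          "retirement": [("401k", 12000.0)]}}
AUTH_CODES = {}      # code  -> (client_id, username, scopes)
ACCESS_TOKENS = {}   # token -> (username, scopes, expires_at)

def authorize(client_id, redirect_uri, username, password, scopes):
    """Bank's /authorize step: the user logs in at the bank itself. The app only
    ever receives the returned one-time code, never the password."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise PermissionError("unregistered client or redirect_uri mismatch")
    if not hmac.compare_digest(BANK_USERS.get(username, ""), password):
        raise PermissionError("bank authentication failed")
    code = secrets.token_urlsafe(16)
    AUTH_CODES[code] = (client_id, username, frozenset(scopes))
    return code

def exchange_code(client_id, client_secret, code, lifetime_days=30, now=None):
    """Bank's /token step: a registered app trades the code (single use) for an
    access token limited to the approved scopes and valid for lifetime_days."""
    grant = AUTH_CODES.pop(code, None)
    if grant is None or grant[0] != client_id:
        raise PermissionError("invalid, expired or already-used code")
    if not hmac.compare_digest(REGISTERED_CLIENTS[client_id]["secret"], client_secret):
        raise PermissionError("client secret mismatch")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[token] = (grant[1], grant[2], now + lifetime_days * SECONDS_PER_DAY)
    return token

def fetch(token, resource, now=None):
    """Bank's data API: serves only the data sets named in the token's scopes,
    and only until the token expires."""
    now = time.time() if now is None else now
    username, scopes, expires_at = ACCESS_TOKENS.get(token, (None, frozenset(), 0))
    if username is None or now >= expires_at:
        raise PermissionError("token unknown or expired")
    if resource not in scopes:
        raise PermissionError(f"scope '{resource}' was not granted")
    return ACCOUNT_DATA[username][resource]
```

A token scoped to card transactions cannot read retirement data, a reused code is refused, and the bank can revoke access simply by deleting the token.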

While some extra work is required on the bank's side, using OAuth makes the consumer experience smoother, while helping all parties avoid security mishaps and miserable customer experiences.

There's already some precedent in the U.S.

In June 2016, Wells Fargo and Xero entered an agreement to “create a more secure and customer-focused model of sharing data between companies that have common customers.” Similarly, Capital One offers a developer API, and implements the OAuth specification so third-party companies can have secure access to shared customer data. These financial institutions are pioneering the next wave of innovation responsible for moving data — securely — outside of bank walls. More should follow suit.

While banks might be hesitant to provide access to this data, consumers are demanding choice and flexibility. Therefore, we should all team up to explore secure alternatives to screen scraping. Together, banks and third-party providers can come to terms with the care and handling of sensitive data to help consumers save money, achieve financial goals and acquire new financial services products.

Matthew Goldman is the chief product officer at Bankrate Credit Cards. He founded and led Wallaby Financial in 2012, which Bankrate acquired in 2014. Goldman is a board member of Innovate Pasadena and the Center for Innovation and Entrepreneurship at Claremont McKenna College.
