Screen scraping: a balancing act for banks

Joost van Putten
3 Mar 2022
capgemini-invent

The EU’s PSD2 aimed to bolster data sharing between banks and third-party providers (TPPs) while increasing the safety standards for customers. While the regulation steered banks to share customer data in a controlled way via APIs, many TPPs still rely on screen scraping, giving them unrestricted access to banks’ customer data. In the absence of strict regulation, banks will need to act to balance the benefits and risks properly.

APIs vs. screen scraping

With the introduction of PSD2, it has become possible for non-banks to initiate payments and retrieve transaction data, with a customer’s consent. This enables TPPs to develop innovative services such as money management apps. Banks were steered to develop APIs to give TPPs with a PSD2 license controlled and safe access to their customers’ bank accounts. However, for various reasons (e.g., migration costs, lack of internal expertise and the unrestricted amount of data that can be collected), the practice of screen scraping continues.

Screen scraping is a technology by which a customer provides their banking app login credentials to a TPP. The TPP then sends a software robot to the bank’s app or website to log in on behalf of the customer and retrieve data and/or initiate a payment. Banks have less control over the data retrieved, which may go beyond account data regulated under PSD2 and may include any customer data available. With an API, by contrast, banks have greater control to share only the data necessary for the TPP’s service, and customers do not need to share any credentials with TPPs.

Banks must pick their battles

On the one hand, banks benefit from enabling TPPs to access their customers’ data and provide innovative services. Some banks may also practice screen scraping themselves. On the other hand, banks may want greater control over who is logging in to their bank accounts and don’t want to share more data with TPPs than needed. Data is the new oil and banks might not want to give it away too easily. In addition, even though customers must give their consent to TPPs, they might not always be aware of what they consent to. If personal data is shared unintentionally, this could hamper customers’ trust in banks.

As long as screen scraping remains common practice, banks should define a strategy to get control over it. We identified three types of strategies:

  • A passive strategy tackles the problem by appealing to scrapers and customers: state on the website that being scraped is unwelcome, and inform consumers which TPPs rely on scraping and what the potential security concerns are.
  • A proactive strategy impedes screen scraping and makes it more expensive. The methods differ in their complexity, effectiveness and negative impact on the website’s User Experience. Two examples are using CAPTCHAs and deploying “honeytraps”.
  • An external software strategy, where banks can utilize external software to detect screen scraping bots. According to a Capgemini study, the top-3 external anti-bot services score above average on major criteria, where only one has experience in banking.
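
One way a honeytrap can be checked for in web server logs, as an added example (not from the original article or from Capgemini): it assumes a decoy path `/accounts/export-all` that is hidden from human users, keys clients by IP address for brevity, and runs over constructed log lines. It also lists what a flagged client retrieved after the trap hit, which bears on the concern that scraping can reach beyond PSD2 account data.

```python
import re

# Assumption: a decoy URL present in the page markup but hidden from human
# users by CSS, so only software that walks the raw HTML requests it.
TRAP_PATH = "/accounts/export-all"

# Constructed sample lines (combined log format, documentation-range IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [03/Mar/2022:10:00:01 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2022:10:00:02 +0000] "GET /accounts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2022:10:00:03 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2022:10:00:03 +0000] "GET /accounts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2022:10:00:04 +0000] "GET /accounts/export-all HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2022:10:00:04 +0000] "GET /profile/address HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2022:10:00:05 +0000] "GET /loans/overview HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_trapped_clients(log_text, trap_path=TRAP_PATH):
    """Return {client_ip: [paths served with 2xx after the trap hit]}."""
    trapped = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ip = m["ip"]  # simplification: a real deployment would key on session
        path = m["path"].split("?", 1)[0]  # ignore query strings
        if path == trap_path:
            trapped.setdefault(ip, [])
        elif ip in trapped and m["status"].startswith("2"):
            trapped[ip].append(path)
    return trapped

if __name__ == "__main__":
    for ip, paths in find_trapped_clients(SAMPLE_LOG).items():
        print(f"{ip} hit the honeytrap, then retrieved: {', '.join(paths)}")
```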

What’s next? A cat-and-mouse game.

Each screen scraping prevention strategy comes with its own benefits and concerns. But before banks start thinking about which one to implement, they should first and foremost earn the right to do so, by having a PSD2 API that is on par with market standards and meets local requirements. The next step is to assess current measures taken to prevent screen scraping. From there, banks need to assess the channels and data sources where it is desirable to start preventing screen scraping, as well as identify certain parties that might be prevented from using the approach. Once a strategy is chosen and implemented, the cat-and-mouse game starts. TPPs may look to overcome measures taken by banks to block screen scraping – hence it is necessary to build an organizational capability with the ability to respond to countermeasures initiated by TPPs. Combining this technical capability with legal and regulatory affairs will be vital.

Find out more

  • Read the blog ‘Everyone is Banking’ and ‘ here.
  • Read the blog ‘How is Open Banking simplifying the world of credit lending?’ here.
  • Watch the video series ‘Banking Insights’ here.

Authors

Alexander Eerdmans

Vice President & Head of Financial Services at Capgemini Invent Netherlands
Alexander Eerdmans is Vice President and Head of Financial Services (FS) at Capgemini Invent Netherlands. With a background in Finance, he has wide experience in leading projects on Open Banking, FinTechs, and Financial Services. Alexander is always working on “What’s Next” in FS and encourages global collaboration, which enables unlimited possibilities.

Joost van Putten

Senior Managing Consultant at Capgemini Invent
Joost van Putten is a senior manager at Capgemini Invent Netherlands Financial Services. He has a background in innovation & strategy and has completed extensive work in the area of Open Banking and Payments. He has supported pan-European banks in implementing the Payment Services Directive 2 (PSD2) and has led multiple research studies into related market developments.

Titia Meijburg

Senior Consultant at Capgemini Invent Netherlands
Titia Meijburg is a senior consultant at Capgemini Invent Netherlands in the Data, Finance, Risk & Compliance team. She has a background in banking and innovation. Titia has experience in projects on Open Banking strategy, Sustainable Finance Regulations and Risk reporting.

Illkirch-Graffenstaden

Senior Consultant Enterprise Data & Analytics at Capgemini Invent Germany