An MWM investigation revealed that FinTech companies in Australia are scraping and selling users’ sensitive banking data. The problem is more widespread than that, reports Callum Foote.
Cybercrimes are at record levels. And banks are now no longer automatically repaying customers who have been defrauded. It’s time to read the fine print because there is another way that customers are being screwed over.
Jill Berry is the CEO and co-founder of Adatree, an Open Banking technology platform founded to remove barriers for companies wanting to share data according to the Consumer Data Right (CDR) regulations set out by the Australian Information Commissioner.
She says: “In banking, the practice of scraping means giving a third party your login credentials, allowing it to log into your account on your behalf without your knowledge to scrape your data.”
You can see that this is problematic for several reasons: data security, breach liability, and a violation of your T&Cs for starters.
What is screen scraping?
Screen scraping is an automated process to collate content from a website or app by taking snapshots of data on a display for use somewhere else.
While it does initially require ‘permission’ from the user when they hand over their login details and password, the user has no control over the ongoing collection process.
It is essentially unregulated data sharing: the scraper can access it, download it, harvest it, sell it, and do whatever they would like with it without the active consent or knowledge of the customer.
The Australian Securities and Investments Commission has been pushing for open access to consumers’ data and has not yet responded to a request for comment.
Around the world
Screen scraping has been banned in the UK and Europe due to data privacy concerns.
Screen scraping does have legitimate uses as companies often need to access certain pieces of data on consumers to facilitate easy transactions or uses of their products. But there is an alternative that gives more control to the user.
According to the federal parliamentary Select Committee on Financial Technology and Regulatory Technology in 2020, companies that utilise screen scraping do so for a variety of reasons: “some companies access customers’ accounts on an ongoing basis in order to provide investment products or financial planning tools.”
The practice is used by almost all companies operating in the financial services sector. “Screen scraping technology is widely used by banks, lenders, financial management applications, personal finance dashboards, and accounting products,” the committee found.
Warns Nathan Lynch, money laundering and banking expert: “Consumers need to be careful that they haven’t breached their bank’s terms and conditions. With contracts, it is a grey area if you have given them [the fintech] your bank password.”
The alternative: Open Banking
In late 2017, the federal government introduced the Consumer Data Right (CDR), a regulated data-sharing regime that requires the explicit and informed consent of consumers for sharing data. The result is Open Banking.
Open Banking means consumers control the specific use of their data, from the type of data, for how long, and who can use it.
Despite this alternative, the Australian government has yet to consider banning screen scraping and there is industry pushback to doing so. Why? It’s profitable to collect as much data as possible.
An MWM investigation found that FinTech companies operating in Australia request and access personal data (such as the Customer Registration Number – CRN) from potential new customers in order to assess, say, a credit application and then sell this information to third parties.
They use the data to be able to quickly process the application, but they then keep that private and sensitive data regardless of the outcome of that initial interaction.
According to a whistleblower: “We keep accessing those accounts to screen scrape all transactions and we keep access until the customer changes the password or sometimes the bank itself blocks our screen scraping as it shows up as malicious activity. This could happen months after the initial access to the customer’s bank details.”
The Financial Rights Legal Centre co-ordinator, Karen Cox, believes that without outlawing screen scraping, the uptake of Open Banking will be minimal in areas where companies have incentives to continue to sell consumer data.
Without a ban on these technologies, there is very little incentive for businesses such as payday lenders and debt management firms to become accredited under the CDR system, and they will be left to exploit Australians freely.
Banking peak bodies
Comment has been sought from the Australian Banking Association and Financial Services Council. While both organisations support Open Banking, neither has advocated for outlawing screen scraping.
For Jill Berry, “screen scraping is problematic, and it’s unfortunate that some organisations are defending its limited legitimate uses instead of finding other, more secure and consumer-friendly, methods to collect the data they need. The law is constantly trying to bridge the gap with technology, and CDR is a step in the right direction for digital rights and consumer control.”
It’s up to the tech sector now to see regulation as a chance to rethink practices such as screen scraping and use better, more ethical alternatives that put the consumer first.
Callum Foote was a reporter for Michael West Media for four years.