The highly anticipated statutory review of the Consumer Data Right, better known as Open Banking reforms, has called for a ban on the use of screen scraping technology, which requires consumers to share highly sensitive account details and passwords with financial technology companies (fintechs) to make many services work.
Released Friday and written before the Optus breach spilled personally identifiable information — including driver’s licences and passport details and numbers — of around 10 million people into the wild, the report seeks to draw a line under the gaping account security fudge banks have been railing against for years.
“Screen scraping should be banned in the near future in sectors where the CDR is a viable alternative”, the report of the CDR Review states.
“Importantly, the Government should clearly signal when and how the implementation of the ban would take effect. This would provide certainty and adequate time for businesses to transition, along with stronger incentives to invest in moving to the CDR.”
The call for bans has previously been bitterly opposed by many fintechs because the tech gives them cheap and easy access to consumer accounts without the heavy software development work needed for full, secure CDR integration, a cost that would make many of them unviable.
Screen scrapers usually work by having a program log in with the consumer's credentials, extract the data rendered on screen, and then pass it to another application, often via an API.
Their primary use is to give fintechs or other transaction-based services some form of access to users' accounts so they can plug in value-added services or make comparisons.
The so-called ‘comparator’ industry, which includes the likes of Finder, Mozo and other price-checking websites that make money from referrals, is heavily reliant on screen scrapers because of the high cost of integrating secure data links with proprietary bank and utility systems and parts of the payments industry.
Finder has previously argued against banning screen scrapers in its regulatory submissions.
The CDR Review report also takes issue with the quality of the data coming from financial institutions and businesses, data whose exchange the CDR is supposed to facilitate securely.
“Data quality must improve for the CDR to realise its potential and provide a viable alternative to less secure practices such as screen scraping,” the report says.
“Participants, regulators and policymakers each have a role to play. In order to incentivise participation in CDR, Government should chart a clear path away from less secure practices and clearly signal that the CDR is the Australian data sharing system for accredited sectors.”
Security experts, including former Australian Cyber Security Centre chief Alastair MacGibbon, have questioned the wisdom of educating consumers never to share their passwords and credentials, only to then be told it’s OK to do so under the CDR.
Banks, including CBA, have also been attacked as anti-competitive by sections of the fintech industry when they send instant messages to customers warning that sharing account access credentials could affect their fraud liability if money is stolen.
Again, the CDR Review report finds that there are ongoing issues weaning businesses off scrapers.
“The strong privacy requirements of the scheme have supported the establishment of the CDR. They create a foundation of trust, safety and security, all of which will be central to engagement and uptake of the CDR from consumers and participants – particularly when compared to other, less secure data sharing mechanisms like screen scraping (also known as Digital Data Capture (DDC)),” the report states.
“It is recognised that these requirements have made participating in the scheme complex and costly for participants, and the ongoing impact of these obligations will have to be monitored.”
The Albanese government has previously indicated its support for continuing the CDR as a key competition reform.
On Friday, the government committed to strengthening the Privacy Act to address major data breaches like the Optus hack, with both the prime minister and home affairs minister taking to social media to declare Optus had accepted their calls for the company to cover costs to replace passports compromised by the breach.
CBA and Fintech Australia have been contacted for comment.