Why the Consumer Data Right should replace screen scraping

The federal government continues its effort to understand why “screen scraping”, an insecure form of data capture, continues to be favoured over other forms of data sharing.

Screen scraping requires customers to share login details, including banking passwords, with third parties, which allows the third party to log in to a customer’s account and collect data for use in the provision of products and services. Data from screen scraping is widely used by fintechs and banks to price risk, validate income, or provide insights on customer spending or behaviour. It is also used by energy providers and non-bank lenders.

The Treasury is considering banning the practice in a bid to force data sharing across the financial services sector into the alternative open banking regime instead.

Organisations have been sharing consumer data for many years, in a number of different ways, via various information security methods, without the detailed (or even explicit) consent of their consumers. While proprietary methods of sharing consumer data exist, one reason screen scraping has stuck around is that the barrier to entry for small businesses is high.

Screen scraping is a proprietary method of sharing data that stuck around for as long as it did because it gives easy access to all the data available throughout the entire customer digital channel, with no obligation to get rid of the data at any point in time. Complete access to a customer’s digital data is therefore available for an unlimited time, and the data can be used for much more than its original intent.

Security risks from screen scraping

Screen scraping carries a lot of security risks as the sharing of account credentials can leave customers exposed to hacking.

Screen scraping also does not generally request consent specific to the data elements being shared, which means the consumer is in the dark about how their data is being used and stored. Moreover, consent is often not fully understood by the customer because it’s a blanket consent, which is very broad.

How screen scrapers use the data, who they share it with and how long they keep it are not required to be disclosed under the screen scraping practice.

Screen scraping also requires the screen scraper to store and use the customer’s credentials, such as username and password, for an indefinite period of time. In the case of internet banking, this often breaks the rules of banks and can leave the consumer liable for, or vulnerable to, any losses due to the breach of that data.

Enter the Consumer Data Right

The Consumer Data Right (CDR) is an economy-wide reform being rolled out sector by sector in response to recommendations from multiple inquiries to develop a right and standards for consumers to access and transfer their information in a secure, usable format.

The government’s goal is to increase competition and streamline the flow of data through the economy whilst giving consumers control over their own data. These goals are supported by an ecosystem that is consumer-centric, secure and puts privacy first.

In a nutshell, the CDR enables consumers to securely access and share their data with accredited third parties to find better deals on everyday products and services.

Unlike screen scraping, the CDR is an opt-in service, giving consumers the choice about whether to share their data, with full visibility of who it’s being shared with, for how long, and the purpose for sharing it. By doing so, the CDR gives consumers greater access to and control over their data.

Data Holders can only share a specific consumer’s data upon request of the consumer. This data transfer happens at an individual consumer level, not in batches. This means data is not just made ‘available’ to Accredited Data Recipients (ADRs) to draw from at any time.

The CDR also forces the consumer to authenticate against their bank directly, not via the third-party service, and mandates specific consent language and details for the consumer to review and accept during the consent process. It also mandates a consent dashboard that allows for easy reviewing of consents and the ability to revoke consent easily. The process uses technology called APIs (application programming interfaces) and was designed using industry best practices to maximise data security. More importantly, with the CDR, consumers are able to revoke consent at any time, which obligates data recipients to permanently delete the data that was shared.

For these reasons, the CDR is considered a more secure and viable alternative mechanism to enable data sharing as it mandates a standard integration specification for all participants to work against and a standard information security design that follows the latest industry best practices.

Originally published in Australian Fintech