Why Inkredo does not screen scrape net banking accounts
Inkredo automates bank statement analysis. But in order to do this, our customers have to upload the bank statements themselves (either through our API endpoints or through our dashboard). Screen scraping can automate this step; a computer program (with our customers’ permission and log in details) can use bank credentials to get bank statements automatically. This post explains why we choose not to do this.
Benefits of Screen Scraping
- The entire lifecycle of bank statement analysis can be automated. This means that lenders will save time that was previously directed towards collecting and uploading borrowers’ bank statements. Alternatively, people who were performing these manual tasks can do something else. Automation can increase productivity.
- Banks often use legacy systems with sometimes inaccessible interfaces with a lot of information that users must make sense of. On the other hand. FinTechs often stand out for their easy-to-use interfaces and can present the same information in a more accessible and comprehensible manner. FinTechs can take this data and make it more user friendly through screen scraping.
- Screen scraping enables open banking and drives creation of innovative financial products that benefit society.
- Screen scraping does not break the user experience of moving out of an app to download and then upload a bank statement.
Dangers of Screen Scraping
- Scraping HTML documents or using undocumented bank APIs can be costly for FinTechs to maintain in terms of time, money, and effort. Moreover, differences in API formats can exacerbate this problem for a company with customers who use different banks in different countries.
- The bank cannot differentiate between a human user and a computer program trying to log in with the right credentials. If a bank wants to authenticate a computer program but does not want to authorise it to do everything a human user can, it cannot do this.
- The human user is basically sharing their password. And even if a particular FinTech follows the best practices regarding storage and deletion of these credentials, not all FinTechs will. Moreover, the credentials will need to be encrypted where they are stored and in-transit. But they must be decrypted when the FinTech wants to use these stored credentials to access its customers’ bank account. This encryption-decryption dance is complicated and requires a carefully designed and resilient software architecture. Currently, there are no regulations that protect the human user.
- Screen scraping non-user data like flight prices cannot be compared with screen scraping user data that can be used for authenticating and authorising access to valuable resources like bank accounts. The landscape of risks involved changes drastically.
- For reasons mentioned above, screen scraping cannot be a long-term solution. It is possible that banks will create safe and secure API endpoints for FinTechs in the future. In other words, both banks and FinTechs might exist in a more cooperative ecosystem. And if we collectively invest in the screen scraping solution, the development of secure APIs might become a low priority task for these banks.
As a user-obsessed company, we want to abstract away technical details and let our customers analyse bank statements in the most secured way. But sometimes these technical details hide risks and we don’t want to expose our customers to these risks. Therefore, we have carefully considered the trade-offs involved and concluded that disadvantages of screen scraping outweigh the advantages.
This post was originally published on Medium by Drasti Shah.