In November 2020, the National Payment System Department of the South African Reserve Bank (“SARB”) issued its “Consultation paper on open-banking activities in the national payment system” (“SARB Paper”). During the development of this paper, the SARB conducted a survey of screen-scraping practices and open-banking activities in the payments industry. Before exploring the outcomes of the survey, lets unpack and dive into these concepts.
The Euro Banking Association defines “open-banking”’ as “a movement ‘bridging two worlds’, making it possible for customers to use their banking service in the context of other fintech services, combining innovative functionalities from banks and non-banks with reach through infrastructure”. The Bank for International Settlements defines it as “the sharing and leveraging of customer-permissioned data by banks with third-party developers and firms to build applications and services, such as those that provide real-time payments, greater financial transparency options for account holders, and marketing and cross-selling opportunities”.
Open banking is enabled by technologies such as screen scraping and Application Programming Interfaces (“APIs”).
Screen scraping is the technology that reads and extracts data from a target website using computer software that impersonates a web browser to extract data or perform actions that users would usually perform manually on the website. In the payments industry, it involves a third party app which enables direct access to a consumer’s online banking profile, takes control of the Internet banking session and automates a payment on the consumer’s behalf. Screen scraping requires a customer to share his/her online banking credentials, including his/her login names, personal identification numbers (PINs) and passwords, with the third party (usually a fintech) practising screen scraping.
Screen scraping is attractive to criminals, as they can set up an illicit third-party payment provider business with the purpose of mining personal information and/or stealing customer funds and advantage may be taken of weak regulatory regimes.
Accessing customers’ financial information using screen scraping is generally regarded as less secure than APIs from data privacy and consumer protection perspectives. There have been growing interventions by regulators to combat this practice, as it poses risks to the integrity, safety and efficiency of payment systems as well as to the consumer.
APIs are software tools that enable different systems and apps to talk to one another and share data. APIs inaccessible to the outside world and internally focused are known as “closed APIs”. Open APIs, on the other hand, are used by third parties for creating offerings that may bring convenience to existing customers and/or increase customer reach. In banking, open APIs may be used to share customer data, with consent from the customer, within the organisation or with third parties. They enable consumers and businesses to obtain account information and initiate and track payments using third-party apps that connect directly into the banks’ systems in a secure and seamless manner.
Open APIs do not involve the sharing of login credentials and are widely considered a more secure way of giving third-party providers access to customers’ financial information to enable the provision of enhanced services than screen scraping.
On the downside, APIs could give banks too much power as they are usually owned by banks as custodians of customer data and the banks thus have control over what data to share or not to share, which could be anti-competitive and inhibit innovation.
SARB’s survey of screen-scraping practices and open-banking activities
The majority of the banks which participated in the survey, indicated that they do not endorse or support third-party use of screen scraping to access customer information, but do and would allow approved vendors to access such information using APIs, given that they are more secure than screen scraping. However, the banks noted they do not have mechanisms to block screen scraping as it is difficult to do so.
The SARB Paper makes numerous policy proposals in respect of open banking, including the following:
- A new class of third-party providers, with access to customers’ financial information, should be introduced, to improve offerings for customers, increase competition, and promote innovation. “Good” permissible open-banking practices must be distinguished from prohibited “bad” practices, that may include unsecure screen-scraping activities.
- All third-party providers in the National Payment System (“NPS”) should be regulated by the relevant authorities, such as the SARB and the Financial Sector Conduct Authority (“FSCA”) and be subject to open-banking technical standards, that should be developed and implemented. This could necessitate the establishment of open-banking working groups that may include NPS participants, regulators (such as the FSCA, the Information Regulator, the Prudential Authority, and the SARB), and other relevant authorities (such as the Competition Commission and National Treasury) and stakeholders.
- Third-party providers must:
- not store customer information;
- only use the information for its intended purpose;
- bear the risks and costs that they introduce to consumers;
- make the necessary efforts to prevent, detect and resolve any unauthorised access and/or data sharing;
- and be prohibited from the on-selling or distributing of data.
- In addition, they must put in place requisite insurance or guarantee mechanisms against possible losses, protect the integrity of the NPS and implement effective processes to mitigate operational risks and mechanisms to promptly respond to, resolve and remedy any data breaches, transmission errors, unauthorised access and fraud.
- Banks should provide access to customers’ financial information, with customer consent, to regulated third-party payment providers. Banks should grant non-bank payment providers access to their systems for the development of APIs as a safe mechanism to enable the sharing of customer data.
- Consumers should have practical means at their disposal to dispute and resolve instances of unauthorised access, the failure by merchants to honour purchase orders, and possible data breaches.
- Consumer education or awareness should be conducted as many consumers may not be aware of the potential risks when using third-party providers to effect payments or the services of data aggregators. Education should include an understanding that they have the right to withdraw consent at any time, provided that the withdrawal does not violate other legitimate obligations. Custodians of consumers’ financial information should ensure that the withdrawal of consent is made as easy as possible.
It is crucial that regulations relating to data sharing and open banking strike a balance between risk management and the promotion of innovation.
This article was first published by ENSafrica (www.ENSafrica.com) on 19 October 2021.
No information provided herein may in any way be construed as legal advice from ENSafrica and/or any of its personnel. Professional advice must be sought from ENSafrica before any action is taken based on the information provided herein, and consent must be obtained from ENSafrica before the information provided herein is reproduced in any way. ENSafrica disclaims any responsibility for positions taken without due consultation and/or information reproduced without due consent, and no person shall have any claim of any nature whatsoever arising out of, or in connection with, the information provided herein against ENSafrica and/or any of its personnel. Any values, such as currency (and their indicators), and/or dates provided herein are indicative and for information purposes only, and ENSafrica does not warrant the correctness, completeness or accuracy of the information provided herein in any way.