ANZ tries to defuse screen scraping time bomb

The ANZ Banking Group has moved to defuse escalating hostility between the big banks and angry Australian fintechs amid accusations that incumbent institutions are using the issue of customer data security to smother competition by challengers.

As debate continues to rage over whether regulators should ban the increasingly common industry practice of screen scraping to onboard customers, ANZ’s chief data officer Emma Gray has proposed a system of different data sensitivity levels combined with trusted intermediaries to act as data or ‘insight’ brokers.

The proposal from ANZ represents a compromise or ‘third option’ in the row that has played out extensively during the government’s Fintech and Regtech inquiry that has been overrun with submissions.

Breaking the impasse

To date, the debate over screen scraping – which usually involves customers handing over their bank account access details like log-in credentials to external parties to access customer data – has hinged around fintechs going against decades of customer education not to share security credentials.

While the government and financial regulators are playing a straight bat on the issue, cyber security hard heads, including Alastair MacGibbon have cautioned against a credential sharing free-for-all.

The Commonwealth Bank of Australia has become a particular target for fintechs because it fires off alerts to customers warning them they could be violating their account security terms, and thus fraud indemnity, when it detects screen scrapers are being used.

While the CBA argues the maintenance of account security is paramount, fintechs have repeatedly slammed the bank and accused it of trying to lock out their businesses from making legitimate competitive offers under the Open Banking and the Consumer Data Right.

Accreditation row an awkward fit

The row between the big banks and upstart challengers in large part revolves around the CDR accreditation regime which imposes strict data security conditions to get data at an API level, with smaller players complaining the compliance requirements are onerous and would make them unviable.

As a fudge to get around the strict data sharing requirements that are still not mature, many fintechs – as well as many banks – use screen scrapers to harvest necessary account data.

ANZ does not see the issue as a binary question of whether to ban or allow. Rather it says the one-size-fits-all compliance model needs improvement and customer data access needs to be more nuanced and contextual

“One issue is the [access] regime currently has one level of accreditation to receive bank data. To get this level of accreditation, entities must prove they can meet a high level of data security. This is appropriate because the data currently in play is customer bank records,” ANZ’s Gray wrote on the bank’s Bluenotes forum.

“To lower barriers to entry, and maintain the ability to innovate while limiting the proliferation of data share in the economy, ANZ thinks additional (lower) levels of accreditation that are easier to obtain could be introduced. These ‘easier to obtain’ accreditation levels would link to either less sensitive CDR data, or simply insights from data, rather than the data itself.”

Least worst option

As it currently stands, the Australian Securities and Investments Commission and the Australian Competition and Consumer Commission are essentially tolerating screen scraping as a stop-gap measure to allow access to open banking data until better solutions come around.

The fintech sector went into a frenzy on Friday after ASIC and ACCC executives on Friday told the government’s Fintech Inquiry there were no immediate plans to ban the controversial practice given its proliferation.

ASIC’s acting executive director, financial services, Tim Gough told the Fintech Committee that the regulator was aware that the use of screen scrapers didn’t gel with the message not to share passwords.

“We've said, and I think regulators consistently have said to consumers: 'Be careful with your passcodes. Don't share them with other parties.' We've been watching the extent to which consumers are being asked to moderate their behaviour to take advantage of these kinds of services, and particularly looking for evidence of consumer loss,” Gough said.

Definition of a loser

Gough said that currently “there's no evidence of which we're aware of any consumer loss from screen scraping,” and added that ASIC was “not planning to do anything drastic either” in terms of restricting the controversial practice.

“Our revised RG 209 acknowledges that screen scraping and digital data capture can provide access to information to be utilised as part of a responsible lending assessment process,” Gough said.

“We're otherwise watching, but we haven't seen a need to act to date. It's also a live question as we review the ePayments Code.”

The review of the ePayments Code, essentially ASIC’s self-regulatory rulebook for attributing responsibilities and liabilities within the payments and banking ecosystem, will be a pivotal point for banks, fintechs, merchants and consumers because much of it is arguably out of date.

For example banks are still able to shift liability for online card fraud to back to merchants because of an archaic loophole that dates back to a risk framework designed for mail-order purchases, chat lines and other potentially risqué over-the-phone card purchases that moved to the internet.

Under the current system, banks in Australia can and do shift around $450 million worth of online debit and credit card fraud riding on Mastercard, Visa and American Express’ payments rails.

Systemic worries

Fintechs are lobbying intensely for the revised ePayments Code to water down liability provisions that banks now use to chase customers away from screen scrapers, especially liability carve-outs around password sharing that can limit bank losses if customers knowingly and willingly expose or share their credentials.

However any such relaxation has many in the broader payments system deeply worried because of the potential for businesses that use screen scraping to become honeypots for hackers hunting for fresh meat now that technologies like card virtualisation are biting into fraud revenues.

Payments sources told iTnews the potential for customer compromise stemming from a hacked screen scraping user was far worse than credit and debit card fraud because it would be base bank accounts, not just the cards that run off them.

This could mean that people’s entire accounts would need to be scrapped and rebuilt in the event they were harvested and became “toxic”. In the event of a substantial successful raid, the cost of clean-up would be “exponentially” higher on source said.

A further concern is that the current Fintech gold rush is attracting a cohort of carpetbaggers from the payday lending and predatory credit industry who are than willing to push the regulatory envelope.

While ASIC gave evidence last Friday that it was yet to observe any “consumer loss” as a result of screen scraping, financial law and customer advocates have submitted that some lenders with scraped access to bank accounts wait for balances to fall before making targeted offers.

Lowering the bar

The way ANZ sees it, consumers Fintechs and banks should not need to bet the farm on a single level of data access and Gray argues that “Australia will have a hard time gaining ground in the digital economy if it doesn’t have consumer confidence in deployment of the CDR across sectors.” 

To help build that confidence, Gray argues that not everyone needs to see everything to get the answers they need to provide competing services under Open Banking.

One example cited by ANZ is contesting home loan insurance, where an offer requires proof of 36 months of up to date repayments from a mortgagee.

Gray sets out the scenario this way:

“A fintech could confirm this in two ways; both gives them the ability to provide the value add service:

First, with customer consent, it could access all of their loan repayment records by becoming an ‘unrestricted’ ‘accredited person’;

OR

The fintech could ask an unrestricted accredited entity that holds the data a simpler ‘yes or no’ question about whether the customer has been current on their mortgage repayments for the previous 36 months.

In this second scenario, the data is still quite sensitive and requires a level of security but it is clearly not as sensitive as having access to all of the customer’s data. The benefit of having multiple levels of accreditation is that the level of regulation is calibrated to the level of risk.”

The question that begs from that last statement is whether the fintech sector will be prepared to work with a “need to know” regime, or still seek access to customers’ accounts and data via screen scrapers.

Lost and found

With comparison sites like Finder now trying to turn a coin from account flipping under the CDR, those looking for speed and ease in access to data over security are pushing hard.

“If we were to rule out and get rid of screen-scraping we would essentially send Australians back 10 years,” Finder’s chief executive and co-founder Fred Schebesta told the Fintech Inquiry last month

“We obviously have to find the checks and balances and safe and responsible and regulated ways to do that, but we should work towards that and finding accredited ways to make that happen and let them join in with this new program. I wouldn't kill it, because we would be basically sending us all back in time.”

“Imagine a world where you could one-click switch your super. Imagine a world where you could one-click switch your mortgage. Imagine a world where you can make those changes now,” Schebesta implored the Fintech Inquiry.

Imagine a world where people didn’t steal money, respected your privacy or and sell customer data or rapacious loans the exploit the vulnerable.

Emma Gray’s modest proposal might not set the fintech world on fire, but it could achieve a much-needed middle ground before a consumer confidence is the CDR dented by a major incident or bank accounts being compromised by consumers being confused or duped into oversharing.