CBA reveals screen scrapers double its customer fraud propensity

The Commonwealth Bank of Australia has fired a broadside into widespread claims that the use of screen scraping isn’t boosting online banking fraud or hitting consumers, disclosing usually tightly held internal cyber security figures in response to questions from the fintech inquiry.

But it's not exactly shouting it from the rooftops.

A reply to questions on notice lodged with the Senate select committee on financial technology and regulatory technology published this week reveals Australia’s largest institution has calculated customers who have used data aggregators at least double their risk of copping a digital fraud hit.

The publication of the risk assessment is an eye-popper, not least because it is based on actual bank data rather than the usual rubbery figures and vague factoids regularly spun-up and bleated out by cyber security vendors and major consultancies spruiking their services.

CommBank doesn’t explicitly enumerate the losses it is copping as a result of the controversial data harvesting fudge; but the stinker of a risk number helps explain why the institution has played hardball on the issue to the extent of losing reputation paint, especially as a conga line of fintechs line-up to kick the bank and label it anti-competitive.

“CBA’s fraud analytics team conducted a study on the fraud propensity of customers who had logins via a data aggregator, where we could identify an aggregator. The analysis found that customers with logins via an aggregator are two or more times more likely to experience fraud, a statistically significant result at a 95 per cent confidence interval,” CBA’s general manager for government, industry and sustainability, Euan Robertson wrote.

“Whilst the study does not attribute cause for the statistical relationship, it does demonstrate a probable correlation between the unsafe banking practice of customers who share log-ons and password credentials with third parties and increased fraud. Behaviours that place customers at greater risk should not be encouraged.”

Robertson’s evidence provided to the committee comes after ASIC representatives played down the potential negative consequences of screen scraping in hearing prior to the CBA’s new evidence.

In evidence given to the fintech inquiry in late February ASIC’s acting executive director, financial services, Tim Gough said that “there's no evidence of which we're aware of any consumer loss from screen scraping.”

The CBA’s latest evidence, while not explicitly spelling out fraud loss numbers, essentially contests that assertion.

It also shifts the spotlight onto how the finance industry cop runs its review of the of the ePayments Code – essentially ASIC’s self-regulatory rulebook for attributing responsibilities and liabilities within the payments and banking ecosystem, will be a pivotal point for banks, fintechs, merchants.

Although down in the weeds of payments self-regulation, ASIC’s review of the ePayments Code is pivotal for banks because it could reset the anachronistic mechanism that allows banks and global card schemes to sheet back losses to merchants.

At the moment merchants, who pay handsome fees for everything from credit card slugs to buy-now pay-later clips, are forced to eat online losses that ride that ‘scheme’ credit card rails that also rope in debit payments made through Mastercard and Visa.

There are broad industry fears that fintechs and data aggregators who encourage the sharing of login credentials through screen scraping are unintentionally creating fraud data buckets that could be quickly weaponised if hacked.

Gough said in February that ASIC was “not planning to do anything drastic either” in terms of restricting screen scraping regulation.

A lot has changed since then.