Two of Australia’s most prominent consumer protection advocates have warned policymakers that a failure to ban the endemic practice of commercial screen scraping under new consumer data laws will allow predators to flourish and infest Australia’s fintech sector.
As Australia’s banks and utilities sectors brace for new account portability laws to hit this year, the Financial Rights Legal Centre and the Consumer Action Law Centre have cautioned a major clean-up of data regulations is urgently needed to stop a new generation of shonks coming along for the ride.
The call to ban screen scraping is a major headache for some banks and financial services providers hoping to continue using the technology as a fudge to get around stubborn legacy systems that are costly to modify for open banking.
The main problem is that the workaround, which increasingly feeds the APIs fintechs build on top of it, breaks a heap of basic data security practices banks have demanded of customers since they went online.
“The basic procedural premise of screen scraping is it requires a consumer to hand over their password and username details in order to access and analyse their data,” a joint submission from the two advocacy groups to the Senate Select Committee on Financial Technology and Regulatory Technology’s inquiry says.
“This is an inherently unsafe online practice and is exactly the opposite to every other piece of online safety and security advice provided to Australians by both the online industry and in government advisories.”
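The security point the submission is making is one of authority, not just secrecy: a password grants whoever holds it everything the customer can do, whereas an API consent can be scoped and revoked. The toy model below is an added example written for this page, not code from the article, the submission or any bank or fintech; the bank, customer, credentials and transactions are all constructed, and the scope names are invented for illustration.

```python
"""Toy model (constructed for this page) of the difference between a screen
scraper holding a customer's bank password and a third party holding a
scoped, revocable API consent. Nothing here is a real bank or fintech API."""
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    balance_cents: int
    transactions: list = field(default_factory=list)

class ToyBank:
    """Hypothetical bank exposing both a password login and a consent API."""
    def __init__(self):
        # Constructed sample customer: note the "cafe" line a sloppy
        # categoriser might later mistake for rent.
        self.users = {
            "alice": ("hunter2", Account(500_00, [("cafe", -4_50), ("rent", -1_500_00)])),
        }
        self.consents = {}  # token -> (user, frozenset of granted scopes)

    def login(self, user, password):
        """Password login: whoever knows the password gets the customer's full authority."""
        stored, _ = self.users[user]
        if not hmac.compare_digest(stored, password):
            raise PermissionError("bad credentials")
        return ("session", user)

    def grant_consent(self, user, scopes):
        """Consent flow: issues a token limited to the listed scopes (invented scope names)."""
        token = secrets.token_hex(16)
        self.consents[token] = (user, frozenset(scopes))
        return ("token", token)

    def revoke(self, cred):
        """Customer withdraws the consent; the token stops working immediately."""
        self.consents.pop(cred[1], None)

    def _authorise(self, cred, scope):
        kind, value = cred
        if kind == "session":
            return value  # a password session carries every scope
        user, scopes = self.consents.get(value, (None, frozenset()))
        if user is None or scope not in scopes:
            raise PermissionError(f"{scope} not permitted")
        return user

    def read_transactions(self, cred):
        user = self._authorise(cred, "transactions:read")
        return list(self.users[user][1].transactions)

    def transfer_out(self, cred, amount_cents):
        user = self._authorise(cred, "payments:write")
        acct = self.users[user][1]
        acct.balance_cents -= amount_cents
        return acct.balance_cents

def scraper_path(bank):
    """A scraper holds the password, so it can read the data and also move money."""
    cred = bank.login("alice", "hunter2")
    txns = bank.read_transactions(cred)
    balance_after = bank.transfer_out(cred, 100_00)  # nothing in the model stops this
    return txns, balance_after

def consent_path(bank):
    """A read-only consent can read the data but cannot pay out, and dies on revocation."""
    cred = bank.grant_consent("alice", ["transactions:read"])
    txns = bank.read_transactions(cred)
    try:
        bank.transfer_out(cred, 100_00)
        could_pay = True
    except PermissionError:
        could_pay = False
    bank.revoke(cred)
    try:
        bank.read_transactions(cred)
        readable_after_revoke = True
    except PermissionError:
        readable_after_revoke = False
    return txns, could_pay, readable_after_revoke

if __name__ == "__main__":
    print("scraper:", scraper_path(ToyBank()))
    print("consent:", consent_path(ToyBank()))
```

The two paths read the same transaction list, which is the only thing an aggregator legitimately needs. The difference is what else the credential allows and whether the customer can take it back, which is exactly why liability codes written around credential confidentiality sit so awkwardly with a business model built on handing credentials over.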
Screen scraping has already been banned in the UK and Europe under Strong Customer Authentication rules, with third-party providers there granted a transition period until March this year to wean themselves off the vulnerable technology.
With consumer legal advocates now persuasively arguing the same kind of scraping bans need to be imposed in Australia, key groups like FinTech Australia which have vehemently opposed such bans could soon have their lofty ambitions checked.
“Stopping data aggregators who utilise scraping techniques would kill the current fintech industry,” FinTech Australia wrote in its submission to the Open Banking inquiry in 2017.
“It also provides a lower cost alternative for smaller banks, fintechs and institutions to innovate faster and meet their compliance obligations under any new regime, and means they may move to full API integration within a timeframe that suits them.”
One of the biggest problems with screen scraping outlined by the Financial Rights Legal Centre and the Consumer Action Law Centre is that the practice flies in the face of established consumer electronic security norms demanded by banks and overseen by the Australian Securities and Investments Commission.
A major sticking point is ASIC's E-Payments Code which determines consumer and institutional liability for issues like account compromises, fraud, misdirected payments and other problems.
Despite investing heavily in the fintech sector, banks have for more than a decade demanded consumers adhere to security and credential confidentiality protocols in return for wearing fraud liability, especially around identity theft, online fraud and skimming.
Importantly, the two consumer legal groups argue that modifying the E-Payments Code to cover consumers for fraud losses incurred by ASIC-accredited fintechs as a result of screen scraping “is nonsensical”.
The consumer legal groups claim such a move would “develop a parallel system to serve the interests of a small number of legacy FinTechs who are unwilling to change their business model to meet the higher standards and security requirements of the CDR regime.”
“Encouraging people to hand over passwords and usernames runs counter to all other security advice provided by the Australian government as outlined above. Even if it was safe to hand over log-in details in the Fin Tech context – which it isn’t – it would undermine safe practices in all other online contexts,” the Financial Rights Legal Centre and the Consumer Action Law Centre said.
Having a lend
Some of the companies heavily reliant on screen scraping are nothing more than rapacious and ethically bereft payday lenders looking for a slick image change using fintech chic, if the case studies of consumer harm in the consumer legal advocates’ submission are anything to go by.
And the data they use is conveniently flaky too, especially when it comes to responsible lending.
In one example cited, a man dubbed “Gavin” who was hooked by payday lenders for $4000 had a loan approved on aggregated data that Financial Rights Legal Centre said was “riddled with errors – including categorising his café payments for coffee as rent.”
In another case a man dubbed "Edward" who went around shopping for a loan found himself signed up before he could blink when he provided details ostensibly to determine an interest rate.
“Edward responded and provided information to begin a process he believed would lead to him being provided with an offer. As a part of this process Edward was required to provide his details to his bank account and to obtain his credit report in order for him to obtain his ‘tailored interest rate’,” the Financial Rights Legal Centre case study said.
“Before he knew it Edward had been approved for a $15,000 loan with the money deposited into his account. Edward had only been shopping around and had not expected to be provided with the money - merely an offer.
“The lender refused to rescind the contract until they had been told that he had contacted Financial Rights. In the meantime Edward had in fact found a better deal and wanted to go with this other lender,” the case study said.
That really is an offer that’s hard to refuse.