While screen scraping is one of the earliest forms of opening up the mainframe, these days it’s widely considered unsafe. If you use an app where you have to enter in your log-in credentials to grant access to your banking data, screen scraping is occurring.
However, as open banking spreads across the globe, screen scraping in the financial services industry is declining. In fact, the European legislation known as PSD2 considers it a security risk. It requires all payment accounts to make current customer account transaction data available via an API. Therefore, many European financial institutions no longer allow screen scraping.
There is no law mandating open banking in the U.S. However, the Open Banking Implementation Entity’s (OBIE) data sharing principles encourage banks to introduce APIs for sharing data.
Interestingly, TD Bank recently sued the fintech Plaid over its screen scraping practices. TD Bank accuses Plaid of trademark infringement and false advertising. It claims that the data aggregator creates a user interface that mimics TD Bank’s logos, color scheme and trademark in order to dupe customers into thinking they are entering their financial information on the bank’s platform. It also claims that Plaid stores the information on its servers and mines consumers’ accounts in order to sell their data to third parties. Plaid denies all charges and stands by its methods.
As U.S. banks continue to embrace open banking and data aggregators receive criticism for screen scraping practices, will screen scraping become a relic of the past?
What Is Screen Scraping?
Screen scraping is the process of collecting screen display data from one application and translating it so that another application can display it. Introduced in the 1980s, it is most often used in banking applications and financial transactions to translate data from a legacy system to a modern application.
Fintechs connect to a user’s banking website through a web browser that runs on their own servers and saves the information. Then, they use screen scraping to access the user’s account details.
According to Steve Craggs of the leading infrastructure software market analyst and consultancy firm Lustratus Research, screen scraping is one of the earliest forms of opening up mainframe applications to external applications. Many mainframe applications operate with 3270 screens. By driving a 3270 data stream, an external program can appear to the mainframe as an actual 3270 screen.
Generally, the client side will present the user with a graphical interface. The user enters the input data, and the client maps it to the desired 3270 data stream to drive the required mainframe application.
Screen scraping allows a user to extract screen display data from a particular UI element or document. For example, consider a CICS transaction that returns customer data for a given customer number. A client application uses its preferred UI to gather the customer number. Then it maps the information into a 3270 stream, executes it on the mainframe, gathers the responding 3270 stream and maps it back to the local UI.
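The round trip described above, as an added example that is not from the original article. It assumes a simplified model in which the 3270 screen is an already-rendered 24x80 character buffer; the screen layout, field positions and `fake_mainframe` stand-in are constructed for illustration.

```python
# Simplified model: a rendered 24x80 buffer, not a real 3270 data stream
# (which carries orders and field attributes). Layout below is constructed.
ROWS, COLS = 24, 80
EXPECTED_TITLE = "CUSTOMER INQUIRY"
# Hypothetical field map: name -> (row, col, length)
FIELD_MAP = {
    "title":   (0, 30, 16),
    "cust_no": (2, 18, 8),
    "name":    (4, 18, 30),
    "balance": (6, 18, 12),
}

def put(screen, row, col, text):
    """Write text into the buffer at a fixed position."""
    for i, ch in enumerate(text):
        screen[row][col + i] = ch

def build_request(cust_no):
    """Map the value gathered by the local UI into the screen's input field."""
    if not (cust_no.isdigit() and len(cust_no) == 8):
        raise ValueError("customer number must be 8 digits")
    screen = [[" "] * COLS for _ in range(ROWS)]
    put(screen, 0, 30, EXPECTED_TITLE)
    put(screen, 2, 2, "CUSTOMER NO . :")
    put(screen, 2, 18, cust_no)
    return screen

def fake_mainframe(request):
    """Constructed stand-in for the CICS transaction (not a real host)."""
    resp = [row[:] for row in request]
    put(resp, 4, 2, "NAME . . . . . :")
    put(resp, 4, 18, "JANE EXAMPLE")
    put(resp, 6, 2, "BALANCE . . . :")
    put(resp, 6, 18, "1,234.56")
    return resp

def read_field(screen, name):
    row, col, length = FIELD_MAP[name]
    return "".join(screen[row][col:col + length]).strip()

def scrape_response(screen):
    """Map the responding screen back to a record; refuse unknown layouts."""
    if read_field(screen, "title") != EXPECTED_TITLE:
        raise RuntimeError("unexpected screen layout; refusing to scrape")
    return {k: read_field(screen, k) for k in ("cust_no", "name", "balance")}
```

The title check matters because the client depends entirely on presentation-layer positions: if the host screen shifts by a single row, every field would otherwise be read from the wrong place without any error.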
Pros and Cons
One of the main advantages of screen scraping is that it works without making any changes to mainframe applications. The mainframe is totally unaware that it is being driven externally; it thinks it is talking with a local 3270 user.
Additionally, it is easy to execute and is a relatively simple way to access a consumer’s banking data. It simply uses the interfaces that financial institutions already make available to their customers.
However, there are many disadvantages. If the mainframe application is heavily conversational, every interaction requires a trip back to the user location and a return to the mainframe, together with the mapping of a new data stream. As a result, performance suffers dramatically and the approach does not scale. Overall, screen scraping best suits situations where the presentation layer is the only access point to the application.
Moreover, it is ripe for fraud, particularly when it comes to banking. Fintechs connect to a user’s banking website through a web browser that runs on their own servers and saves the information. This information is then stored in one location and is often unencrypted. While this is convenient, it can open up personal information to hackers. That’s why it goes against some banks’ terms and conditions to enable screen scraping by third parties. If fraud occurs, banks are not responsible.
Finally, screen scraping does not allow users to control the duration or scope of the access they give third-party sites. Since they have the exact same permissions as the user, these third-party sites have unlimited access. The only way to end their access is by changing the password.
Screen Scraping Alternatives
As open banking continues to grow throughout the world, it signifies the end of screen scraping in the financial services industry. Open banking API creation will now be the top priority for these institutions. They aim to further empower customers while also keeping their information secure.
GT Software’s Ivory Suite can eliminate screen scraping and replace it with system process automation. Well-designed processes use smart APIs, thereby increasing security and efficiency. Instead of fintechs relying on screen scraping a banking institution’s web app, the bank exposes the application via an Ivory API that executes the mainframe transaction. Authentication is done by the API requester so that a user ID and password are not necessary. Rather, an expiring token is created in order to ensure maximum security.
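The contrast between a shared password (no control over duration or scope, revocable only by changing the password) and an expiring token can be made concrete. The following is an added example, not GT Software's Ivory implementation or any bank's API; the token format, the scope names `accounts:read` and `payments:write`, and the demo key are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key"  # constructed demo key, not a real secret
REVOKED = set()                       # ids of grants the customer has withdrawn

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def issue_token(token_id, customer, scopes, ttl_seconds, now=None):
    """Issue a signed grant that names its own scope and expiry."""
    now = time.time() if now is None else now
    claims = {"jti": token_id, "sub": customer,
              "scope": sorted(scopes), "exp": now + ttl_seconds}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def revoke(token_id):
    """Withdraw one third party's access without touching the password."""
    REVOKED.add(token_id)

def authorize(token, required_scope, now=None):
    """Return (allowed, reason) for a single API call."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    claims = json.loads(body)
    if claims["jti"] in REVOKED:
        return False, "revoked"
    if now >= claims["exp"]:
        return False, "expired"
    if required_scope not in claims["scope"]:
        return False, "out of scope"
    return True, "ok"
```

Each of the three refusals (out of scope, expired, revoked) corresponds to a control that a third party holding the customer's actual credentials is never subject to.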