Screen scraping is the process of extracting data from a website that is not intended to be accessed or parsed by automated means. It is often used to bank data, such as account balances and transactions, from websites that do not provide an API or other means of automated access. Screen scraping can be performed manually, by writing code to parse the relevant data from the HTML source of a web page, or it can be performed using a screen scraper, a tool that automates the process of extracting data from web pages. How can we protect data with access control technology?
The other day, The Clearing House and 11 banks invested in access protection firm Akoya. Now, JPMorgan tells Fintechs they have until the end of July to wean themselves off of screen scraping and move to a more restricted access control technology implemented in APIs.
In the past, screen scrapers, once permissioned by the user, could poke around and collect a wealth of data on an individual perhaps unassociated with what that individual gave permission for, such as other accounts and their balances. It is expected the API will prevent such meandering:
“The deadline is the latest move in the bank’s effort to transition fintechs and data aggregators to what it has said is a more secure way of accessing customer data.
Fintech startups, such as those that offer budgeting apps or digital wealth management, usually connect to a user’s bank account to gather the necessary data to provide their services. Some gather the data through aggregators such as Yodlee and Plaid, which is in the process of being acquired by Visa Inc (V.N), while others request that customers provide their password.
Through JPMorgan’s new method, fintechs will not be able to use customers’ passwords to access their entire financial data, but will instead connect to a set of bank programming code known as an API, that grants access only to limited account information authorized by the consumer.
The transition comes as large banks and fintech companies globally tussle over data-sharing. Banks have said their wariness to grant access to third parties stems from a need to protect highly sensitive information, such as transaction history and income.
Fintechs have been skeptical, arguing that it should be up to consumers, not banks, to decide what companies can look at that information.
JPMorgan said earlier this year that it was preparing to crack down on the use of customer passwords for data-sharing purposes, and had been discussing another method to access information since 2016.
However, some startups said they were surprised by the stringent requirements and strict deadline in the letter, according to one fintech source.
“We’ve been working on this with aggregators and fintechs since 2016 because our secure API is the best way to help our customers make smart money decisions more easily and safely,” Paul LaRusso, managing director of digital platforms at Chase, said in a written statement to Reuters.
The bank said companies that have agreed to JPM’s terms would be able to continue accessing customer data using existing tools, provided they have a concrete plan in place to move to the new method and are making progress toward that goal.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group