E-commerce and the dangerous rise of screen scraping
Bank customers are unwittingly giving their login details and information to unauthenticated third parties
SA banks have been pushed into participating in a new transaction type, without consultation. Card-based e-commerce transactions are cumbersome, with 3D Secure and bank authorisations required to prevent online fraud. The only other legal way to make an e-commerce transaction, via electronic funds transfer (EFT), is slow and expensive. This has given rise to a fintech business model that creates a workaround taking advantage of a regulatory gap. It's called screen scraping.
Screen scraping is when third-party companies access consumer bank accounts by offering consumers a portal that mirrors the online banking portal and feels like a typical login page. The customer unwittingly enters his or her information, which is then captured and stored by the third-party fintech company. This allows the third party to log into the customer’s account, and the bank is not able to detect the difference.
These third-party fintech companies draw a false equivalence between screen scraping and Open Banking. European legislation that created Open Banking was designed to improve efficiency, empower consumers, and level the playing field in payments by allowing customers to decide who can have access to their accounts for safe and secure payment authorisation. Regulated third parties work directly with banks and financial institutions to access customer accounts faster and in a more secure way.
Every payment service permitted to operate within the SA national payment system (NPS), including screen scraping, requires approval by the South African Reserve Bank (SARB). Screen scrapers ignore regulations and have introduced a payment type under the radar. The consumer assumes that the payment is safe, secure and regulated, but it is not. The screen scrapers reply with a “trust me, I will not lose or sell or compromise your banking login details and account information”.
This clearly is not good enough.
The retail industry does not wish to see merchants and customers, whether shopping at stores or on e-commerce sites, exposing themselves to increased levels of fraud. Current card-based services, especially from an e-commerce perspective, require an interaction with the customer that slows the transaction process down and increases costs and points of failure in transaction processing. The costs and limitations of card-based payments place a burden on retail and limit who can have a card and who can accept card payment. What we need is a mobile, contactless, secure, cost-effective payment service that is instant.
Demand for Open Banking will continue to grow and the SA banking industry needs to develop secure control systems and protocols that require third-party providers to be identified and authenticated by banks as they access customer data.
However, the rules and regulations applied to the NPS services should not stifle innovation. Innovative new payment services that comply with the security rules and regulations should be encouraged. If banks wish to enter into agreements with secure account rail-based payments, regulation should not get in the way and should simply provide a no-objection authorisation for participating qualified financial institutions.
Screen scraping arose as a means of processing an instant EFT because the SARB and the Payments Association of SA (PASA) have not provided an alternative to card scheme-based services. Now, SARB and PASA need to urgently provide a low-fee, instant, secure, anonymous, non-card-based token service as an alternative before the screen scraping practice poses a significant risk to financial stability.
This article was paid for by Bluecode Africa.