Member Content

Understanding APIs, reverse engineering, and screen scraping

If you are looking at offering open banking for your business, you may have come across the term these terms. Let’s take a look at what they mean, how they are used, and what questions to ask your potential technology partners.

APIs – the main way TPPs gain access to open banking data

The main way Third Party Providers (TPPs) in open banking – such as Yolt – gain access to account information is through APIs, or ‘Application Programming Interfaces.’ This technology can be thought as the building blocks of digital services and is widely used by companies the world over. Think of Uber. Rather than spending enormous amounts of money to build its own maps, payments, and messaging services, it uses APIs from companies such as Google, Adyen, Twilio and Sendgrid, to integrate these services into its own app.

With regards to open banking, businesses can use APIs to embed open banking services such as payments or account information into their own businesses. For an example, see: How Jortt leverages open banking to automate SMB accounting.

Screen scraping – a less common method to access open banking data

There is another, less common method to gain access to bank accounts. Screen scraping, also known as direct access, allows TPPs to access your online bank account using your login credentials. With the credentials stored in their database, the TPP impersonates the user and gathers data by scraping the whole content from the account’s webpages.

It is important to note that traditional screen scraping, where TPPs impersonate the customer, was banned by the European Commission in 2017. However, screen scraping+, where TPPs can identify themselves to the banks as acting as TPPs, is still allowed.

Screen scraping was introduced because at that point there were no alternatives, but it carries several risks, including that TPPs can theoretically access information that the end customer has not necessarily consented to, it is not regulated, user login credentials may be at risk, and data connections to banks can be unreliable. For these reasons it is not advisable to use screen scraping as a method to access open banking data.

Reverse engineering APIs

APIs are far more secure than screen scraping. However, there are different ways that TPPs can build APIs, and some are more secure than others.

Reverse engineering involves the TPP building its own API to gain access to the customer’s account, via analysis of information shared between the customer and the bank on the bank’s customer interface. Reverse engineering APIs enables TPPs to interact with the bank’s server in the same way as the bank’s app does. However, it means that the TPP needs to store user credentials on their own servers, which is an extra security risk and also counter to the spirit of PSD2, which should ensure that customer credentials are never shared with any party other than the bank.


Read more here.

Share this Article
Related Insights
Since 2014, Holland FinTech has been mapping the fintech landscape, in the Netherlands and abroad.
Landing in the Netherlands
New to the Netherlands? Want to know who is who and where to meet them? Read all about the Dutch market, and find your path to successful market access!
Amsterdam Fintech Week
Amsterdam FinTech Week is back on 12-15 September! Be a sponsor, co-organizer, or just participate at the summit or one of the countless side events.

How likely are you to recommend Holland FinTech?