The main way Third Party Providers (TPPs) in open banking – such as Yolt – gain access to account information is through APIs, or ‘Application Programming Interfaces.’ This technology can be thought as the building blocks of digital services and is widely used by companies the world over. Think of Uber. Rather than spending enormous amounts of money to build its own maps, payments, and messaging services, it uses APIs from companies such as Google, Adyen, Twilio and Sendgrid, to integrate these services into its own app.

With regards to open banking, businesses can use APIs to embed open banking services such as payments or account information into their own businesses. For an example, see: How Jortt leverages open banking to automate SMB accounting.

There is another, less common method to gain access to bank accounts. Screen scraping, also known as direct access, allows TPPs to access your online bank account using your login credentials. With the credentials stored in their database, the TPP impersonates the user and gathers data by scraping the whole content from the account’s webpages.

It is important to note that traditional screen scraping, where TPPs impersonate the customer, was banned by the European Commission in 2017. However, screen scraping+, where TPPs can identify themselves to the banks as acting as TPPs, is still allowed.

Screen scraping was introduced because at that point there were no alternatives, but it carries several risks, including that TPPs can theoretically access information that the end customer has not necessarily consented to, it is not regulated, user login credentials may be at risk, and data connections to banks can be unreliable. For these reasons it is not advisable to use screen scraping as a method to access open banking data.

APIs are far more secure than screen scraping. However, there are different ways that TPPs can build APIs, and some are more secure than others.

Reverse engineering involves the TPP building its own API to gain access to the customer’s account, via analysis of information shared between the customer and the bank on the bank’s customer interface. Reverse engineering APIs enables TPPs to interact with the bank’s server in the same way as the bank’s app does. However, it means that the TPP needs to store user credentials on their own servers, which is an extra security risk and also counter to the spirit of PSD2, which should ensure that customer credentials are never shared with any party other than the bank.