Member Content

Understanding APIs, reverse engineering, and screen scraping

If you are looking at offering open banking for your business, you may have come across the term these terms. Let’s take a look at what they mean, how they are used, and what questions to ask your potential technology partners.

APIs – the main way TPPs gain access to open banking data

The main way Third Party Providers (TPPs) in open banking – such as Yolt – gain access to account information is through APIs, or ‘Application Programming Interfaces.’ This technology can be thought as the building blocks of digital services and is widely used by companies the world over. Think of Uber. Rather than spending enormous amounts of money to build its own maps, payments, and messaging services, it uses APIs from companies such as Google, Adyen, Twilio and Sendgrid, to integrate these services into its own app.

With regards to open banking, businesses can use APIs to embed open banking services such as payments or account information into their own businesses. For an example, see: How Jortt leverages open banking to automate SMB accounting.

Screen scraping – a less common method to access open banking data

There is another, less common method to gain access to bank accounts. Screen scraping, also known as direct access, allows TPPs to access your online bank account using your login credentials. With the credentials stored in their database, the TPP impersonates the user and gathers data by scraping the whole content from the account’s webpages.

It is important to note that traditional screen scraping, where TPPs impersonate the customer, was banned by the European Commission in 2017. However, screen scraping+, where TPPs can identify themselves to the banks as acting as TPPs, is still allowed.

Screen scraping was introduced because at that point there were no alternatives, but it carries several risks, including that TPPs can theoretically access information that the end customer has not necessarily consented to, it is not regulated, user login credentials may be at risk, and data connections to banks can be unreliable. For these reasons it is not advisable to use screen scraping as a method to access open banking data.

Reverse engineering APIs

APIs are far more secure than screen scraping. However, there are different ways that TPPs can build APIs, and some are more secure than others.

Reverse engineering involves the TPP building its own API to gain access to the customer’s account, via analysis of information shared between the customer and the bank on the bank’s customer interface. Reverse engineering APIs enables TPPs to interact with the bank’s server in the same way as the bank’s app does. However, it means that the TPP needs to store user credentials on their own servers, which is an extra security risk and also counter to the spirit of PSD2, which should ensure that customer credentials are never shared with any party other than the bank.


Read more here.

Share this Article
Related Insights
Holland Fintech Digital Transformation Paper 2024
Holland Fintech is proud to present the Digital Transformation Paper 2024. This whitepaper, led by the Holland Fintech working group Digital Transformation in collaboration with Accenture, provides valuable insights into the dynamics and key factors influencing successful collaborations between fintechs and incumbents.
Holland Fintech Pavilion at Money 20/20
Money 20/20 – Join our Pavilion! The Holland Fintech Pavilion offers a unique opportunity to connect with a global audience of fintech professionals. Located at the heart of Money 20/20, the pavilion provides a central hub for networking, collaboration, and exposure.
Amsterdam Fintech Week
Amsterdam FinTech Week is back on 2-4 October 2024! Be a sponsor, co-organizer, or just participate in our community events.