Wells Fargo's Bid to Vanquish Screen Scraping

Editor at Large

Brett Pitts has had enough of screen scraping, and he has a strategy to end the archaic method for accessing bank accounts at Wells Fargo and the industry at large.

On Tuesday, Wells was set to announce that it's created an API, or application programming interface, so small businesses can have their bank account data poured directly into the accounting software provided by Xero. Previously the data could be transferred one of two ways: either the small business would have to type it in manually or the customer could give its banking credentials to a third-party aggregator, which would "scrape" the data off Wells Fargo's site. The former practice is cumbersome, the latter insecure.

The partnership with Xero is just the first of many Wells Fargo plans to execute in its quest to eradicate screen scrapes.

"We are on a mission to help lead the financial industry beyond screen scraping," said Pitts, head of digital for Wells Fargo Virtual Channels at the $1.8 trillion-asset institution. "It's not as robust as what we need from a security perspective; it's brittle in terms of ongoing customer experience management, and it can be frustrating for all the parties involved. So it's time to move beyond that."

Wells Fargo is doing what Jamie Dimon, CEO of rival megabank JPMorgan Chase, said he hoped to do in a section of his annual shareholder letter that criticized data aggregators.

Such firms tend to take more consumer data than they need to, they often access data even if an account is inactive, and their activities can lead to fraud, Dimon wrote.

"In the future, instead of giving a third party unlimited access to information in any bank account, we hope to build systems that allow us to 'push' information — and only that information agreed to by the customer — to that third party," Dimon wrote. "Pushing specific information has another benefit: Customers do not need to provide their bank passcode. When customers give out their bank passcode, they may not realize that if a rogue employee at an aggregator uses this passcode to steal money from the customer's account, the customer, not the bank, is responsible for any loss."

Screen scraping refers to the process in which customers give third parties their online banking user names and passwords so that those third parties can log in on the customers' behalf and copy and paste their account information into other programs. It's not exactly an elegant or cutting-edge use of technology and at times it has caused spikes in traffic that have led to outages. Security-wise, encouraging consumers to give out their online banking user names and passwords to third parties is arguably a worst practice. And if banks implement two-factor authentication, as their regulators and basic security hygiene mandate they do, screen scraping doesn't work.

"Screen scraping is legacy technology," said Kristin Moyer, vice president at Gartner. "APIs are a much cleaner way of sharing data."

APIs connect servers in a way that avoids all the problems of screen scraping — the sharing of user names and passwords, the overloading of banks' servers with high-volume requests, the inability to use two-factor authentication.

Europe's Payment Services Directive and the U.K.'s Open Banking Standard are pushing banks in those regions to open data and transactions to new market entrants through APIs, Moyer noted. "The U.S. doesn't have that same push, so things are progressing more slowly, but banks are testing and experimenting."

The Screen-Scraping Brouhaha

Screen scraping came under fire at the end of 2015, when banks were accused of stifling innovation by blocking personal finance app providers like Mint from accessing their customers' account information. Banks including Wells Fargo, Bank of America and Citi countered that the screen-scraping process many of these providers were using was not very effective and prone to a number of security issues.

"We didn't have any philosophical objection to [account aggregation tools] or a desire to stifle innovation," Pitts said. Wells Fargo was concerned about security and about giving customers visibility and control over the data they share, he said.

Banks like Wells Fargo, Capital One and Germany's Fidor Bank and the data aggregator Yodlee worked with the Financial Services-Information Sharing and Analysis Center's aggregation working group to reduce the risk of financial data aggregation, specifically by using OAuth, a token-based authentication technology.

Wells Fargo is using OAuth in its work with Xero. "We're doing this in as standard a way as possible, using technologies and approaches that are well understood, to make these sorts of integrations as straightforward as possible, and the model as consistent as possible," Pitts said. "Ultimately this is an approach that will be most effective if it's something that happens uniformly across industries."

OAuth-based data sharing creates a tokenized "handshake" between companies' servers similar to the way some websites let customers log in with social media accounts. The API removes the need for Xero customers to share their Wells Fargo usernames and passwords, and the need for Xero to store them in order to retrieve Wells Fargo account data.

"We routinely counsel our customers to never share their username or password," Pitts said.

The bank chose Xero as its first partnership in this area because the company was on board with the API concept and had innovative and customer friendly software, Pitts said.

"As we started discussions with them about screen scraping and the need to go into this more direct connection model, they understood instantly the benefits to all the players and they worked enthusiastically with us to create this first model," Pitts said. "It's a win for customers in terms of security and control and it's a win for them because they have a more direct, cleaner, more secure way of connecting with us to get the customer data in a way that's usable for them. It's a win for us in that it moves us away from the screen scraping practice we were less enthusiastic about and it helps maintain our place in the relationship with our customers."

Xero, which was founded in New Zealand but now has a U.S. headquarters in San Francisco, has more than 700,000 global customers, including banks in New Zealand, Australia and the U.K. and more than 20 U.S. banks. Most of its U.S. bank relationships go through the third party data aggregator Yodlee (which was acquired by Envestnet in November), which employs several methods of data sharing including OAuth and screen scraping.

"Rather than working through a third party, using a range of technologies that are less secure, we're seeing Wells Fargo understanding they should have this direct connection to their customers which allows us to do so much more," said Xero CEO Rod Drury. Xero also has a direct API set up with City National Bank.

"Wells Fargo serves one in three American households, so it's huge for us to be able to work with them," Drury said. The partnership should give Xero a leg up in its competition with its U.S. rival Intuit, maker of the popular QuickBooks small business accounting software. "Wells Fargo doing it is a major endorsement to what we're doing and is a real game changer. I think it will stimulate a whole lot of other projects inside major banks."

Unsurprisingly given the regulatory scrutiny around vendor risk management and third-party vendor security risk, Wells Fargo and Xero put each other through a stringent vetting process to understand their respective operations, technologies, customer experience commitment, scalability and security, Pitts said. Know-your-customer and anti-money-laundering rules were also part of the due diligence.

This is the first time Wells Fargo is opening an API to an entity other than a commercial client. Wells Fargo previously shared data via API with some corporate customers. In one example, it provided API access to retail complex developer Caruso Affiliated in December of 2014 that let the developer create apps for customers of The Grove shopping mall. The apps let them schedule pictures with Santa ahead of time, upload receipts and accumulate loyalty points. (Similarly, Silicon Valley Bank shares APIs with some of its large tech clients, so they can have the tools to create their own online banking interfaces.)

How It Will Work

When the integration is completed in the fourth quarter, small business customers that log into Wells Fargo online banking will be asked if they want to connect their accounts to Xero, and if so, which ones. The bank is building disclosures and explainers that will make plain to customers what they're agreeing to, what information they're agreeing to share, with whom and how it will be used.

"It's important that that's within the experience so that customers have that much better visibility and understanding than they have typically had in these arrangements," Pitts said. "That's something we and Xero have been spending a lot of time on."

Bank transactions and balances are automatically loaded into Xero, so the small business's accounting software is up to date each morning. (Prior to this, Xero clients would have to separately log in to online banking each day to see if they received any payments overnight.)

"That's one of the first important process changes to how small businesses work every day," Drury said. "The byproduct of that is they're completely up to date every morning, with real-time deal cash flow going on. Small businesses operate much better, they make more money, and they get paid faster when they are digitally connected with the bank."

One benefit to using the API as opposed to screen scraping is that when Wells Fargo redesigns its desktop software for small business clients later this year, there shouldn't be any interruptions in the way data is gathered for Xero. Under the old screen-scraping model, changes to the look and feel of online banking sessions could throw a monkey wrench in the works.

"It doesn't take anything as dramatic as a complete redesign. Even ongoing changes to customer experience, cosmetic things, routinely can break the scripts associated with screen scraping, which winds up manifesting itself in work on the data aggregator's side and interruption in customer experience — not on the banking side, but on the sites that are relying on this method," Pitts said.

Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.

For reprint and licensing requests for this article, click here.
Bank technology Data security
MORE FROM AMERICAN BANKER