
Why the Consumer Data Right Should Replace Screen Scraping

The federal government is examining why "screen-scraping" remains prevalent despite being an insecure data-sharing method. This practice involves sharing login credentials, including banking passwords, with third parties who access customer accounts to collect data for pricing risk, validating income, or analysing spending patterns. Energy providers and non-bank lenders also rely on this approach.

Screen scraping persists partly because the alternative methods carry high barriers to entry for small businesses. The technique also gives complete access to all of the data in a customer's digital channel with no obligation to delete it, so the data can be used indefinitely and beyond the original purpose.

Security Risks from Screen Scraping

Screen scraping presents significant vulnerabilities. Sharing account credentials exposes customers to hacking and unauthorised access.

The practice typically lacks specific consent for individual data elements, leaving consumers unaware of how their information is used, who it is shared with, and for how long it is retained. Consent is often blanket approval — broad and poorly understood.

Screen scrapers must store customer credentials indefinitely, which frequently violates bank policies and can leave consumers liable for breach-related losses.

Enter the Consumer Data Right

The Consumer Data Right (CDR) is an economy-wide reform rolled out sector-by-sector, developed through multiple inquiries and designed to increase competition and streamline economic data flow while giving consumers control. The CDR enables consumers to securely access and share their data with accredited third parties to find better deals and access more competitive products.

Unlike screen scraping, CDR is opt-in, offering full visibility into who receives data, for what duration, and for what purpose. Data Holders share data only upon consumer request, at the individual level — not in batches. Consumers authenticate directly with their bank, not through a third party, and the system uses industry best-practice APIs and security standards.

The system mandates specific consent language, provides consent dashboards for consumers to review their sharing arrangements, and allows easy revocation. Critically, consumers can revoke consent at any time, obligating data recipients to permanently delete any shared information.

The CDR represents a more secure and transparent alternative to screen scraping — one that establishes standard integration specifications and security designs reflecting current industry best practices. As the Treasury considers whether to ban screen scraping outright, the case for committing fully to the CDR framework has never been stronger.