At least three of Canada’s Big Six banks offer digital financial products that require users to enter their login credentials for external accounts, a practice known as screen scraping that has been widely criticized—including by the banks’ own lobby group—as insecure and risky.
Talking Points
- Some of Canada’s Big Six banks offer digital financial products that require users to enter their login credentials for external accounts, a practice known as screen scraping.
- Critics say the practice opens customers up to cybersecurity and privacy risks. It is prohibited by most major banks’ terms of service and the government has promised to ban it.
BMO, RBC and National Bank all invite customers to enter their login credentials for online accounts held at other institutions, letting them unlock features that give clients a broad view of their finances, according to their own websites and terms of service.
Screen scraping has become entrenched in the financial services sector. In its riskiest form, a computer program accesses a customer’s financial account using their login credentials to gather data that powers digital applications such as accounting software, budgeting programs and spending trackers. An estimated nine million Canadians have used screen scraping, according to the Department of Finance, despite the widely acknowledged security risks.
Sharing online banking login credentials puts customers at risk of theft, hacks and privacy breaches. Privacy advocates, policymakers, banks and fintechs have all raised alarms about the risks posed by screen scraping. The terms of service of every major Canadian bank except National Bank prohibit customers from sharing their online banking credentials with anyone.
The federal Liberals have pledged to ban screen scraping after the early 2026 launch of open banking, a framework also called consumer-driven banking that’s meant to enable financial data sharing through secure, standardized feeds.
National Bank spokesperson Alexandre Guay did not directly address questions about the bank’s use of screen scraping, but in an emailed statement said the bank is the first Canadian financial institution to release a secure feed letting its customers share their data without disclosing their credentials.
BMO and RBC deferred to the Canadian Bankers Association (CBA), the banking sector trade association and lobby group, on questions about their use of screen scraping. CBA spokesperson Maggie Cheung said the organization “has no further comments on our members’ operational matters.”
The CBA has previously said it supports a screen scraping ban. The lobbying group also officially supports open banking, but has raised concerns about the risks it could pose to privacy, security and financial stability.
In a submission to a 2019 Department of Finance consultation on open banking, the CBA described third-party access to log-in data on behalf of customers—a fundamental of most screen scraping—as a practice that threatens the cybersecurity of banks and their customers. Storing bank login credentials makes fintechs and other external companies “susceptible to financial crime,” the submission said. The submission does not mention that banks engage in screen scraping as well.
Steve Boms, executive director of the Financial Data and Technology Association of North America, a pro-open banking industry association, said it’s a “dirty, not-so-secret” that in the absence of open banking the majority of financial data sharing in Canada—among banks and fintechs alike—happens through screen scraping. “It’s really no surprise that so many Canadian financial institutions are relying on screen scraping in order to power the tools that they provide to their consumers, because there’s really no alternative,” he said.
The CBA’s Cheung did not answer when asked what percentage of data from external institutions is currently shared through screen scraping by Canadian banks. She also did not answer how long banks will need to phase out the practice, but said the CBA is “eagerly anticipating greater clarity” from the Department of Finance on its plans to roll out open banking.
Department of Finance spokesperson Marie-France Faucher provided a statement that did not directly address questions about how the government will ban screen scraping given how entrenched it is among both banks and fintechs, and whether it is fair for banks to offer services to consumers that would potentially violate their own terms of service if offered by a competitor. Open banking will “protect Canadians and the financial system by prohibiting risky practices like screen-scraping,” she said.
Eyal Sivan, general manager for North America with the U.K.-based open banking technology firm Ozone API and host of the Mr. Open Banking podcast, said fintechs, banks and other financial institutions are typically reluctant to disclose they’re using screen scraping because of its well-known drawbacks and risks. “Nobody likes it. It’s a badge of shame,” he said.
But the benefits for banks outweigh the costs, because consumers demand products that can currently only be powered by screen scraping, he said. “You’re constantly adding features that are going to compel customers to stay or come over… the desire to win or retain customer business trumps the risk.”
The features offered by Canadian banks that The Logic identified as using screen scraping all help consumers get a sense of their total financial picture across institutions—“a completely reasonable thing to want to do,” Sivan said. None of the banks discuss the risks of sharing online banking credentials or disclose that using the features may violate the terms of service of other banks.
BMO’s Total Look feature, which is only available in the U.S., lets users track spending and budgets across multiple bank accounts. The feature requires users to share their online banking credentials in order to add external accounts, according to BMO’s U.S. digital banking agreement. An FAQ answers the question “Is it secure to use BMO Total Look?” by saying the bank doesn’t store any external account information and that the feature is “read only,” which means it can’t withdraw or deposit funds.
National Bank’s online tutorial on adding data from external accounts shows that users will be prompted to enter their online banking credentials when using the feature. The feature is available in Canada, according to its website.
RBC tells customers “don’t worry” in its instructions for how to link external accounts in its MyAdvisor platform, which provides online financial advice. “It’s a view of your accounts only; no money is transferred,” the guide says. The instructions display the logos of rival Canadian banks as examples of the institutions users can link data from by entering their online banking credentials.
The Logic asked the other Big Six banks if any of their products require customers to share login information for external banks. TD Bank spokesperson Julie Bellissimo said the bank “will continue to develop solutions to ensure we are meeting customer needs and expectations” until a secure alternative is in place through open banking. Scotiabank and CIBC deferred to the CBA.
Geoff White, executive director of the Public Interest Advocacy Centre, a consumer protection not-for-profit organization, said he understands it is in the business interests of banks to provide screen-scraping-powered services like these to avoid losing business to fintechs and other competitors. However, he said they should provide clear, simple disclosure about privacy and risks when they do so.
“Everybody should be able to understand where this information goes, who’s going to use it, and what happens when things go wrong,” he said. “My grandparents should be able to understand it.”
Daniel Eberhard, CEO of the online bank challenger Koho, said in an emailed statement that screen scraping is “a universally bad solution.” He said the practice has become so widespread because of Canada’s slow progress on open banking, thanks in part to lobbying from the country’s major banks.
“We’ve made no progress on open banking in a decade,” he said. “For the CBA to lobby security concerns around open banking, while ignoring how much worse screen scraping is, is preposterous.”