Open banking hasn’t yet launched in Canada, but customers are already sharing their financial data in a way that banks, privacy advocates and policymakers have raised alarms about. Here’s what you need to know about the controversial data harvesting technique known as screen scraping.
What problem is screen scraping trying to solve?
Consumers and businesses often bank with multiple financial institutions. They want to be able to track spending, do bookkeeping and monitor their investments across all their accounts. Thanks to online banking, the data necessary to create software that would let them do those things exists. The problem is sharing it. Currently, there’s no standard, secure way for financial institutions to do that.
How does screen scraping work?
The method that regulators and privacy experts are most concerned about requires customers to give their online banking login and password to the firm that makes the spending tracker, bookkeeping application or other software they want to use. A bot then uses those login credentials to impersonate the customer and gain access to their account. The bot copies the online account’s transaction records and other data and saves it in a spreadsheet, where the software the customer wants to use can get to it.
What’s the problem with that?
The most obvious problem is that customers have to share their online banking credentials, which could enable theft, hacks and other issues if they fall into the wrong hands. Screen scraping is also prone to errors, since the bot that gathers the data has to update its code every time banks change their websites. The practice also creates a variety of problems for banks, which have to deal with the increase in traffic from screen scraping bots as well as the security and liability risks it presents. Finally, as The Logic has reported, banks and fintechs aren’t always forthcoming about their use of the practice, which means customers might not realize they’re agreeing to share their credentials with an outside firm, and might not have agreed had they been made aware of the risks.
How common is screen scraping?
The practice is widespread in Canada among big banks and fintech startups alike, since there’s currently no alternative way to make software that uses data from financial institutions. Some are concerned screen scraping has become so entrenched, it will be difficult or impossible to end the practice without a lot of disruption. Much fintech lending to small businesses, for example, relies on screen-scraped cash-flow data to determine eligibility. In 2023, the Department of Finance estimated nine million Canadians have shared their banking credentials with financial software makers.
Is anybody trying to put an end to it?
The government is in the process of implementing open banking, also called consumer-driven banking. It will require financial institutions to share certain financial data in a more secure, standardized way. Banks will have to create data feeds—called application programming interfaces, or APIs—and provide them to approved makers of financial software at a customer’s request. Customers won’t have to share their online banking credentials and software makers will only have access to the relevant data. The federal Liberals have announced they eventually intend to ban screen scraping after open banking goes live in early 2026.
TD Bank, Royal Bank of Canada and BMO jointly own Symcor, a tech company that makes a software platform designed to fetch data from banks through APIs and provide it to outside firms. That platform, called Cor.Connect, hasn’t gone live. In order for Cor.Connect and open banking to function, the banks will need to create and release APIs. National Bank is the only large Canadian bank to have done so, a feature it offers in partnership with Montreal fintech Flinks, which it owns a majority stake in.