Combating the risks of screen scraping: A guide for financial institutions

Written by Venu Mandulapalli | Apr 8, 2026 2:13:51 PM

Open finance is reshaping how financial data is shared across the U.S. financial ecosystem. As regulatory expectations around consumer-permissioned data access evolve under Section 1033 of the Dodd-Frank Act, financial institutions are increasingly focused on how to provide secure, reliable access to consumer financial data while minimizing operational and security risks.

One of the most persistent challenges during this transition is the continued use of screen scraping, a legacy method of accessing financial data that relies on consumers sharing their login credentials with third parties. While screen scraping helped enable early fintech innovation, it introduces risks that are becoming increasingly difficult for financial institutions to ignore.

FDX estimates that more than 114 million accounts are connected through FDX APIs, a figure that continues to grow as institutions adopt standardized open finance frameworks. While this number continues to rise, a substantial amount of financial data access still occurs through legacy methods such as screen scraping, highlighting the continued coexistence of both models during this transition period.

Screen scraping is the automated extraction of data from user interfaces. Consumers share their online banking credentials with third parties, who then use these credentials to log in to the financial institution’s digital channels to retrieve data. Once credentials are shared, consumers often lose ongoing visibility into how their data is accessed or used.

Billions of consumer login credentials are stored outside financial institutions, increasing the risk of exposure of sensitive financial data. The CFPB has specifically warned that screen scraping creates “risks of over-collection of data, inaccurate data sharing, and the spread of login credentials.” If compromised, this concentration of sensitive financial information in third-party environments can create elevated risk across the financial ecosystem.

Recent industry breach trends have further underscored the risks associated with centralized credential storage outside financial institutions’ direct control. As regulators increase scrutiny on third-party risk management and data access practices, institutions must consider not only how data is accessed, but also how it is secured, monitored, and governed once it leaves their infrastructure.

While screen scraping enables broad connectivity, particularly where financial institutions do not yet offer secure APIs, it also introduces significant security, compliance, and user experience risks.

As open finance gains traction, institutions are increasingly seeking to deliver data via secure API connections. But the availability of APIs does not ensure that screen scrapers use them. Such parties may continue screen scraping, especially where the financial institution is smaller or the API integration is complex.

Financial institutions standing up secure API-based data access solutions should also consider implementing effective strategies to block bot traffic from screen scrapers, minimizing negative impact on legitimate users, protecting consumer data and incentivizing secure data access.

Supplementing any API access with contractual commitments from the data recipients/aggregators will allow for a more robust execution of anti-scraping strategies but will only affect those that have already committed to API access.

Anti-screen scraping strategies

Many fintechs or digital service providers that leverage screen scraped data will attest to the fact that it is an unstable solution.

For example, when a consumer resets their credentials or a financial institution updates its digital banking experience, links often break. The resulting friction can make screen scraped data unviable for fintechs: a poor user experience erodes consumer trust and can lead to attrition.

As financial institutions move along the continuum from disruption to full blocking, strategies tend to become more technically complex and cost intensive. This needs to be balanced against the level of consumer friction that is deemed acceptable, which is a decision that must be made by each financial institution.

Below are commonly deployed approaches, increasing in sophistication:

Low effort strategies

  • Updating terms of use with prohibitions on unauthorized data access and sending communications to any screen scrapers violating terms. The effectiveness of such terms may be limited, particularly if a financial institution cannot show acceptance of the terms by the entity engaged in screen scraping. Nonetheless, this is a foundational step that every financial institution facing scraping activity should take.
  • User-agent and IP blocking stops known bots based on patterns. If a scraper sends a non-browser user-agent string, the server can block all requests carrying that identifier. Similarly, repeated requests from a single IP address can be throttled or blocked using firewall rules. These controls are often circumvented by more sophisticated scrapers that rotate IPs or spoof headers, so they are most effective when paired with behavioral detection.
  • Basic CAPTCHA uses challenge-response tests to filter bots. Displaying a CAPTCHA checkbox during login or throughout sensitive workflows ensures only human users can proceed. CAPTCHA challenges can also be applied to selected workflows to reduce consumer friction.

Medium effort strategies

  • Rate limiting and behavioral detection throttle abnormal request rates and analyze behavior. A login page might allow only five login attempts per minute from the same IP address, while analyzing click and scroll patterns to identify bots. It is critical to record consumer behavior and fine-tune thresholds to ensure that legitimate users are not locked out. Step-up authentication can be required once these thresholds are reached so that legitimate consumers are challenged rather than blocked.
  • JavaScript-heavy frontends force scrapers to run complex client-side logic. For example, React-based portals that delay account data rendering until multiple asynchronous interactions occur complicate scraping attempts.
  • Session tokens with CSRF protection ensure request authenticity. By embedding unique, session-specific tokens in form submissions, servers can block forged requests, such as those originating from third-party scripts or tampered automation tools.
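The per-IP login throttle with step-up instead of lockout described in the rate-limiting bullet above, as an added example that is not code from the article or from Akoya; the "five attempts per minute" threshold follows the text, while the log line format, the sample log and the user-agent check are constructed assumptions:

```python
import re
from collections import defaultdict, deque
# Added example of the per-IP login throttle described above; the thresholds
# ("five attempts per minute") follow the text, the log format is an assumption.
MAX_ATTEMPTS = 5
WINDOW_SECONDS = 60
# Constructed sample log lines: "<unix_time> <client_ip> <user_agent> LOGIN"
SAMPLE_LOG = """\
1700000000 203.0.113.7 Mozilla/5.0 LOGIN
1700000010 203.0.113.7 Mozilla/5.0 LOGIN
1700000020 203.0.113.7 Mozilla/5.0 LOGIN
1700000030 203.0.113.7 Mozilla/5.0 LOGIN
1700000040 203.0.113.7 Mozilla/5.0 LOGIN
1700000045 203.0.113.7 Mozilla/5.0 LOGIN
1700000050 198.51.100.9 python-requests/2.31 LOGIN
1700000110 203.0.113.7 Mozilla/5.0 LOGIN
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) LOGIN$")

class LoginLimiter:
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.attempts = defaultdict(deque)  # client ip -> recent attempt timestamps

    def decide(self, ts, ip, user_agent):
        """Return 'allow', 'step_up' (require MFA instead of locking out) or 'block'."""
        q = self.attempts[ip]
        while q and ts - q[0] >= self.window:  # expire attempts outside the window
            q.popleft()
        q.append(ts)
        # Non-browser user agents are refused outright (the low-effort control above);
        # scrapers can spoof this header, which is why the rate check below also runs.
        if not user_agent.startswith("Mozilla/"):
            return "block"
        if len(q) > self.max_attempts:  # over threshold: challenge, do not lock out
            return "step_up"
        return "allow"

def evaluate_log(log_text):
    """Replay log lines through one limiter and return (ip, decision) per line."""
    limiter = LoginLimiter()
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, ua = int(m.group(1)), m.group(2), m.group(3)
            decisions.append((ip, limiter.decide(ts, ip, ua)))
    return decisions
```

The sixth attempt from 203.0.113.7 within the minute triggers step-up rather than a block, and the same address is allowed again once the window has slid past the earlier attempts.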

High effort strategies

  • Multi-Factor Authentication (MFA) adds a barrier against unauthorized logins. Even if a scraper successfully obtains a username and password, they will also need a time-sensitive OTP or biometric confirmation to proceed.
  • Passkeys offer secure, password-free authentication through cryptographic key pairs designed to replace traditional passwords for logging into websites and apps. They are resistant to phishing and are more secure than SMS, app-based one-time passwords and other forms of multi-factor authentication (MFA). The FIDO Alliance and major platform providers have promoted passkeys as a phishing-resistant authentication mechanism designed to reduce credential compromise.
  • Certificate pinning and TLS enforcement prevent MITM attacks and traffic interception. A mobile banking app might embed a certificate fingerprint in its code and reject all connections that don’t match, thereby preventing proxy-based data harvesting.
  • API-only access with UI restriction decommissions scraping surfaces in favor of secure APIs. A bank may restrict transaction data access to OAuth-based APIs and deprecate web UI pathways, requiring third parties to use approved, secure API connections.


Implementing blocking and perimeter security solutions

To effectively disrupt and/or block screen scraping attempts, financial institutions can implement a layered perimeter security architecture. The foundation of this approach is deploying a Web Application Firewall (WAF) capable of inspecting and filtering traffic based on IP reputation, request frequency, headers, and payload characteristics.

Bot management platforms — such as those from Imperva and Cloudflare — can distinguish between legitimate users and malicious bots using behavioral analysis, device fingerprinting, and anomaly detection. Session integrity controls like CSRF tokens and anti-replay mechanisms enhance protection against unauthorized automation.
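A per-session, single-use CSRF token scheme of the kind the session-token bullet above and this paragraph describe (session binding plus anti-replay), as an added example that is not code from the article or from Akoya; the HMAC construction, the server secret and the session ids are constructed assumptions:

```python
import hashlib
import hmac
import secrets

# Added example: tokens are bound to a session id with an HMAC and accepted once.
# The secret and session ids below are constructed placeholders, not real values.
SERVER_SECRET = secrets.token_bytes(32)

class CsrfTokenStore:
    """Issue session-bound CSRF tokens; each token is valid for exactly one submission."""

    def __init__(self, secret=SERVER_SECRET):
        self.secret = secret
        self.issued = {}  # session_id -> set of nonces not yet consumed

    def _mac(self, session_id, nonce):
        # Binding the nonce to the session means a token lifted from one session
        # fails verification when replayed under another session id.
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id):
        nonce = secrets.token_hex(16)
        self.issued.setdefault(session_id, set()).add(nonce)
        return f"{nonce}.{self._mac(session_id, nonce)}"

    def verify(self, session_id, token):
        try:
            nonce, mac = token.split(".", 1)
        except ValueError:
            return False  # malformed token
        # Constant-time comparison avoids leaking the MAC through timing
        if not hmac.compare_digest(mac, self._mac(session_id, nonce)):
            return False
        unused = self.issued.get(session_id, set())
        if nonce not in unused:
            return False  # never issued for this session, or already consumed (replay)
        unused.discard(nonce)
        return True
```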

Further enhancements could include integrating CAPTCHA systems for sensitive workflows, enforcing HTTPS and TLS protocols, and using Content Security Policy (CSP) headers to limit browser behavior. Financial institutions can also use device-level security and certificate pinning on mobile apps to secure communication channels and detect tampering or emulator-based scraping attempts. When layered strategically, these controls form a resilient perimeter against known and emerging scraping methods.

The rise of AI-powered scrapers and future threats

Traditional bot mitigation tools are becoming less effective against AI-enhanced scraping techniques. As screen scrapers adopt AI techniques, such as computer vision, reinforcement learning, and LLMs to mimic user behavior and bypass traditional bot detection, financial institutions must evolve their defenses. These AI-driven bots can simulate mouse movements, respond to dynamic prompts, and even recognize visual elements on the screen, rendering legacy detection strategies increasingly ineffective.

To counter these advancements, institutions should invest in adaptive security frameworks that leverage AI for threat detection, anomaly scoring, and real-time response. Technologies like behavioral biometrics, challenge-response models tailored to each session, and continuous authentication are becoming increasingly essential. Collaboration with threat intelligence providers and industry alliances focused on open finance standards can also ensure defenses evolve in sync with the threat landscape.

Conclusion

Screen scraping presents significant security, operational, and consumer protection risks due to its reliance on credential sharing and automated access to financial institution interfaces. As open finance continues to expand, these risks are receiving increasing scrutiny from regulators, financial institutions, and technology providers across the financial ecosystem.

The industry is steadily moving toward models that prioritize secure, permissioned, and standardized data access. API-based connectivity, combined with strong authentication and clear data-sharing frameworks, enables financial institutions to support consumer-permissioned data sharing while maintaining appropriate safeguards for sensitive financial information.

Addressing screen scraping requires more than implementing technical controls. Financial institutions must also evaluate how they manage third-party access, oversee data recipients, and enforce secure data access practices across their ecosystem.

By working with experienced technology partners that provide secure data-sharing infrastructure and support robust governance frameworks, financial institutions can better protect consumer data, reduce operational risk, and enable a more secure and transparent open finance environment.

Learn more

Learn more about Akoya’s Open Finance Solution.

Check your financial institution’s open finance readiness with our interactive cost calculator and assessment tool.