
Understanding APIs, reverse engineering, and screen scraping

If you are looking at offering open banking for your business, you may have come across these terms. Let’s take a look at what they mean, how they are used, and what questions to ask your potential technology partners.


APIs – the main way TPPs gain access to open banking data

The main way Third Party Providers (TPPs) in open banking – such as Yolt – gain access to account information is through APIs, or ‘Application Programming Interfaces.’ This technology can be thought of as the building blocks of digital services and is widely used by companies the world over. Think of Uber. Rather than spending enormous amounts of money to build its own maps, payments, and messaging services, it uses APIs from companies such as Google, Adyen, Twilio and Sendgrid to integrate these services into its own app.

With regard to open banking, businesses can use APIs to embed open banking services such as payments or account information into their own businesses. For an example, see: How Jortt leverages open banking to automate SMB accounting.

Screen scraping – a less common method to access open banking data

There is another, less common method to gain access to bank accounts. Screen scraping, also known as direct access, allows TPPs to access your online bank account using your login credentials. With the credentials stored in their database, the TPP impersonates the user and gathers data by scraping the whole content from the account’s webpages.

It is important to note that traditional screen scraping, where TPPs impersonate the customer, was banned by the European Commission in 2017. However, screen scraping+, where TPPs can identify themselves to the banks as acting as TPPs, is still allowed.

Screen scraping was introduced because at that point there were no alternatives, but it carries several risks: TPPs can theoretically access information that the end customer has not necessarily consented to, it is not regulated, user login credentials may be at risk, and data connections to banks can be unreliable. For these reasons it is not advisable to use screen scraping as a method to access open banking data.

Reverse engineering APIs

APIs are far more secure than screen scraping. However, there are different ways that TPPs can build APIs, and some are more secure than others.

Reverse engineering involves the TPP building its own API to gain access to the customer’s account by analysing the information shared between the customer and the bank on the bank’s customer interface. A reverse-engineered API enables the TPP to interact with the bank’s server in the same way as the bank’s app does. However, it means that the TPP needs to store user credentials on its own servers. This is an extra security risk, and it also runs counter to the spirit of PSD2, which should ensure that customer credentials are never shared with any party other than the bank.

The gold standard in security and privacy – PSD2 APIs

By contrast, TPPs such as Yolt can build their own APIs to strict PSD2 standards and do not store customer data on their servers. This has a number of benefits, including greater privacy for end users and greater security for all stakeholders.

If you are looking to partner with an open banking TPP, it is wise to ask whether they use screen scraping and/or reverse engineer their APIs, and to think critically as to whether the risks involved are worth it. Or you can partner with a TPP such as Yolt, which builds APIs to PSD2 standards without any screen scraping or reverse engineering practices.
