Screen scrapers are dangerous: e-commerce in the SADC region needs a secure alternative


Murray Gardiner, MD of Bluecode Africa

When it comes to payment options, e-commerce users in Southern Africa have been massively constrained for most of the retail category’s history. Those fortunate enough to have credit or debit cards and access to a PC still face cumbersome payments, with 3D Secure and bank authorisations required to prevent online fraud.

The only other safe option is to use an electronic funds transfer (EFT). The trouble with that is that it’s slow and expensive. In a bid to get around the latter issue and open up e-commerce markets, a number of fintech companies have exploited gaps in the rules to create a workaround. It’s called screen scraping – and it’s dangerous.

Screen scraping involves third-party companies accessing consumer bank accounts by offering a portal that mirrors the bank’s online banking interface and feels like a typical online banking login page. The customer unwittingly enters their banking credentials, which are then captured and stored by the third-party fintech company. As a result, the third party can log in to the customer’s account as if it were the customer, and the bank is unable to detect the difference.

Not Open Banking

In a bid to defend this practice, the companies behind it claim that it is analogous to Open Banking, the system of allowing access to and control of consumer banking and financial accounts through third-party applications. But this is a false equivalence. European Open Banking laws were designed to improve efficiency, empower consumers, and level the playing field in payments by allowing customers to decide who can have access to their accounts for payment authorisation in a safe and secure manner. Additionally, the third parties who make use of these Open Banking provisions are well regulated and work directly with banks and financial institutions to access customer accounts in a faster and more secure way.

In South Africa, screen scrapers ignore the rules and operate under the radar. The consumer assumes that the payment is safe, secure and regulated, but it is not. And as much as the screen scraping companies might insist that they keep customer information safe, they cannot guarantee that this is the case. Also, because the service is neither approved by nor aligned with the bank, if the bank changes its web portal the screen scrapers have to catch the change quickly to avoid failed transactions. This is to say nothing of the excessive fees charged for the ‘convenience’.

At the same time, as e-commerce becomes increasingly important to the Southern African retail space, it’s pivotal that outlets do everything they can to steer clear of fraud risk. But most attempts to reduce fraud conflict with providing a good customer payment experience. For example, current card-based services, especially from an e-commerce perspective, require interactions that slow the transaction process down and increase costs and points of failure in transaction processing. The costs and limitations of card-based payments place a burden on retail and limit who can have a card and who can accept card payments.

A different approach

So, how do retailers provide a great e-commerce experience while keeping customers safe? What’s needed is a mobile, contactless, secure, cost-effective payments service that is instant. In order for that to happen, countries must eventually embrace true Open Banking. Additionally, the banking industry must develop secure control systems and protocols that require third-party providers to be identified and authenticated by banks as they access customer data. At a minimum, consumers should be warned about the risk they carry.
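As an added illustration that is not part of the original article, the following constructed Python model contrasts the two access patterns described above: a bank that only sees a username and password cannot tell the customer from a screen scraper replaying stored credentials, whereas delegated access carries the identified third party and its consented scope on every request, so the bank can limit, attribute and revoke it. All names, credentials, scopes and the `Bank` class are made up for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data (a real bank stores a password hash, never the plaintext).
CUSTOMER_PASSWORDS = {"alice": "correct-horse"}

@dataclass
class Bank:
    audit: list = field(default_factory=list)
    tokens: dict = field(default_factory=dict)  # token -> (customer, third party, scopes)

    def password_login(self, user, password):
        # Credential-based access: whoever holds the password is indistinguishable from the customer.
        ok = hmac.compare_digest(CUSTOMER_PASSWORDS.get(user, ""), password)
        self.audit.append({"user": user, "via": "password", "ok": ok, "tpp": None, "action": "full_access"})
        return ok

    def issue_delegated_token(self, user, tpp, scopes):
        # Delegated access: the bank records which registered third party (tpp) the
        # customer authorised and for which actions; a simple mapping stands in for the real flow.
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, tpp, frozenset(scopes))
        return token

    def delegated_access(self, token, action):
        user, tpp, scopes = self.tokens.get(token, (None, None, frozenset()))
        ok = action in scopes  # least privilege: unknown/revoked token or unconsented action is refused
        self.audit.append({"user": user, "via": "token", "ok": ok, "tpp": tpp, "action": action})
        return ok

    def revoke(self, token):
        self.tokens.pop(token, None)  # customer or bank withdraws consent for this third party

def attributable_entries(bank):
    # Audit entries in which the bank can name the third party that acted.
    return [e for e in bank.audit if e["tpp"] is not None]

def demo():
    bank = Bank()
    bank.password_login("alice", "correct-horse")  # the customer
    bank.password_login("alice", "correct-horse")  # a scraper replaying stored credentials
    scraper_visible = len(attributable_entries(bank))  # 0: both sessions look like alice
    token = bank.issue_delegated_token("alice", "tpp-example", ["initiate_payment"])
    pay = bank.delegated_access(token, "initiate_payment")      # True, logged against tpp-example
    read = bank.delegated_access(token, "read_transactions")    # False: outside the consented scope
    bank.revoke(token)
    after_revoke = bank.delegated_access(token, "initiate_payment")  # False: consent withdrawn
    return scraper_visible, pay, read, after_revoke, len(attributable_entries(bank))
```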

At the same time, payment regulations should be reviewed to ensure that legacy rules and constructs do not stifle innovation. Instead, they should encourage innovative new payments services that provide for data security and good practice. If banks wish to enter into agreements for secure account rail-based payments, regulation should not get in the way but rather promote secure alternatives for participating qualified financial institutions and payment service providers. Rather than siloed, bespoke QR payments or a domestic card scheme, the industry needs to embrace an open-loop domestic account rail scheme. We have an opportunity to embrace the future and not entrench the legacy technology.

As risky as screen scraping can be, it’s important to realise that it is a response to demand first seen in Europe. More specifically, the fintechs were able to copy and import an unsound foreign practice because monetary authorities and industry bodies in the region have not yet provided an alternative to card scheme-based services. If they instead provided a low-fee, instant, secure, anonymous, non-card-based token service on the account rails, the threat of screen scraping would dissipate significantly, and e-commerce could make significant strides forward and include the majority of consumers.
