Redbark vs Budget Feeder: How Your Bank Data Gets Accessed Matters
Budget Feeder and Redbark both sync Australian bank transactions to YNAB, but the way they access your data could not be more different. Here's why it matters for your security and your fraud protections.
Budget Feeder and Redbark both solve the same problem: getting your Australian bank transactions into YNAB automatically. But the way they access your banking data could not be more different, and that difference has real consequences for your security and your fraud protections.
What follows is a detailed look at how each service works, what the Australian government and major banks have said about the practices involved, and why you should care.
How Budget Feeder works
Budget Feeder syncs Australian bank transactions to YNAB for $5.99/month. When you connect a bank account, your browser is redirected to illion Open Data Solutions, which handles the actual data retrieval. illion's technology works by screen scraping: you provide your internet banking username and password, illion's systems log into your bank as you, and extract transaction data from the HTML.[1]
Budget Feeder states that it "does not directly request, handle or store your banking credentials at any time"[2] -- but that's because illion does it on their behalf. Your credentials are still being handed to a third party and used to impersonate you at your bank's login page.
To address the obvious conflict with bank terms of service, Budget Feeder requires users to grant a "Limited Power of Attorney" when accepting their terms.[3] This is their legal mechanism for framing credential sharing as "authorised agent access" rather than a terms of service violation. It's a creative construct, but it has not been tested in court, and banks do not recognise it.
How Redbark works
Redbark uses Open Banking (the Consumer Data Right) via Fiskil, an ACCC-accredited data recipient.[4] The flow is:
- You click "Connect" in Redbark and are redirected to your bank's own website
- You log in directly with your bank using your normal credentials (including MFA)
- You approve a specific data-sharing consent
- Your bank issues a secure OAuth token to Fiskil
- Fiskil uses that token to retrieve your transaction data
Your banking password never passes through Redbark or Fiskil. Authentication happens directly at your bank. Consent is time-limited (maximum 12 months), scoped to specific data, and revocable at any time through your bank's consent dashboard.[5]
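The consent flow above, reduced to a toy model as an added example (not Redbark's, Fiskil's or any bank's code). The `Bank` class, the scope names and the password are constructed; only the properties stated above (login at the bank, scoped consent, 12-month cap, revocation) are modelled.

```python
import secrets
from datetime import datetime, timedelta, timezone
MAX_CONSENT = timedelta(days=365)  # the 12-month maximum stated above

class Bank:
    """Hypothetical data holder; not a real CDR or bank API."""
    def __init__(self, password):
        self._password = password  # only ever checked by the bank itself
        self._consents = {}        # token -> (scopes, expires_at)

    def login(self, secret):
        # Interactive login accepts the password only, so a token is useless here.
        return secrets.compare_digest(secret, self._password)

    def grant_consent(self, password, scopes, duration, now):
        # The customer logs in at the bank and approves specific scopes.
        if not self.login(password):
            raise PermissionError("login failed")
        if duration > MAX_CONSENT:
            raise ValueError("consent longer than 12 months")
        token = secrets.token_urlsafe(32)
        self._consents[token] = (frozenset(scopes), now + duration)
        return token

    def revoke(self, token):
        # Consent dashboard: access is withdrawn without changing the password.
        self._consents.pop(token, None)

    def fetch(self, token, scope, now):
        # The recipient presents the token; the bank re-checks it on every call.
        scopes, expires_at = self._consents.get(token, (frozenset(), now))
        if now >= expires_at:
            return "denied: consent expired or revoked"
        if scope not in scopes:
            return "denied: outside consented scope"
        return f"ok: {scope}"

def demo():
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed date
    bank = Bank("constructed-password")
    token = bank.grant_consent("constructed-password", {"transactions:read"},
                               timedelta(days=90), now)
    results = [bank.fetch(token, "transactions:read", now),
               bank.fetch(token, "payments:write", now),   # never consented
               bank.login(token),                          # token is not a password
               bank.fetch(token, "transactions:read", now + timedelta(days=91))]
    bank.revoke(token)
    results.append(bank.fetch(token, "transactions:read", now))
    return results
```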
Why the difference matters
1. You may lose fraud protection from your bank
Under Australia's ePayments Code, you must not voluntarily disclose your passcodes to anyone, including family members (Clause 12.2).[6] If your account is compromised after you've shared your credentials through a screen scraping service, your bank can argue you contributed to the loss by breaching passcode security requirements, and refuse to reimburse you.[7]
The Treasury's own discussion paper on screen scraping states explicitly that "consumers who share login details through screen scraping may lose protections available to them under the ePayments Code to be indemnified for losses caused by unauthorised transactions."[8]
With Open Banking, your credentials are never shared with a third party, so this liability question doesn't arise.
2. Screen scraping doubles your fraud risk
CBA's fraud analytics team found that customers with logins via a data aggregator are two or more times more likely to experience fraud, a result that was statistically significant at a 95% confidence interval.[9] CBA's general manager of government, industry and sustainability described sharing usernames and passwords as "a fundamentally unsafe practice, both in the signals it sends about the importance of these credentials, as well as the storage of these credentials outside the bank's ecosystem."[10]
3. Third parties get ongoing, uncontrolled access to your account
Screen scrapers store your credentials and repeatedly access your bank account to fetch updated data. The Bank Policy Institute notes that "using pre-saved login credentials, screen scrapers will repeatedly access a consumer's bank accounts, sometimes without a consumer's knowledge, to obtain new and up-to-date data."[11]
The Financial Rights Legal Centre documented a case where a lender continued screen scraping a consumer's bank account over 9 months after the initial loan, and at least two and a half years after the consumer had ceased contact with the lender. The consumer had no idea the lender still had access.[12]
With Open Banking, you can see exactly who has access to your data, what data they can access, and revoke that access at any time through your bank's consent dashboard.
4. Your credentials may not be stored securely
There are no set standards for how screen scrapers must store the banking credentials you provide. Axway has noted that "passwords customers share may be stored in plain text, making them more vulnerable to hacker attacks."[13] Storing millions of banking credentials in one place creates an attractive target -- a single breach could expose login details for every customer of the service.
Open Banking sidesteps this problem completely. There are no stored passwords -- only cryptographically signed OAuth tokens that cannot be used to log into your bank.
5. It violates your bank's terms and conditions
Every major Australian bank's terms and conditions prohibit sharing login credentials with third parties.[14] CommBank has a dedicated page warning customers that providers asking for internet banking credentials may be screen scraping, and recommending accredited Open Banking providers instead.[15]
Consumer advocates have pointed out that screen scraping "literally flies in the face of established electronic security norms that banks demand from their customers"[16] -- the same banks that spent years telling customers never to share their login details now have their customers doing exactly that through services like Budget Feeder.
6. The Australian Government has called it "fundamentally unsafe"
In August 2024, Assistant Treasurer Stephen Jones described screen scraping as "fundamentally unsafe" and asked Treasury to advise on "a way forward for a full and formal ban of screen scraping."[17] Jones stated: "If businesses continue to ask consumers to share their bank passwords, putting them in harm's way, it is only a matter of time before it has a severe consequence."[18]
Treasury published a formal discussion paper on screen scraping in August 2023, receiving 44 submissions from organisations including the OAIC, ACCC, Law Council of Australia, and Financial Rights Legal Centre.[19] The statutory review of the Consumer Data Right had already recommended that screen scraping be banned where CDR is a viable alternative.[20]
7. The EU has already banned screen scraping
The European Banking Authority banned screen scraping under PSD2's Regulatory Technical Standards on strong customer authentication. The prohibition was enacted via Commission Delegated Regulation (EU) 2018/389 and became enforceable on 14 September 2019.[21] Banks are required to provide dedicated APIs for third-party access. Australia appears to be heading in the same direction.
8. The industry has already moved on
Frollo, Australia's most popular money management app, disabled screen scraping for the Big Four banks by August 2022. At the time, more than 8 out of 10 new accounts linked in the Frollo app were using Open Banking.[22] Frollo's data quality analysis found that CDR data was significantly better: 14% irrelevant words in CDR transaction descriptions vs 34% in screen-scraped data, and users re-categorised screen-scraped transactions 30% more often.[23]
9. MFA is actively breaking screen scraping
In March 2025, CommBank introduced mandatory multi-factor authentication for all NetBank logins.[24] This is a practical problem for screen scraping: illion's bots can't approve an MFA prompt on your phone. Other major banks are expected to follow. Each MFA rollout degrades the reliability of screen scraping further, moving toward a point where the approach simply stops working.
Open Banking authentication is designed around MFA from the start. You authenticate once with your bank when setting up consent, and subsequent data access uses secure tokens that don't require repeated logins.
Side-by-side comparison
| | Redbark | Budget Feeder |
|---|---|---|
| Data access method | Open Banking (CDR) via Fiskil | Screen scraping via illion |
| Banking credentials | Never shared with anyone but your bank | Shared with illion to log in on your behalf |
| Regulatory framework | CDR-regulated, ACCC-accredited intermediary | No regulatory framework; potential government ban pending |
| Consent management | Visible in your bank's consent dashboard, revocable any time | "Limited Power of Attorney"; no bank-side visibility or controls |
| ePayments Code protections | Preserved | Potentially voided by credential sharing |
| MFA compatibility | Designed around it | Broken by it |
| Data scope | Limited to consented data types | Full read access to everything visible in internet banking |
| Credential storage risk | No credentials stored (OAuth tokens only) | illion stores your login credentials |
| Destinations | YNAB, Google Sheets, Actual Budget, Webhooks, Notion | YNAB only |
The bottom line
Budget Feeder and Redbark look similar on the surface: connect your bank, see transactions in YNAB. But the mechanism underneath is the difference between handing someone a copy of your house key and letting them look through a specific window you've opened for them.
The Australian Government has called screen scraping fundamentally unsafe. CBA has linked it to doubled fraud rates. The EU has already banned it. Frollo and other major Australian fintechs have dropped it. MFA rollouts are actively breaking it.
Redbark uses the system that was built to replace screen scraping: the Consumer Data Right. Your credentials stay with your bank, your consent is visible and revocable, and your fraud protections stay intact.
References
1. BudgetFeeder Security Page -- Budget Feeder describes illion Open Data Solutions as their data provider. illion Treasury Submission (2024) -- illion describes their screen scraping methodology.
3. Budget Feeder: How does use of Budget Feeder comply with my bank's terms
4. Fiskil Becomes an Accredited Data Recipient. See also Australian FinTech: NAB, Fiskil, Zepto Become Accredited Data Recipients.
5. Fiskil: Consent and CDR. See also ACCC CDR Accreditation Guidelines.
6. ePayments Code (ASIC, 2022) -- Clause 12.2 on passcode disclosure obligations.
7. BSM Law: ePayments Code May Prevent Scams. See also Dunham Shaw: Voluntary Disclosures and the ePayments Code.
8. Treasury Discussion Paper: Screen Scraping -- Policy and Regulatory Implications (August 2023)
9. iTnews: CBA reveals screen scrapers double its customer fraud propensity
10. InnovationAus: Fintech screen scraping scrap heats up
11. Bank Policy Institute: Screen Scraping -- What Is It and How Does It Work?
12. Financial Rights Legal Centre & Consumer Action Law Centre: Joint Submission to Treasury on Screen Scraping (2023). See also iTnews: Government warned screen scrapers being used to push predatory loans.
13. Axway: Goodbye Screen Scraping, Hello Open Banking
14. Skwad: Is It Safe To Connect Your Bank Account To Budgeting Apps?. See also Treasury Discussion Paper (2023).
15. CommBank: Risks of sharing your password with a third party app or service
16. iTnews: ACCC sides with banks in screen scraping warning war
17. Ashurst: Resetting Australia's Consumer Data Right. See also Treasury Ministers Media Release (9 August 2024).
18. Broker Daily: Axing screen scraping under review: Treasury. See also InnovationAus: The world has moved on: Screen scraping regulation looms.
19. Treasury Consultation: Screen Scraping -- Policy and Regulatory Implications
20. SmartCompany: Consumer Data Right review calls for screen scraper ban
21. Pinsent Masons: Screen scraping ban under PSD2 on security grounds, EBA confirms. See also EUR-Lex: Commission Delegated Regulation (EU) 2018/389.
22. FinTech Australia: Australia's most popular money management app phases out screen scraping in favour of Open Banking. See also Frollo Blog: Phasing Out Screen Scraping.
23. Open Banking Expo: Frollo -- Screen scraping doesn't come close to Open Banking data quality
24. CommBank Newsroom: CommBank strengthens online security (March 2025). See also Fiskil Blog: MFA and the End of Screen Scraping.