Screen scraping works by duplicating the data of another website. In payments, clients provide their credentials to the third-party provider (TPP), which enables the latter to access their bank account on their behalf to complete online transactions. This enables funds to be withdrawn directly from accounts.
The EBA believes that screen scraping should no longer be permitted under PSD2. The European Commission has pushed for it to be allowed as a back-up method in case a bank’s systems fail.
Jerry Norton, vice-president, financial services, at banking services provider CGI, says: “Last week, the EBA made an announcement that they reject screen scraping and do not think it should be allowed as a fall-back option.
“The point is a very specific one in the EBA’s response to PSD2. They agree with the EC’s amendments to its regulatory technical standards (RTS), but there are difficulties with the number of contradictions.”
In its statement, the banking authority explains: “The EBA... is of the view that the suggested changes would negatively impact the fine trade-off previously found by the EBA in achieving the various competing objectives of the PSD2.”
While it is ultimately down to the EC to decide, the EBA is unhappy that its guidance was overlooked when the EC pushed for the fall-back option to be permitted.
PSD2 aims to increase competition in the industry and make banking more secure for the customer, while offering greater control over personal data. The issue of screen scraping has become a tug of war between the EC and the EBA, which take different viewpoints on the security of and need for screen scraping. While the EC is backing the fintech community and calling for it to continue, the EBA is taking the opposite view, arguing that it could compromise data security.
Norton says: “Screen scraping was positioned as an alternative fall-back option should the bank not meet its PSD2 obligations, did not have the open API technology, or if the API fails.”
There are already a number of companies operating internationally that use screen scraping. These fintechs have been vocal about their objection to the EBA’s decisions, and a group of 72 companies has been working together as the European Fintech Alliance to register their opposition. The group has the support of the EC.
“This means that fintechs have to trust that 6,000 banks will develop and provide working APIs to their ‘competitors’. I am deeply concerned that these APIs could be misused to obstruct and limit the service of fintechs. There needs to be a discussion around it soon or it is going to be forbidden.”
Schardt says that the way the directive is being created places too much power over the use of data into the hands of banks, when it should be with consumers: “Banks have too much of a gatekeeper role of the information. The data belongs to the customer and not to the bank, yet they are making the decisions on how it is being used.”
Even if there is an agreement, Schardt is concerned about the potential quality of the application programming interface (API) platforms that are installed by the banks and how the fintechs will be able to access them: “In building the open APIs, there needs to be some consistency or quality of use; at present there is none.”
He adds that enforcing the directive would give banks a lot of power over their competitors: “With the current proposal, fintechs would be technologically dependent on each individual bank. Banks would thus get the power over the development of the fintech industry.”
Norton says there is a stand-off between the two organisations, especially after the EBA decided to reject the suggestions of the EC: “There hasn’t been a compromise offered so far. The EBA has proposed an alternative approach to the RTS, which it feels would enable the EC’s objectives to be met. There may have to be some level of compromise as PSD2 is set to go live in six months.”
There are also further complications on which parties are backing the ban. In general, banks are against the changes. There are, however, some exceptions to this because of the cost of updating internal systems. Norton says: “Some banks take a different view, however. There are some that embrace the push for change. Others are wary of the amount of time and expense it will take to update their systems to open APIs.”
A final decision by the EC could be far-reaching. Beyond screen scraping, PSD2 would also overrule how banks in the UK in particular operate. Norton explains: “The step will overrule many bank terms and conditions in the UK, which state that a customer should not share their credentials. The EC legislation would overrule that and it would make including this clause illegal. This is despite the banks arguing that screen scraping is not secure.”
Schardt welcomes the idea of third-party providers having to identify themselves to the bank to prove they are legitimate companies. This is applicable both ways, he says, whether it is a customer-facing interface with screen scraping or a dedicated interface with an API. It means screen scraping with identification can continue and is fully PSD-compliant.
He says: “The process should be allowed to continue as it has been for a number of years with additional elements of authentication. TPPs will be identifying themselves and having a certificate of proof that they are a legitimate, recognized and licensed company.”
Schardt says it is possible there will be more movement in the coming weeks; an agreement needs to be finalized by September so that PSD2 can go ahead in January 2018 as scheduled: “The decision needs to be made sooner rather than later. They cannot decide level two of the regulation is in contradiction to level one. For PSD2 to still go ahead on time they need to work on an agreement.
“It is possible the EC will publish the final text on the RTS before the summer break.”