PSD2 and screen-scraping – both sides of the debate

Financial institutions and fintech firms across Europe are currently preparing for the launch of the second iteration of the Payment Services Directive (PSD2), which is due to come into force in January 2018. One of the key aims of PSD2 is to stimulate competition in the payments industry, partly by allowing authorized third parties to access banks’ customer data, as long as the customer has given his or her consent.

One of the big debates that has emerged in the build-up to PSD2 surrounds ‘screen-scraping’. European banks have argued that this practice, if it is allowed to continue under PSD2, could pose a risk to data privacy, cybersecurity and innovation.

Fintechs, however, have insisted that screen-scraping is a well-established methodology that functions effectively and provides a platform for third-party providers (TPPs) to compete with banks.

What is screen-scraping?

Screen-scraping refers to the practice of machine-reading screen display data from one application and translating it for display on another. It has been used, legally, across various industries for a number of years.

An example of how this process could work in the financial services industry is a third-party app that, upon receiving the customer’s consent, uses screen-scraping – or ‘direct access’, as fintechs prefer to call it – to acquire that person’s bank account information in order to complete a transaction.

Requiring banks to share data with TPPs is one of the key aspects of PSD2, but there is much debate around whether screen-scraping is the best way to do it. Application programming interfaces (APIs) enable data-sharing, but it has been argued that relying solely on APIs puts too much power in the hands of the banks.

If screen-scraping is banned, it could have a big impact on many fintech firms and how they do business.

What do the banks say?

The European Banking Federation (EBF) – a coalition of 32 national banking associations from across Europe – has called on the European Commission to uphold a recommendation from the European Banking Authority (EBA) to effectively ban screen-scraping, which it argues puts data privacy, cybersecurity and innovation at risk.

According to the EBF, screen-scraping makes it possible for third parties to access bank accounts by “impersonating” the customer. It argues that this raises issues from a customer protection standpoint, partly because it could be possible for the third party to access all of an individual’s sensitive financial data, not just that required for one particular transaction.

There is also the question of who accepts liability if something goes wrong with the transaction, especially as screen-scraping often requires the consumer to pass on their standard sign-on credentials, leading to potentially major ramifications if they end up in the wrong hands.

Essentially, the EBF’s position is that screen-scraping is an outdated, first-generation technology that should be replaced by APIs, which it sees as a more secure way of enabling direct access to customer data for third parties.

The banking industry group raised concerns that the European Commission “appears to be willing to go against the EBA advice and may let screen-scraping continue”.

Wim Mijs, chief executive officer of the EBF, said: “The development of PSD2 can be compared to designing a new plane. You develop highly secure, innovative and sophisticated systems to make it fly. But what happens now, in the final development stages, is that the designers are required to put a heavy diesel generator on board. This plane then becomes too heavy to fly. If banks are forced to accept screen-scraping then PSD2 will never fly the way it was intended.”

What do fintechs say?

Dozens of organizations representing the European fintech sector recently came together to form a coalition with the express purpose of fighting the proposed screen-scraping ban.

The Future of European Fintech Alliance released a statement outlining its position and addressing some of the concerns raised by banking associations. It stated that screen-scraping is a “well-established and well-working technology” that European fintechs have been using for 15 years, facilitating hundreds of millions of payments and account aggregations at the request of consumers. It is believed that, during this time, there have been no instances of data leakage or compromised credentials.

Furthermore, the group stressed that there is no direct ban on screen-scraping. “The EBA explicitly accepted already that direct access is PSD2-compliant – i.e. banks are allowed to rely on their online banking websites for granting direct access to the bank account (using screen-scraping) in line with PSD2,” it said. “The debate therefore is not whether direct access is legal, but whether those banks, who don’t like it, should be allowed to block it.”

The Future of European Fintech Alliance made a number of other points, referring to issues including banks’ emphasis on “impersonation”. It noted that “no-one proposes to allow impersonation any more”, with the obligation for TPPs to identify themselves being accepted long ago.

So what can we take from all this?

In a recent article, American Banker pointed out that this complex, multifaceted issue can appear very different depending on the angle you are looking from.

As far as consumer protection is concerned, screen-scraping can raise the risk of phishing attacks, so it’s understandable that banks would want to have greater control over customer data through APIs.

On the issue of responsibility for fraud, Gareth Lodge, a senior analyst in Celent’s banking group, said: “It gets very murky, very quickly. APIs give much tighter control over flow of data.”

It’s possible that making a wholesale transition from screen-scraping to APIs could spur valuable innovation and technological development. Mr Lodge noted: “Banning screen-scraping would force banks to do things they should have done ten years ago. In the short term, [innovation] might lose out. Longer term, we should all benefit – including fintechs.”

However, the alternative take on this is that relying entirely on bank-owned APIs gives established institutions too much power. The Future of European Fintech Alliance argued that appointing banks to a “gatekeeper” role would be anti-competitive and damaging to innovation.

APIs may well be the way forward, but does this mean screen-scraping should be stopped altogether? Zach Perret, co-founder of Plaid, which builds APIs for banks, said banning screen-scraping is “like banning mail because email exists”.

Whatever position you take, one thing that’s absolutely clear is that the European Banking Authority’s final decision on this matter will have major ramifications for the financial services industry.

 


Written by Andy Brown


Andy is marketing director for payments at NCR. He has nearly 30 years' experience in e-payment systems, spanning the delivery and support of systems in the Far East and Europe, from both the product management and marketing perspectives. Based in the UK, Andy is responsible for marketing NCR payment solutions.
