This month’s Interface is dedicated to the status of ‘screen scraping’ under PSD2. Is the EBA about to make a U-turn on the ban it included in its final draft RTS? It could be a hugely significant milestone in the EU’s ambitions for data-sharing and, more generally, for the development of API banking. Some say that’s a mild understatement!
As it stands, screen scraping will not be permitted under PSD2. The EBA’s final draft RTS, published in February, made it clear that:
“the EBA interprets the security requirements under PSD2 as meaning that the TPPs will no longer be able to screen scrape” … and that it “will no longer be allowed once the transition period under Article 115(4) PSD2 has elapsed and the RTS apply.”
The proposed ban has triggered open and extensive lobbying from both sides. The European Banking Federation (EBF) has formally requested that the EU Commission support the ban, largely on the grounds that screen scraping does not offer sufficient security. It has even released a video to support its argument.
“The EBF fears that the privacy of client data, cybersecurity and innovation are put at risk if the Commission does not fully endorse the EBA standards.”
The fintechs have counter-argued, publishing a strongly worded manifesto, signed by 65 European fintech firms, that sets out their reasoning.
“However, if the RTS were adopted as they currently stand, then the mandatory use of newly developed, proprietary dedicated interfaces would inevitably give Banks (ASPSPs) full control regarding any future innovation on the financial services space. Each new functionality would have to be approved by each single Bank (ASPSP), which would lead to 3 fragmented markets at various levels.” and that “[T]he only functioning technology used for bank-independent [payment initiation services] and [account information services] must not be foreclosed.”
Now, three months after the EBA published its final draft RTS, the European Commission is starting to voice its opinion. In a speech on European financial integration delivered in Brussels on 19 May, the EU Commissioner for financial services, Valdis Dombrovskis, called on the EBA to rethink its position: not to ban screen scraping outright, but to hold it in reserve as a back-up mechanism should bank interfaces fail to function properly.
“We are developing a comprehensive strategy on financial technology, to foster innovation while ensuring a level playing field,” he said. “We will therefore ask the European Banking Authority to have another look at the draft standards for data interfaces, and at proposals to allow fintechs access to the customer facing interface, whenever the dedicated interface breaks down or is not performing properly. This would safeguard the continuity of access for fintechs, while still allowing banks to require fintechs to use dedicated interfaces in normal conditions.”
What this means is that if a given bank’s API is down or is not working properly, a TPP will be able to fall back to screen scraping. This is broadly in line with what the fintech manifesto argues for.
There is a nuance, however. In their manifesto, the fintechs argue for ‘Secure Authenticated Direct Access’, which they define as screen scraping (referred to as Direct Access) together with an additional secure authentication layer that lets banks know which TPP is accessing their customers’ accounts via screen scraping and see exactly what actions the TPP performs. Up to now, screen scraping has been an anonymous affair, with third parties using the customer’s own credentials to log in to the account. The bank has limited means of telling whether the account is being accessed by its customer or by a third party. (Some banks monitor for access to multiple accounts from the same IP address, a give-away sign that it is not a customer, and in some cases block that IP address.)
Mr. Dombrovskis did not say whether the EU Commission thinks this secure authentication layer should be a requirement. It clearly makes sense and should go some way to addressing banks’ concerns about the security of anonymous screen scraping, since it would let banks attribute and monitor all access that comes in via screen scraping. The assumption, then, is that anonymous screen scraping (i.e. without secure authentication) will be banned.
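To make the two preceding points concrete, here is an added example (not code from the original post, the EBF or any bank) of the “many accounts from one IP address” heuristic described above, and of how a TPP identification layer changes the bank’s response. The log format, the threshold of three accounts in five minutes, the field names and the sample log lines are all assumptions constructed for this example; a real bank would tune these against its own traffic.

```python
# Added example, not from the original post: a toy implementation of the
# "multiple accounts from one IP" heuristic banks use to spot anonymous screen
# scraping, extended with the effect of a TPP identification layer.
# Log format, field names, window and threshold are assumptions for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic):
# "<ISO timestamp> <source ip> <account id> <tpp id, or '-' if anonymous>"
SAMPLE_LOG = """\
2017-05-19T09:00:01 198.51.100.7 ACC-1001 -
2017-05-19T09:00:03 198.51.100.7 ACC-1002 -
2017-05-19T09:00:05 198.51.100.7 ACC-1003 -
2017-05-19T09:00:06 198.51.100.7 ACC-1004 -
2017-05-19T09:00:08 198.51.100.7 ACC-1005 -
2017-05-19T09:01:00 203.0.113.9 ACC-2001 -
2017-05-19T09:05:00 203.0.113.9 ACC-2001 -
2017-05-19T09:10:00 192.0.2.44 ACC-3001 TPP-EXAMPLE-01
2017-05-19T09:10:02 192.0.2.44 ACC-3002 TPP-EXAMPLE-01
2017-05-19T09:10:04 192.0.2.44 ACC-3003 TPP-EXAMPLE-01
2017-05-19T09:10:06 192.0.2.44 ACC-3004 TPP-EXAMPLE-01
2017-05-19T09:10:08 192.0.2.44 ACC-3005 TPP-EXAMPLE-01
2017-05-19T09:20:00 198.51.100.7 ACC-1006 -
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, tpp_id or None)."""
    ts, ip, account, tpp = line.split()
    return datetime.fromisoformat(ts), ip, account, (None if tpp == "-" else tpp)


def classify_access(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: verdict} for every source IP seen in the log.

    'block'  : more than `threshold` distinct accounts within `window` from one
               IP and at least one request is anonymous: the classic signature
               of credential-based screen scraping, so the IP gets blocked.
    'tpp'    : the same access pattern, but every request carries a TPP
               identifier, so the bank can attribute and audit the access
               instead of blocking it.
    'normal' : nothing that looks like multi-account scraping.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e[0],
    )
    per_ip = defaultdict(list)
    for ts, ip, account, tpp in events:
        per_ip[ip].append((ts, account, tpp))

    verdicts = {}
    for ip, evs in per_ip.items():
        verdict = "normal"
        start = 0
        # Sliding window over this IP's events, oldest to newest.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            accounts = {account for _, account, _ in in_window}
            if len(accounts) > threshold:
                if all(tpp is not None for _, _, tpp in in_window):
                    verdict = "tpp"        # identified: log and monitor
                else:
                    verdict = "block"      # anonymous: treat as scraping
                    break
        verdicts[ip] = verdict
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_access(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
```

On the constructed log, 198.51.100.7 touches five accounts in eight seconds with no TPP identifier and is blocked; 203.0.113.9 only revisits its own account and is left alone; 192.0.2.44 shows exactly the same burst as the first IP but every request is attributed to a TPP, so the bank can let it through and audit it. The heuristic is easy to evade by spreading requests across many IPs and slowing them down, which is the practical argument for an identification layer over IP blocking.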
The problem, though, as the EBF points out, is that banks would then face the incremental effort of developing this extra authentication layer, and then of maintaining and operating it. So to comply with PSD2, they would not only be expected to develop a dedicated interface (API) but possibly also to build and support an entirely separate secure authentication layer for screen scraping. The end result is two interfaces to maintain for third-party access. Does this make sense, especially given that the industry is bound, at least in the medium term, to receive an API makeover anyway?
Remember also that in this scenario screen scraping is a fallback option, permitted only “whenever the dedicated interface breaks down or is not performing properly”. This implies that even banks strategically committed to building great APIs may still be required to develop a secure authentication layer for screen scraping as a back-up.
Of course, the alternative would be simply to permit anonymous screen scraping as a fallback option. But that does not appear likely.
It is not yet clear exactly what solution the EU Commission favours, nor the position of the European Parliament, which will ultimately take the decision. What is certain is that time is ticking on, and that any review process by the EBA will further delay and extend the transition period between PSD2 going live in January 2018 and the RTS becoming applicable. The latter date is 18 months after the RTS enters into force, which means we are now most probably looking at late Q1 2019 at the earliest.