Screen scraping: in or out?
Amid last month’s extensive ransomware attack, made possible after cyber criminals stole hacking tools created by the US National Security Agency, the European Banking Federation (EBF) again urged the European Commission (EC) not to dismiss recommendations about screen scraping.
The EBF is concerned that the EU will ignore the advice of the European Banking Authority (EBA) to bring an end to the practice with the Payment Services Directive II (PSD2).
Around the same time, a group of 70 financial technology companies, banks and other payment services providers launched a campaign to defend screen scraping.
“The European Commission appears to be willing to go against the EBA advice and may let screen-scraping continue by requiring banks to accept screen-scraping as an additional mandatory direct access method, forcing banks to maintain at least two interfaces,” the EBF said in a statement.
“Banks are deeply concerned over this development and fear that such a choice would harm the development of electronic payment services. It would come at the expense of innovation in payment services and would make it more difficult to protect the privacy of account holders.”
Screen scraping has been hotly contested during the creation of PSD2. At the end of February, the EBA published its final draft regulatory technical standards (RTS). Within that document, it clarified the situation regarding screen scraping and the communication between account servicing payment service providers (ASPSPs), account information service providers and payment initiation service providers. The obligation for ASPSPs to offer the other two types of provider at least one interface for accessing payment account information has been maintained. This is linked to PSD2 no longer allowing the existing practice of third-party access without identification (screen scraping) once the transition period has elapsed and the RTS apply.
The EBF argues that the privacy of client data, cybersecurity and innovation are put at risk if the EC does not fully endorse the EBA's RTS.
PSD2 replaces screen scraping with two options for banks: a “dedicated interface” that gives third parties access to bank accounts on behalf of clients, or upgrades of client interfaces. The EBF says the two options ensure the continuation of direct access services in the EU in a secure way by empowering clients to decide for themselves which data can be accessed by third parties.
The EBF says the EBA standards are a common solution that ensures security and will act as a significant catalyst for innovation in the European payments market, fully compliant with the EU’s General Data Protection Regulation (GDPR).
Many in the banking industry argue that customers are trained to enter their online banking credentials into third-party websites over which banks do not have adequate oversight. Banks want to know who is accessing their customers’ data. On the other hand, non-bank payment services providers, particularly financial technology companies, argue that the ban on screen scraping is a form of bank protectionism and that it will stifle innovation in payments.
Defending screen scraping is the group of 70 organisations, called Future of the European Fintech. It says it is “seeking fair regulation” of their services under PSD2…
This is an excerpt. The full article is available in the June 2017 edition of Banking Technology.