PSD2 and EBA Update: The Good News and The Bad

I welcome the banning of screen scraping. It is inherently insecure technically, and it makes phishing attacks more likely by encouraging users to enter banking credentials into non-bank websites. The argument that there will be a problem "before these new interfaces are ready" is spurious. The new interfaces (APIs) have to be available from Jan 2018, and PSD2 Article 109 allows a 6 month transition period thereafter during which existing PSPs can continue screen-scraping while migrating to the new APIs.

The screen-scrapers' business model depends on free-riding on services that banks built and continue to pay for. There is a strong case that AISPs & PISPs should make a fair contribution to the costs of building and maintaining those information and payment services. They should be grateful that the only requirement placed on them is to access those services in a controlled and secure manner.

I agree with Chris, the SCA related changes are good news, but banning screen scraping would definitely "stifle innovation" - big time, actually! Security wise, I can't see fundamental differences between direct and indirect access and the same applies to the free-riding argument. For the rest, let me re-post here what I commented earlier today to the article itself:

Driving competition into Financial Services by banning screen-scraping is like promoting electrical cars without allowing them on to public streets. Banks can always be a step ahead if competition is forced to use their (API) back entrance instead of their shiny (online banking) front door. Imagine where telecoms, electricity and railways competition would be today if incumbents had been allowed to keep their access infrastructure exclusively for themselves and lay new wires, powerlines and rail tracks for their competitors to use. How naive can one be?

On the other side, I can easily imagine many banks not wanting to bear the cost and effort of duplicating their access channels and maintaining them to the same performance level.

Allowing both direct and indirect access is a win-win, because banks are not forced into unnecessary API investments, but those who do are motivated to really keep it at par with the direct access offered to their own clients. Or – dare I say – make it even better, because that is the secret of companies who managed to build a whole ecosystem around them!

Ralf, I don't follow your logic regarding free riding. If a company invests in new wires, powerlines, and rail tracks, do you think they should then be forced to allow other companies to use them free of charge? What would be the incentive to build them? That's not the way the market works!

Your example of public streets is misleading - streets are funded from the public purse, for the public good. If a private company funds the building of a road from its own pocket, of course it has a right to charge a toll for usage.

Regarding security, when I access Internet Banking direct from my browser, the data (including my security credentials) are encrypted end-to-end. When a screen-scraper is used, it introduces a break in encryption between my browser and the bank, presenting a new attack vector for hackers.

IMO, fintechs - AISPs and PISPs in EBA parlance - are wasting their time over PSD2. If they focused on delivering a strong value proposition for their alternative products / services - instead of telling customers to skip that $5 coffee - customers will hand them their banking creds without blinking an eyelid.

Innovative Fintechs Don’t Need No PSD2 Regulation

If they're not convinced with this logic, let's see how they'd react to a two-sided regulation where banks - ASPSPs - should get fintechs' customer info. Like I pointed out on Instead Of Open Banking Should Industry Push For Open Everything?, if customers have the right to have their fintechs analyze their banking transaction data, they equally well have the right to have their banks analyze their fintech transaction data.

Naturally, each party must pay for what it accesses from the other party.

On another note, if screen scraping happens without identification, *whose* screen-scraped info is piped into *my* PFM account?

@Tom - rightly or wrongly, PSD2 forces banks to provide XS2A free of charge, no matter if direct or indirect. Forcing them to invest into an additional indirect (API) access possibility by denying the use of their existing direct (online banking) access makes it more costly to them. If they provide a great API, this investment may pay back. If they provide a bad one, it's a lose-lose for both sides of it. I think it is naive to believe that an RTS can force them to provide a "good one". That is impossible to measure and enforce, and naturally, banks will try to minimise their cost of compliance, unless they really see this as an opportunity, which only a few seem to do. The better way is to allow direct access and give banks the choice of a) do nothing and save their money or b) create a fantastic API and ecosystem around them.

The Goods and The Bads have been nicely narrated by Chris. The Updates definitely plays a crucial role in psd2 and eba. Thanks for sharing, Chris. 

@Tom, @Ralf, If there's an API and screen scraping for account information, developers will take the API every time.  Screen scraping is horribly brittle and really nobody wants to do is that doesn't have to.  Fine if it is also banned but the ban is superfluous IMO.  

Now, rules aside, charging for API use is in all but a few cases a really bad idea, and will likely kill adoption for any bank that goes that route.  Savvy banks will be thinking about how to build both all their 1st party experiences on their APIs as well as built an ecosystem of 3rd party experiences on those same APIs.  Some of the most successful API programs I know of have figured out how to align business models to even pay developers to use their APIs.