Yesterday, November 27, the European Commission published the final version of the long-awaited PSD2 Regulatory Technical Standards on Secure Communications and Secure Customer Authentication. The SCA RTS was accompanied by a press release and a Memo, which is effectively a Q&A document.
One of the hottest topics, and the subject of intensive lobbying on both the banking side and the fintech side, has been the so-called "screen scraping". In general terms, the banking side favored banning screen scraping on the grounds of security and cost. The fintech side favored keeping screen scraping as a safety net for situations where APIs don't function properly. If you are interested in the subject, I suggest you read the elevator vs staircase trilogy I wrote a while ago to fully understand it. You can start here. Alternatively, you can watch this short video to understand the fintech side of the debate.
Bear in mind that this is the first time an industry is forced to give free access to its customers' data to a potential competitor. In some cases it might be a win-win situation, but not necessarily, so there are plenty of reasons to justify the positions of both sides. However, it is undeniable that there will be many situations where there is no adequate incentive to provide an industrial-strength API service.
Now that the final SCA RTS is published, the debate is over. Well, it will be over if both the European Council and the European Parliament approve this final document, which I presume they will. Although I might be proven wrong.
And what does the SCA RTS say in this regard? I will use the Q&A document for this, as the answer is clear cut.
To the question "What data can TPPs access and use via 'screen scraping'?", the Commission answers: "With these new rules, it will no longer be allowed to access the customer's data through the use of the techniques of 'screen scraping'." So, it's game over for screen scraping in the context of PSD2.
At least, for screen scraping as we knew it. Because according to the Commission, "Screen scraping means accessing the data through the customer interface with the use of the customer's security credentials. Through screen scraping, TPPs can access customer data without any further identification vis-à-vis the banks." In other words, what the RTS is preventing is access to customer data without proper identification of the third party towards the bank (the ASPSP in PSD2 terms) that holds the customer data. For those interested in the details, this is described in Article 32, "General obligations for access interfaces". So this is something that is required both for the dedicated interface (a.k.a. API) and for what was previously called direct access (also briefly called "the interfaces used for authentication and communication with the account servicing payment service provider's payment services users", a.k.a. electronic banking).
So, the RTS still gives the bank a choice of two interfaces: implementing a dedicated interface/API, which is the best possible interface if it is well implemented and cared for, or implementing electronic banking with a TPP identification layer in front of it.
In case a bank decides to go the API route, it will also have to set an identification layer in front of the electronic banking (or share it with the identification layer of the API), which will then serve as a fallback mechanism. What this means is that third parties will have to use the API if it exists and if it works properly. In case it doesn't work properly, the third parties will be able to access via electronic banking after identifying themselves with a qualified certificate, using what was previously known as screen scraping.
There is, however, a possibility for banks to be exempted from providing a fallback mechanism. National authorities will be able to grant such exemptions to banks that, during a 6-month period, prove that their APIs perform according to a set of KPIs that are still to be defined by a mix of banks and fintechs. Of course, this exemption can be withdrawn if the API ceases to function properly for a period of time (2 weeks, according to the RTS).
Lastly, screen scraping will still be used for non-PSD2-regulated information, such as deposits, loans, pension plans, shares, investment funds, etc., unless banks choose to offer an API that works better than screen scraping of electronic banking and is either free or cheaper than screen scraping.
So the bottom line is, screen scraping is dead, long live screen scraping!