European banks lobby Commission to push ahead with screen scraping ban

European banks lobby Commission to push ahead with screen scraping ban

European banks say that privacy of client data, cybersecurity and innovation are at risk should the European Commission bow to the demands of fintech firms and backtrack on plans to ban screen-scraping under the revised Payment Services Directive, PSD2.

Earlier this month, sixty organisations representing a broad cross-section of fintech businesses across Europe joined forces to protest against new rules by the European Banking Authority that would ban screen scraping of customer data from online banking interfaces.

While PSD2 is intended to spur competition and innovation by opening up access to customer data, fintech businesses fear the reforms will provide banks with the means to control what data is shared, putting new entrants at a disadvantage.

The European Banking Federation has dismissed the objections, referring to screen scraping as an inferior first-generation direct access technology that would be superseded by APIs empowering clients to decide for themselves which data can be accessed by third parties.

The BF has produced a jaunty video to support its case.

The Federation's intervention comes amid fears among banks that the European Commission appears willing to reject the EBA advice and may let screen-scraping continue, forcing banks to maintain at least two interfaces and making it more difficult to protect the privacy of account holders.

Wim Mijs, chief executive officer of the EBF, states: “The development of PSD2 can be compared to designing a new plane. You develop highly secure, innovative and sophisticated systems to make it fly. But what happens now, in the final development stages, is that the designers are required to put a heavy diesel generator on board. This plane then becomes too heavy to fly. If banks are forced to accept screen-scraping then PSD2 will never fly the way it was intended.”

Comments: (6)

Russell Bell
Russell Bell - Fastbase Ltd - Wellington 17 May, 2017, 03:09Be the first to give this comment the thumbs up 0 likes

Screen-scraping is hardly the technology of choice for a third party, it's a right pain.  But it's better than a bad API or an API that doesn't exist. Screen-scraping at least sets the low bar.  Why outlaw it ?  Only anti-competitive reasons I can see.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 17 May, 2017, 13:36Be the first to give this comment the thumbs up 0 likes

Let fintech allow banks to screen scrape fintech apps. Then banks won't protest fintech's demand to screen scrape banking apps. On a side note, who is responsible for leakage / loss of customer data during a screen scraped session used by a third party (vs. customer)? In fact, is it even technologically possible to determine whether a screen-scraped session is used by first party (i.e. customer) or third party (i.e. fintech / bank)?

A Finextra member
A Finextra member 17 May, 2017, 17:073 likes 3 likes

The objective of PSD2 is to promote competition and transparency in financial services across the EU, following the guiding principles of business model and technology neutrality and promoting a level playing field.

It would be the first time in history that competition is promoted by banning the way new entrants in a market do business. It would also not be business and technology neutral to ban a specific technology. In addition according to European law a level 2 legal text cannot ammend a level 1 text, which is what the last EBA draft was doing.

@ketharam according to PSD2 TPPs have to identify themselves towards the banks with an electronic certificate. It is a piece of cake for banks to setup mutual certificate authentication. Regarding identification of a screen scrapping session, it is relatively easy if it is done in large numbers.

@Russell I agree good APIs are better than screen scrapping. The only way to have good APIs is via competition with screen scrapping, otherwise the incentive is not there.

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 17 May, 2017, 17:17Be the first to give this comment the thumbs up 0 likes


Very well then, fintech should setup "mutual certificate authentication" for banks, allow banks to screen scrape fintech apps, show banks how easy it is to identify banks accessing each screen-scraped session. Since fintech prides itself on agility vis-a-vis banks, fintech should be able to do all this in no time, thereby not threatening PSD2 timescales.

Ralf Ohlhausen
Ralf Ohlhausen - Pay Practice - Stuttgart 19 May, 2017, 16:38Be the first to give this comment the thumbs up 0 likes

Banks are already screen scraping themselves and others - heavily! If the RTS is amended accordingly, they will be able to continue, including PSD2-licensed fintechs that qualify as an ASPSP.

This video is not jaunty, but scandalous. Portraying soon-to-be-licensed fintechs as cybercriminals is a disgrace. And it is confusing screen scraping with impersonation, and actually calling to ban that, which no one is contesting. That is beating a dead horse.

What they forget to say is that it is the banks themselves that do not want to allow fintechs to identify themselves when using their customer-facing online banking interface, because that is the only way they can refuse their access - according to the latest RTS draft.

This is what really has to change to stop impersonation and limit Direct Access to licensed, supervised and audited fintechs only - and keep the criminals away!

Arjeh Van Oijen
Arjeh Van Oijen - Icon Solutions - Amsterdam 30 May, 2017, 17:00Be the first to give this comment the thumbs up 0 likes

Many banks in Europe already use a 2-factor authentication and if not, need to have it implemented when RTS comes into force. This makes screen scraping a very (end-)user unfriendly exercise. It is not possible anymore to leave a userid/password with TPP as 2FA requires an action from the end-user with a specific device that only the end-user has access to. This means that each time a payment is initiated or account info is retrieved through screen scraping an action by the end user is required. And this is different per bank. I can't imagine why Fintechs want this and how this is going to differentiate them from the banks.

The (final draft) RTS states that the APIs of the banks need to match the functionality and service levels that the banks offer to the end user via their own channels. With this the APIs should at least give Fintechs the same level of access as screen scraping does. This makes me wonder why Fintechs believe that they are better of with screen scraping than with APIs.

The question may be raised what authority will be assigned to take what measures if a bank does not meet that RTS rule. Possibly this is defined in the transition of PSD2 into the local jurisdiction of the concerning countries. The discussion could be closed if everything was not left that much in the open, but the APIs that banks must implement are clearly specified, as is the case with a comparable initiative in India, UPI.