18 August 2017

European banks lobby Commission to push ahead with screen scraping ban

16 May 2017

European banks say that privacy of client data, cybersecurity and innovation are at risk should the European Commission bow to the demands of fintech firms and backtrack on plans to ban screen-scraping under the revised Payment Services Directive, PSD2.

Earlier this month, sixty organisations representing a broad cross-section of fintech businesses across Europe joined forces to protest against new rules by the European Banking Authority that would ban screen scraping of customer data from online banking interfaces.

While PSD2 is intended to spur competition and innovation by opening up access to customer data, fintech businesses fear the reforms will provide banks with the means to control what data is shared, putting new entrants at a disadvantage.

The European Banking Federation has dismissed the objections, referring to screen scraping as an inferior first-generation direct access technology that would be superseded by APIs empowering clients to decide for themselves which data can be accessed by third parties.

The EBF has produced a jaunty video to support its case.

The Federation's intervention comes amid fears among banks that the European Commission appears willing to reject the EBA advice and may let screen-scraping continue, forcing banks to maintain at least two interfaces and making it more difficult to protect the privacy of account holders.

Wim Mijs, chief executive officer of the EBF, states: “The development of PSD2 can be compared to designing a new plane. You develop highly secure, innovative and sophisticated systems to make it fly. But what happens now, in the final development stages, is that the designers are required to put a heavy diesel generator on board. This plane then becomes too heavy to fly. If banks are forced to accept screen-scraping then PSD2 will never fly the way it was intended.”

Comments: (6)

Russell Bell - Fastbase Ltd - Wellington | 17 May, 2017, 03:09

Screen-scraping is hardly the technology of choice for a third party, it's a right pain. But it's better than a bad API or an API that doesn't exist. Screen-scraping at least sets the low bar. Why outlaw it? Only anti-competitive reasons I can see.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 17 May, 2017, 13:36

Let fintech allow banks to screen scrape fintech apps. Then banks won't protest fintech's demand to screen scrape banking apps. On a side note, who is responsible for leakage / loss of customer data during a screen scraped session used by a third party (vs. customer)? In fact, is it even technologically possible to determine whether a screen-scraped session is used by first party (i.e. customer) or third party (i.e. fintech / bank)?

Arturo González Mac Dowell - Eurobits Technologies - Madrid | 17 May, 2017, 17:07

The objective of PSD2 is to promote competition and transparency in financial services across the EU, following the guiding principles of business model and technology neutrality and promoting a level playing field.

It would be the first time in history that competition is promoted by banning the way new entrants in a market do business. It would also not be business and technology neutral to ban a specific technology. In addition, according to European law a level 2 legal text cannot amend a level 1 text, which is what the last EBA draft was doing.

@ketharam according to PSD2 TPPs have to identify themselves towards the banks with an electronic certificate. It is a piece of cake for banks to set up mutual certificate authentication. Regarding identification of a screen scraping session, it is relatively easy if it is done in large numbers.

@Russell I agree good APIs are better than screen scraping. The only way to have good APIs is via competition with screen scraping, otherwise the incentive is not there.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 17 May, 2017, 17:17

@ArturoGonzálezMacDowell:

Very well then, fintech should set up "mutual certificate authentication" for banks, allow banks to screen scrape fintech apps, show banks how easy it is to identify banks accessing each screen-scraped session. Since fintech prides itself on agility vis-a-vis banks, fintech should be able to do all this in no time, thereby not threatening PSD2 timescales.

Ralf Ohlhausen - PPRO Financial Ltd - London | 19 May, 2017, 16:38

Banks are already screen scraping themselves and others - heavily! If the RTS is amended accordingly, they will be able to continue, including PSD2-licensed fintechs that qualify as an ASPSP.

This video is not jaunty, but scandalous. Portraying soon-to-be-licensed fintechs as cybercriminals is a disgrace. And it is confusing screen scraping with impersonation, and actually calling to ban that, which no one is contesting. That is beating a dead horse.

What they forget to say is that it is the banks themselves that do not want to allow fintechs to identify themselves when using their customer-facing online banking interface, because that is the only way they can refuse their access - according to the latest RTS draft.

This is what really has to change to stop impersonation and limit Direct Access to licensed, supervised and audited fintechs only - and keep the criminals away!

Arjeh Van Oijen - IBM GBS - Amsterdam | 30 May, 2017, 17:00

Many banks in Europe already use a 2-factor authentication and if not, need to have it implemented when RTS comes into force. This makes screen scraping a very (end-)user unfriendly exercise. It is not possible anymore to leave a userid/password with TPP as 2FA requires an action from the end-user with a specific device that only the end-user has access to. This means that each time a payment is initiated or account info is retrieved through screen scraping an action by the end user is required. And this is different per bank. I can't imagine why Fintechs want this and how this is going to differentiate them from the banks.

The (final draft) RTS states that the APIs of the banks need to match the functionality and service levels that the banks offer to the end user via their own channels. With this the APIs should at least give Fintechs the same level of access as screen scraping does. This makes me wonder why Fintechs believe that they are better off with screen scraping than with APIs.

The question may be raised what authority will be assigned to take what measures if a bank does not meet that RTS rule. Possibly this is defined in the transition of PSD2 into the local jurisdiction of the concerning countries. The discussion could be closed if everything was not left that much in the open, but the APIs that banks must implement are clearly specified, as is the case with a comparable initiative in India, UPI.
