The hottest debate bubbling up in the payments industry is the debate on how the Regulatory Technical Standards (RTS) on Strong Customer Authentication and Common and Secure Communication should best address access to customer bank accounts for Account Information Services (AIS) and Payment Initiation Services (PIS). This debate is perceived as being between the banking sector on the one hand and a subsection of the Fintech industry on the other. In fact, multiple actors share the banking sector's point of view.
Banking industry voices have argued that access to customer bank accounts should be supported by dedicated interfaces, and that access via practices such as screen scraping should be prohibited. This stance of the banks has been supported since the beginning by the European Banking Authority, the competent authority for the development of the draft Regulatory Technical Standards. As per their mandate, EBA has delivered the draft RTS, and the European Commission has proposed to make some amendments to the draft RTS. The most significant proposed change is the introduction of a fall-back option in case the dedicated interface is not working properly – and this fall-back option should be based on the customer interface, which basically means falling back to an upgraded form of screen-scraping. EBA has reacted via an opinion on this proposed amendment, basically reiterating their position against screen scraping. It is now up to the Commission to come up with a final text.
The European banking sector has, since the inception of PSD2, advocated against the practice of screen scraping. The industry sees screen scraping as the wrong answer to consumer privacy and security, and as jeopardising innovation, certainty, a level playing field and proportionality.
As even admitted by the European Commission, the use of screen scraping triggers, in particular, data protection risks. Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) would continue to access all online banking data of the customer, and view the very same data that the customer is able to view when accessing the online banking site himself. This access goes much further than the data that AISPs and PISPs actually need for their services. More importantly, the access generally goes beyond what the customer thinks he has agreed to when making use of the AISP and PISP services.
In fact, this means that Third-Party Providers (TPPs) will have access to all data that is visible to the customer when he accesses his internet banking application. Data can be collected on a laundry list of accounts such as: current and savings accounts, insurance, loans or mortgages taken out, investment and credit card accounts, joint current accounts and accounts on which the customer has a mandate – think of accounts of children, parents, companies, associations and related products – pension accounts and all their related balances. Contrary to what data protection rules would mandate, TPPs will have this access without the bank having had the opportunity to ask its customers for their consent and to check that it was given.
This opens a can of worms when it comes to risk, which the PSD2 framework hopes to contain. The directive requires that banks put in place a communication channel that allows AISPs and PISPs to access the data that they need in accordance with PSD2, and it requires banks, AISPs and PISPs to identify themselves when accessing these data.
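To make the contrast concrete, here is an added illustration (not code from the article, the EBA or any bank) of the two channels the preceding paragraphs describe: screen scraping replays the customer's own login against the customer interface and receives everything the customer can see, while a dedicated interface requires the TPP to identify itself, checks a consent the customer granted to that TPP for a specific scope and set of accounts, and releases only that. Every customer, TPP identifier, account and password in it is constructed, and the `licensed_tpps` set stands in for the register or certificate check a real bank would perform.

```python
# Added illustration, not code from the article: a toy model of the two access
# channels it contrasts. All customers, TPP ids, accounts and passwords are constructed.
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    kind: str       # current, savings, mortgage, insurance, credit_card, pension, ...
    holder: str     # customer who sees the account in online banking (incl. mandates)
    balance: float


@dataclass
class Consent:
    customer_id: str
    tpp_id: str
    scopes: frozenset       # e.g. {"ais:balances", "ais:transactions", "pis:initiate"}
    account_ids: frozenset  # accounts the customer explicitly agreed to share
    valid_until: str        # ISO date; ISO date strings compare correctly as text


@dataclass
class Bank:
    credentials: dict       # customer_id -> password (constructed sample)
    accounts: list
    licensed_tpps: set      # stand-in for a register / certificate check of the TPP
    consents: list
    audit_log: list = field(default_factory=list)

    def customer_interface_login(self, user, password):
        """Online-banking login. A screen-scraping TPP replays the customer's
        credentials here, so the bank records the customer, not the TPP."""
        if self.credentials.get(user) != password:
            raise PermissionError("bad credentials")
        visible = [a for a in self.accounts if a.holder == user]
        self.audit_log.append({"channel": "customer_interface", "actor": user,
                               "records": len(visible)})
        return visible

    def dedicated_interface(self, tpp_id, customer_id, scope, account_ids, today):
        """Dedicated (API-style) access: identify the TPP, require a valid consent
        for this customer/TPP/scope, and release only the consented accounts."""
        if tpp_id not in self.licensed_tpps:
            raise PermissionError(f"unidentified or unlicensed TPP: {tpp_id}")
        consent = next((c for c in self.consents
                        if c.customer_id == customer_id and c.tpp_id == tpp_id
                        and scope in c.scopes and c.valid_until >= today), None)
        if consent is None:
            raise PermissionError("no valid consent for this TPP and scope")
        outside = set(account_ids) - consent.account_ids
        if outside:
            raise PermissionError(f"accounts outside consent: {sorted(outside)}")
        released = [a for a in self.accounts if a.account_id in account_ids]
        self.audit_log.append({"channel": "dedicated_interface", "actor": tpp_id,
                               "customer": customer_id, "scope": scope,
                               "records": len(released)})
        return released


def build_sample_bank():
    """Constructed sample: one customer whose online banking shows seven products,
    and one consent limiting a budgeting app to balances of two payment accounts."""
    accounts = [
        Account("CUR-1", "current", "alice", 1200.0),
        Account("SAV-1", "savings", "alice", 8000.0),
        Account("LOAN-1", "mortgage", "alice", -150000.0),
        Account("INS-1", "insurance", "alice", 0.0),
        Account("CC-1", "credit_card", "alice", -320.0),
        Account("CUR-KID", "current", "alice", 50.0),   # child's account under mandate
        Account("PEN-1", "pension", "alice", 42000.0),
    ]
    consents = [Consent("alice", "TPP-budget-app", frozenset({"ais:balances"}),
                        frozenset({"CUR-1", "SAV-1"}), "2018-06-30")]
    return Bank({"alice": "s3cret-example"}, accounts, {"TPP-budget-app"}, consents)


def screen_scrape(bank):
    """What a screen-scraping TPP obtains: the whole online-banking view,
    whatever the service actually needs, and no TPP identity reaches the bank."""
    return bank.customer_interface_login("alice", "s3cret-example")


def api_access(bank, tpp_id="TPP-budget-app", scope="ais:balances",
               account_ids=("CUR-1", "SAV-1"), today="2018-01-15"):
    """The same budgeting service through the dedicated interface."""
    return bank.dedicated_interface(tpp_id, "alice", scope, set(account_ids), today)


def denied(fn, *args, **kwargs):
    """True if the access attempt is refused with PermissionError."""
    try:
        fn(*args, **kwargs)
        return False
    except PermissionError:
        return True
```

Running `screen_scrape(build_sample_bank())` returns all seven records, including the mortgage, insurance, pension and the child's mandate account, whereas `api_access(build_sample_bank())` returns only the two consented current and savings accounts, and any request from an unlisted TPP, for a scope or account outside the consent, or after the consent has expired is refused. The audit log shows the second point the article makes: under screen scraping the bank's own records name the customer as the actor, so the bank cannot tell a TPP session from the customer's and has nothing to check a consent against; the dedicated interface records the TPP, the customer and the scope on every access.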
However, by introducing the fall-back option (or “spare wheel option”, as the Commission calls it), the European Commission gives rise again to its own concerns. The fall-back option can be considered the same as mandating that a secure vault be equipped with an easy-to-open security door for cases where the secure front door is not working properly. In addition, the easy-access door is highly expensive to install and maintain and will duplicate the access cost for the vault owner. It goes without saying that this is not acceptable and that this is in fact one step back.
Also, the unintended side effect of the fall-back option is that consumers will get used to sharing their credentials with third parties, a bad habit to develop in a world where cybercriminals target consumers to snatch their credentials. This will put customers at significant risk and make them more vulnerable to fraud.
The banking industry is not alone in advocating this position. Consumer organisation BEUC has also taken a strong position against screen scraping. In its letter to the European Commission, BEUC states that “we are against what is now denominated as ‘screen scraping’. The consumer would have to give the third party their security credentials while the third party would have access to data which is not necessary for the service it is providing. On this point, we share the concerns of the banking sector. In the explanatory document of the draft RTS published on 23 February, EBA states that ‘screen scraping’ should not be allowed”. Consumers and the industry share the same position; policymakers should listen and act.
Not surprisingly, the EBA is also strongly opposed to the fall-back solution as proposed by the Commission, on multiple fronts, as stated in its latest opinion: the fall-back solution “increases cost, fragmentation compromising the development of APIs, provides a competitive disadvantage to new entrants, a lack of improved technical reliability, incompatibility with PSD2’s security requirements, supervisory constraints, and unclear consumer understanding and consent”.
The way forward is clear. Use dedicated interfaces using standard market practices based on Application Programming Interfaces (APIs). APIs are already widely used by all internet actors like Amazon, Google, Facebook as they allow computers to talk to each other without any barrier. Access to payment accounts, as foreseen by the PSD2, will be no exception, as APIs are based on open standards, open to all actors without discrimination and are recognised as the safest environment to date.
Despite the possibility of using APIs, debate swirls. Some actors, claiming to represent the whole Fintech sector, still argue in favour of screen scraping. If we take a closer look, however, the Fintech sector seems to be a house divided. On the one hand there are the “new” Fintech companies who call for a “fair” level playing field, backing modern technologies such as APIs, as that will facilitate their market entrance. Then there are the not-so-new “legacy” Fintech companies, whose businesses are based on old-fashioned technologies such as screen scraping. Unfortunately the latter group seems to plead its case louder than the former.
In order to take the concerns of incumbent TPPs into account and ensure their business continuity, the EBA, together with all national central banks, has, in its recent opinion, proposed a couple of requirements that banks should comply with. There is a requirement for banks to define transparent key performance indicators that they should abide by, and these should at least have the same service level targets as for the customer interface, namely availability and quality. There is also a requirement for banks to monitor and publish their availability and performance data on a quarterly basis. There is a requirement to make the interfaces available for testing at least three months before the entry into force of the RTS; and there is a review of the functioning of the interfaces as part of the review planned for 18 months after the application of the RTS, to ensure that information access and sharing work as intended.
Banks are already directly and indirectly elbows deep in standardisation work to come to an open, common and harmonised European API standard to enable TPPs to access bank accounts. For example, the Berlin Group announced the creation of such a standard, in preparation for consultation with the market in Q3 2017. The aim of the initiative is to support TPPs in delivering innovative solutions to customers, using modern APIs, which permit access to bank accounts while keeping data safe. In a unique partnership, participants in the Berlin Group are working together with the common vision that open and harmonised interface standards for processes, data and infrastructures are the necessary building blocks of an open, interoperable market.
Even if the additional requirements as proposed by the EBA create significantly more burden on banks, the banking industry would be willing to back them, as it would mean a clear choice in favour of APIs, which they see as the best path forward to ensure fair competition between incumbent and new TPPs. The requirements would also offer a secure environment and empower consumers to decide the amount of data they are ready to share with anyone, in line with the provisions of the GDPR.
Imposing an upgraded form of screen scraping contradicts all of these objectives and should be rejected. By rejecting it, consumers would be better protected, innovation would be on better footing and security would be less fraught. That is why those in the banking industry, with the support of consumer organisations and new Fintech companies, call upon the policymakers to go along the lines proposed by the EBA in its latest opinion and to stay away from the fall-back solution. ‘Legacy’ Fintech companies must start to understand that the Stone Age didn’t end because the world was running out of stones. It was just time to move on.
It’s time for ‘legacy’ Fintech firms to leave their caves and start adopting modern technology.