The bank Vs FinTech screen scraping argument just got worse as the EBA (European Banking Authority) rejected an amendment to the Payment Services Directive (PSD2) proposed by the European Commission designed to allow the continuation of screen scraping.
The EBA voiced its discontent at the EC’s intention to tweak the EBA’s draft Regulatory Technical Standards (RTS). “The EBA … is of the view that the suggested changes would negatively impact the fine trade-off previously found by the EBA in achieving the various competing objectives of the PSD2.”
The EBA’s first draft report, published February 2017 after 18 months of intensive policy development work and consultation with the different payment market players, raised objections to the implementation of cumbersome customer authentication standards.
This RTS also set out to outlaw screen scraping in favour of bank-led access to client data under APIs. This means that banks can deny this type of “direct access” through their front door, if they are providing another “indirect access” possibility via their back door through APIs.
A coalition of 62 mature FinTechs claimed that the reforms will provide banks with the means to control what data is shared, putting new entrants at a disadvantage. To this, the EC responded by asking the EBA to hold screen scraping in reverse as a back-up mechanism in case bank interfaces fail to function properly. The European Banking Federation (EBF) had argued that privacy of client data, cybersecurity and innovation are all at risk if EBA standards are dismissed and screen scraping continues, and consequently asked the EC to support it.
Banks, on the other hand, claim that these changes don’t address the burden of compliance and may threaten the privacy of client data, cybersecurity and innovation. The EBA argued that such a proposal would “harm the development of electronic payment services” while hindering the protection of customer privacy.
In response, the regulator stated: “The EBA is of the view that imposing such a fallback requirement would go beyond the legal mandate given to the EBA under Article 97 PSD2. The EBA is also sceptical about the extent to which the proposed amendment would achieve the desired objectives and efficiently address market concerns. Indeed, the EBA has identified a number of risks that would arise were PSPs to implement the Commission’s proposal.”
The result of this back and forth is a compromise, in which rigorous checks and balances on bank APIs would be carried out, alongside checking minimum performance and availability standards, lifting the burden of providing a screen-scraping fall back from compliant banks.