PSD2 and Screen Scraping: Adjusting to a New Reality

Posted January 22, 2018

Recently put into force throughout the European Union, the Revised Payment Services Directive 2 (PSD2) just might be the most disruptive payments law ever devised.

But, aside from launching a new era in open banking, PSD2 also takes on a controversial topic that has been a friend to FinTechs and a bane to established banking giants – screen scraping.

To Scrape or Not to Scrape

Screen scraping is a practice in which third-party providers access user account information from HTML forms and use it for their own purposes. It has already been the subject of heavy litigation in Europe, since the process was considered contrary to the banks’ general terms and conditions.

Under PSD2, it may also be moot. That’s because, while screen scraping is prohibited under the directive, banks are required to grant third parties access to customer data via specific, dedicated interfaces. While many FinTech companies are skeptical banks will provide high-quality access, by rule, these new dedicated interfaces must not be discriminatory, and any rejection of access must be justified.

The catch for FinTechs: Data provided via such interfaces can only be used by the third party in relation to the specific service at hand, i.e., payment initiation or account information. Also, third-party PSPs will now be regulated entities and need to comply with respective security requirements.

Even though PSD2 was put into force last week, the ban on screen scraping won’t go into effect until September 2019, according to a timetable provided by the European Commission. The delay is causing some consternation among member states trying to decide if they will enforce the ban immediately.

Case in point: the Polish Financial Supervision Authority (KNF), which recently published a statement about this delay. However, it fails to address whether screen scraping will be allowed in Poland during this time, as suggested by the EBA in its December opinion.

On the Brink

For a time, screen scraping seemed to be on the verge of getting a reprieve, as the European Commission proposed an amendment to allow the practice to continue.

The FIDO Alliance, the world’s largest ecosystem for standards-based, interoperable authentication, took issue with this, as it considers the process insecure.

Opponents of the process agree, claiming that screen scraping puts the customer at risk, because the customer has to expose a secret bank password in order to use a third-party service. While there are no known hacks related to screen scraping, the risks for fraud are mounting. And the data backs this up.

During the past few years, the rates of identity and account fraud as well as cybercrime have soared around the world. According to our Cybercrime Report 2017, there were more than 700 million global cyberattacks. More than one in nine new account creations in the Network is now fraudulent. And the number of account takeover attacks has grown 210 percent in three years.

But screen scraping startups in Australia argue that the process is safe. They claim that the security assurance and accreditation processes of the professional cloud-hosting providers used by the scraping companies, such as Amazon Web Services and Microsoft Azure, are stronger than those of most individual financial institutions.

However, all of these arguments became moot when that proposal was rejected by the European Banking Authority this past June.

A New Normal

FinTechs might be worried about their ability to access customer information without screen scraping. But they shouldn’t be. As we have seen countless times before, when a new technology first comes about, people are uncertain of it, as the vision of how it will be adopted into everyday life is often missing. But over time, those apprehensions diminish and a new reality is born.

In the end, FinTechs and others will incorporate this new reality into their daily existence, and this issue will fade into memory. So, instead of worrying about the inevitable, these newcomers should really focus their attention on the innovative services they’re delivering to appeal to today’s digital consumer—and befuddling the industry giants.

To learn more about what PSD2’s new phase means to your business, download our exclusive white paper – PSD2: Revolutionizing the Payments Landscape.

Alisdair Faulkner

Chief Products Officer, ThreatMetrix
