The Screen Scrape Debate will not Abate
By Judith E. Rinearson, Rizwan Qayyum
The debate surrounding “screen-scraping” continues as Member States of the European Union prepare for the impending Second Payment Services Directive (“PSD2”). Screen scraping is the practice in which third-party Payment Initiation Service Providers (“PISPs”) and Account Information Service Providers (“AISPs”) are granted access to a client’s bank accounts by using the client’s own login credentials to perform a service. As heralded in our discussion in July identifying the problem, the European Banking Authority (“EBA”) maintained its stance of outlawing the practice in the final draft Regulatory Technical Standards (“RTS”) on secure communication and Strong Customer Authentication (“SCA”). Consistent industry pressure has since led the European Commission (“EC”) to request that the EBA permit AISPs and PISPs to utilise screen scraping as a “fallback option”.
The Fast IDentity Online (“FIDO”) Alliance, a consortium of over 250 organisations collaborating on and developing industry best practices in online authentication, recently wrote to the EC on the key issues, suggesting that endorsing screen scraping as a “fallback” is problematic and not acceptable. The lead concern is security. PSD2 and the General Data Protection Regulation (“GDPR”) are consistent in their emphasis on security, and the very idea of permitting consumers to hand their credentials to a third party is inconsistent with the principles of both PSD2 and the GDPR (the GDPR is due to be implemented by Member States in May 2018). In addition, PSD2’s requirement for Application Programming Interfaces (“APIs”) already gives those third parties the same access via the consumer’s bank, without the consumer’s credentials changing hands; it is argued that such an API is the most efficient method of access.
Brett McDowell, executive director of the FIDO Alliance commented: “We do not see any way in which the screen scraping approach requested by the EC can be implemented to the level of enhanced security called for in PSD2…. Sharing passwords is simply a bad practice from a security perspective.”
FIDO instead proposes that banks be given more time to comply with the new regulations. A response from the EBA is expected shortly. We will continue to monitor these developments.