As the U.S. currently assesses the Financial Choice Act and other changes to its payments laws, it's helpful to consider the approach taken in Europe. There, European regulators, banks, and third-party payment providers are all in the midst of a struggle regarding access to data and screen scraping. Here is what's happening.
The European Commission proposed legislation known as the Payment Services Directive II (PSD2) in the summer of 2013. All member states are expected to have PSD2 implemented into national law by January 13, 2018. PSD2’s main objectives are ensuring a stronger focus on consumer protection, continuing to allow safer payments, and encouraging a culture of innovation.
One result of PSD2 is that it will open the door for additional licensed non-bank entities in the EU, and it appears that these new entrants may have triggered a battle about screen scraping. Screen scraping is the process of collecting screen display data from one application and transferring it so that another application is able to display it. This process is used by non-bank third-party service providers to access bank account data on behalf of a customer using that customer's access credentials. Essentially, customers provide account login credentials to the third parties, who in turn use the credentials to collect their customers' screen data (hence "screen scraping") regarding their financial activity. The third-party service providers access the data using their customers’ identification and therefore do not have to provide their own identification to the bank or financial institution involved. This access to customer screen data is used to facilitate real-time payments and provides the ability to offer new financial products and services.
Of course, screen scraping is not the only method a third party can use to access customer account data. PSD2 also implements a process for allowing third parties to access customer financial information via an application programming interface (API).
From both the banks' and the regulators' perspective, data access via an API is far preferable to screen scraping as a way to allow access to consumer financial data. For one thing, it provides information to the banks and financial institutions as to who is accessing the data, when, and how. Given that under PSD2, account information service providers (AISPs) and payment initiation service providers (PISPs) are also subject to licensing and regulation, concerns about the use of screen scraping have increased.
To the surprise of many EU-based third-party service providers, EU banks and regulators have suggested that upon implementation of PSD2, all screen scraping should be abolished. In February, the European Banking Authority (EBA), which was tasked with the job of establishing technical standards, released the final Regulatory Technical Standards (RTS) on secure communication and strong customer authentication. In the notes accompanying the RTS, the EBA seemed to indicate that the abolition of screen scraping was already a done deal, and that the practice would no longer be permitted once PSD2’s transition period has elapsed:
“The EBA also reflected on a number of respondents expressing confusion and concern with regard to the communication between ASPSPs, AISPs and PISPs. Having assessed these comments, the EBA has decided to maintain the obligation for the ASPSPs to offer at least one interface for AISPs and PISPs for access to payment account information. The EBA has done so having consulted with the European Commission on the interpretation of the Directive, in that the existing practice of third-party access without identification referred to by a few respondents as ‘screen scraping’ or, mistakenly, as ‘direct access’ will no longer be allowed once the transition period under Article 115(4) PSD2 has elapsed and the RTS apply.”
“After consulting with the Commission on the most plausible interpretation of the Directive, the EBA is of the view that accessing accounts through screen scraping will no longer be allowed, once the transitional period comes to an end, on the basis of a number of provisions under PSD2.”
Battle lines are being drawn. Leading FinTech firms argue that without the use of screen scraping, critical elements of the payment initiation business model will be negatively impacted, notably the guarantee that payments will be executed in real time. Some firms also point to Article 66 of PSD2 in support of screen scraping; it notes that banks must be in a position to “provide or make available….all information accessible to the bank regarding the execution of the payment transaction” and that the provision of this service cannot be “dependent on the existence of a contractual relationship.”
In May 2017, a coalition of 60 payment industry stakeholders published a manifesto urging authorities to abandon the proposed ban on screen scraping, arguing that it would give banks a competitive advantage and is contrary to the essence of PSD2's goals of enhancing competition, fostering innovation, and providing greater choice for consumers. The manifesto argues that by prohibiting screen scraping, banks are effectively being positioned as “gatekeepers of the FinTech sector,” allowing the banks to dictate which companies will progress and to hamper new entrants in the marketplace.
On the other hand, the European Banking Federation (EBF), a banking lobbying organization, argues that APIs provide greater protection for consumers and that permitting screen scraping may have a negative impact on innovation within the payments industry.
Is there a middle ground? There may be. There is currently an industry effort, among banks and FinTechs, to actively engage in developing common processes and standards. In 2016, the UK’s Competition and Markets Authority launched an “Open Banking” initiative to co-exist alongside the aims of PSD2 and to encourage banks to provide a secure platform for sharing data while at the same time providing an alternative direct access platform.
Significant uncertainty and conflicting goals remain as regulators, banks and FinTechs consider future options. In May 2017, European Commission Vice President Dombrovskis asked the EBA to reconsider the proposed ban, in order to safeguard access for FinTechs and create a level playing field. A response is expected soon. More recently, in June 2017, the EBA refused to back down on banning screen scraping, saying that the European Commission’s proposal to allow some screen scraping as a back-up would not comply with PSD2. We will monitor these developments as they evolve.