What is Screen Scraping, the EU GDPR, its ban under PSD2, and why should we care?
22 May
The revised Payment Services Directive (PSD2) is set to be implemented in January 2018. It will change retail banking as we know it, removing many of the monopolies that banks have held until now.
The PSD2 aims to establish the legal framework for the development and supply of payment services in the EU for years to come, including the conflict-ridden relationship between established payment service providers and the new Internet-based and mobile-based disruptors. It introduces a number of new market players, such as payment initiation service providers and account information service providers, and revises the regulation of known structures such as limited networks. A number of other areas, not least IT security, have been changed and made stricter. The legislation is still evolving, but the outlines of the PSD2 have now become clear.
One of the issues that the PSD2 will address is Screen Scraping: the process of collecting the data that one application displays on screen in order to present it through the display of another application. For example, suppose a company wants to build a mobile app or a new interface that gives its users access to their bank account. It can use screen scraping software that collects data from the bank’s interface, translates it into its own, and then provides a better interface with the same inputs and outputs of data. This sounds sinister, and it is potentially hazardous for the protection of client data if the technology is used maliciously; however, there are many legitimate reasons to use screen scraping, provided it is used with the consent of the end consumer. Screen scraping can be used by third-party fintech companies, and by the banks themselves, to create interfaces that provide direct, automated access to one’s accounts. As such, with the customer’s permission, screen scraping can automate access to their online services through the front door, without having to build dedicated back-door access software, which can be costly and time-consuming.
What is the argument against it?
The problem arises when clients are trained to trust third-party software to collect and use their data, while banks do not have adequate systems and controls to check each and every third party that offers its own interface for accessing a bank account. Whether that is an issue that merits regulatory intervention is a point of contention.
PSD2 bans Screen Scraping(?)
Because of the possible issues arising from malevolent use of this technology, in February this year the European Banking Authority announced its intention to outlaw the practice in one of the Regulatory Technical Standards that complement the PSD2. This is still under discussion, as the Technical Standards can change before implementation; however, on May 18th the European Banking Federation officially asked the EU Commission to support and impose the ban, following a manifesto by 65 European fintech companies asking that it not outlaw “the only functioning technology used for bank-independent payment initiation services”.
Many fintech companies rely on screen scraping to offer legitimate products that provide an arguably better service than what a bank’s in-house IT team would have offered. Furthermore, under PSD2 a fintech firm can become regulated to offer Electronic Money (EM) services, at which point the customer makes an informed decision to trust that company with their data. Being regulated under the new PSD2 regime should also be the strongest counter-argument to those who believe screen scraping should be banned to protect the end consumer from phishing attempts.
It is argued that consumers should be allowed to give their consent for reputable and regulated entities to share their login details. For example, a fintech regulated as a Payment or Electronic Money Institution within the EU could, with its client’s consent, share the client’s login details with their banking institution, again within the EU; and the consumer’s prerogative to share their own information is one of the main stipulations of the upcoming EU General Data Protection Regulation (GDPR).
The only way that this stipulation of the GDPR can be implemented is by permitting automated direct access to the consumer’s data between the various institutions and interfaces – in other words, screen scraping. The GDPR also addresses the remaining concern, namely the retrieval of data beyond what the client has consented to, making it illegal to harvest data under limited consent.
Should we care?
We should care, but this is a three-sided argument, so whether to root for or against this change depends on which side of the argument you are on.
From a bank’s and a regulator’s perspective, banning screen scraping altogether makes it much easier to implement the systems and controls that would hinder the unauthorised collection and distribution of client data among third parties. It would give banks the final say on who can gain access to their back-door API, giving them assurance that their client data is secure.
From a fintech perspective, the ban would hinder innovation and technological advancement. There has been a tremendous increase in demand for innovative online payment services and for financial products delivered through new and emerging electronic platforms. Demand for such services is expected to grow rapidly with the influx of tech-savvy consumers of financial products, as late Millennials and early Generation Z customers enter the market. Moreover, being beholden to the banks’ discretion in granting access to their back-door APIs introduces another massive barrier to newcomers and even to established fintech EMIs. Banks might also lack the incentive to change their own APIs to accommodate new technologies created by the fintech sector, in theory delaying innovation.
Lastly, from a consumer’s perspective the arguments can go either way, but with the introduction of the GDPR most arguments about the safety and control of data go out the window, leaving only the argument that any hindrance to development is unwelcome. The ban is seen as an anticompetitive rule, quite removed from the EU’s clear intention of promoting competition and innovation.
The world economy is slowly emerging from a devastating and crippling recession that left the Financial Services Sector at probably its lowest point in consumer confidence since the Great Depression. Most regulations introduced since 2008 were aimed at exactly this: increasing confidence in the sector by ensuring consumer protection. We therefore see a global movement by regulators towards greater risk-aversion, strict compliance enforcement, and limiting or sometimes outright banning products and practices that are seen as risky for retail clients and investors (see the Dodd-Frank Act, for example). In this sense, banning a potentially risky practice might seem the right thing to do; but in the context of upcoming data protection regulation and the licensing required to offer these products, it seems counter-intuitive in an era deemed ‘the age of the fintech’.
What should probably be required of the sector, instead of banning the practice, is to raise awareness of the dangers of trusting unregulated entities, to educate clients, and to increase the disclosures that all entities make to their clients on where and how their data is used, all of which are matters the GDPR introduces. Time will show how PSD2 affects the fintech sector; what we do know is that it will completely change the way we bank.
The European Institute of Management and Finance (EIMF) is offering a specialist full-day course on PSD2 with experts from Paul Hastings in London.