The EBA is wrong about screen scraping (Part 1)
On 23 February, the European Banking Authority (EBA) announced its intention to outlaw “screen scraping”.
Screen scraping sounds sinister. In fact, it simply refers to the practice of automating any internet browsing interaction, in this case with a bank, using the bank’s existing, direct customer user interface (online banking) with the customer’s permission. Therefore, let me instead call it “permitted automated direct access”, which describes it better and is less derogatory.
The EBA suggests that banks can deny this type of “direct access” through their front door if they provide another “indirect access” possibility at their back door, via a new API that has yet to be developed. Customers, the argument goes, are being trained to enter their online banking credentials into third-party websites, and banks do not have adequate oversight of who is accessing their customers’ data.
Infantilising the consumer
The problem here is that we’re engaging with perception rather than dealing with substance. Consumers who share their login credentials with a PSD2-licensed fintech company are making an informed decision. They have complete control — and oversight — over who accesses that data. And that’s the crucial point: the consumer is in control, not the bank and not the fintech. And that’s exactly as it should be.
Of course, consumers must be protected against malicious “phishing attempts”, which is what the PSD2 security elements mentioned below are all about, but that applies to bank and fintech websites in the same way and also independently of using front or back doors.
Sharing login details between reputable financial-services companies that are subject to a competent financial regulator (for instance, the FCA in the UK or BaFin in Germany) is perfectly secure. Such companies are regularly audited and must, by law, take all necessary technical, legal, and procedural steps to protect consumer data. This absolutely includes login details, but it also includes the actual financial data itself. If they make a mistake, they are liable for providing restitution — so you can bet your bottom dollar that they are serious about not making mistakes.
As a matter of fact, the new General Data Protection Regulation (GDPR) stipulates that consumers shall be enabled to access all their data, retrieve it and share it – or not – depending on their explicit consent. The only feasible technology for achieving this is the permitted automated direct access of the consumer’s data via the very same interface they use manually – and this does not just apply to banks, but also to insurers, telecoms, social media sites and any other company storing data on behalf of its customers.
What’s more, European data-protection laws also demand proportionality in how data is collected and used. The customer’s consent only covers data strictly necessary to the job with which he or she has tasked the company. In the US, there has been some concern that screen scraping might give financial-services companies ongoing access, allowing them to harvest a broad range of data from customer accounts. In Europe, this just isn’t possible.
On the contrary, PSD2 stipulates the use of Strong Customer Authentication (SCA) to prevent the potential misuse of static login data by requiring a second factor, e.g. a one-time password, to authorise any particular transaction. It also stipulates that licensed fintechs have to properly identify themselves to the banks. The rumour that this would not be possible with direct access is simply not true – fake news! The certificate approach suggested by the RTS can be used equally well for direct or indirect access.