
The EBA is wrong about screen scraping — and it’s going to hurt European fintech!

23.03.2017

On 23 February, the European Banking Authority (EBA) announced its intention to outlaw “screen scraping” in one of its Regulatory Technical Standards (RTS) complementing the revised Payment Services Directive (PSD2), set to come into force in January 2018. Screen scraping sounds sinister. In fact, it simply refers to the practice of automating any internet browsing interaction, in this case with a bank, using the bank’s existing, direct customer user interface (online banking) with the customer’s permission. Therefore, let me rather call it “permitted automated direct access”, which describes it better and is less derogatory.

The EBA suggests that banks can deny this type of “direct access” through their front door if they provide another, “indirect access” possibility via a new, yet-to-be-developed API at their back door. Customers, the argument goes, are being trained to enter their online banking credentials into third-party websites, and banks do not have adequate oversight of who is accessing their customers’ data.

Infantilising the consumer

The problem here is that we’re engaging with perception rather than dealing with substance. Consumers who share their login credentials with a PSD2-licensed fintech company are making an informed decision. They have complete control — and oversight — over who accesses that data. And that’s the crucial point: the consumer is in control, not the bank and not the fintech. And that’s exactly as it should be.

Of course, consumers must be protected against malicious “phishing attempts”, which is what the PSD2 security elements mentioned below are all about, but that applies to bank and fintech websites in the same way and also independently of using front or back doors.

Sharing login details between reputable financial services companies, subject to a competent financial regulator (for instance, the FCA in the UK or the BaFin in Germany) is perfectly secure. Such companies are regularly audited and must, by law, take all necessary technical, legal, and procedural steps to protect consumer data. This absolutely includes login details, but also includes the actual financial data itself. If they make a mistake, they are liable for providing restitution — so you can bet your bottom dollar that they are serious about not making mistakes.

As a matter of fact, the new General Data Protection Regulation (GDPR) stipulates that consumers shall be enabled to access all their data, retrieve it and share it – or not – depending on their explicit consent. The only feasible technology for achieving this is the permitted automated direct access of the consumer’s data via the very same interface they are using manually – and this does not just apply to banks, but also insurances, telecoms, social media sites and any other company storing data on behalf of their customers.

What’s more, European data-protection laws also demand proportionality in how data is collected and used. The customer’s consent only covers data strictly necessary to the job with which he or she has tasked the company. In the US, there has been some concern that screen scraping might give financial-service companies ongoing access, allowing them to harvest a broad range of data from customer accounts. In Europe, this just isn’t possible.

To the contrary, PSD2 stipulates the use of Strong Customer Authentication (SCA) to disable the potential misuse of static login data by requiring a second factor, e.g. a one-time password, to authorise any particular transaction. It also stipulates that licensed fintechs have to properly identify themselves to the banks. The rumour that this would not be possible with direct access is simply not true – fake news! The certificate approach suggested by the RTS can be used equally well for direct or indirect access.

The danger in getting this wrong

Globally, fintech — particularly in the payments industry — is at a crucial stage in its development. E/M-commerce is booming. Volumes are expected to grow exponentially over the next few years. This is driving a rapidly growing demand for innovative online payment and financial products. So far, Europe has been one of the main beneficiaries of this development.

Two key planks of this success have been European fintech’s ability to innovate and its ability to provide a good customer experience. The ban on permitted direct access to customer data puts both at risk. If fintechs must always go through the bank’s back door API, they are essentially beholden to the banks, which could then “control the innovation” – that’s like letting the fox guard the henhouse. If the development of a bank’s API lags behind changes to the way its accounts are structured or the way its online banking works, then EU fintechs — and ultimately consumers — will be at a disadvantage.

At the same time, permitted direct access is the easiest and quickest way for a consumer to get started with a new financial provider. The vast majority of them are using this type of access today – including banks by the way! By forcing the consumer to take a more complicated route to sharing his or her data, the EBA would bring existing competition to a halt and make the customer experience less seamless. This will hurt not just such new providers, but also the conversion rates of many merchants.

The only way to motivate banks to provide and sustain an equally good – or even better – indirect (API) access than what they offer their customers directly is the following: leave the decision about which one to use to the consumer and their chosen fintech. Leaving it to the banks instead and then hoping for a level playing field by regulating and trying to enforce things like “functionality”, “availability” and “performance” levels of APIs will just create endless arguments and disputes between the parties, make the courts even busier and turn lawyers – not consumers – into the real beneficiaries of PSD2.

Driving competition into financial services by banning direct access is like promoting electric cars without allowing them onto public streets. Imagine where telecoms, electricity and railway competition would be today if incumbents had been allowed to keep their access infrastructure exclusively for themselves and lay new wires, power lines and rail tracks for their competitors to use! Banks can always be a big step ahead if competition is forced to use their (API) back entrance instead of their shiny (online banking) front door.

Some banks will want to provide great APIs to attract many fintechs around them and create a whole ecosystem, similar to what Apple and Google achieved with their app stores. Some others – probably the majority I would guess – will prefer to do nothing and save their money and scarce tech resources for more burning problems. The remaining banks in-between will do the minimum to comply and the maximum to hinder the new competition knocking at their front or back door.

The new competitors will want to use APIs if they are good, because that is easier than automating direct access. But they will not want to use them if they are not so good, because that would lead to not-so-good services for their customers – who, by the way, are also the customers of that bank. Not to be forgotten!

In November 2016, the European Commission established a Financial Technology Task Force, with the aim of helping fintech in the EU reach its full potential. 2017, we were told, was going to be the “year of fintech” in the EU. Potentially hamstringing EU fintechs with an anti-competitive rule is an odd way of showing it.

What should we be doing?

To really protect consumers, the EU needs to help them understand how to choose the right providers when buying financial services and to safeguard against the use of malicious ones. National authorities should rigorously enforce existing laws on data protection and information security, making an example of any company which fails to meet proper standards either in the collection or use of data. This would do what the misguided EBA ban on “screen scraping” aims to do, but cannot, without harming the growing EU fintech sector.

“Permitted automated direct access” should be recognized as one of the most important enablers for innovation and competition in general, and not just in the financial services industry. Therefore, governments, regulators and competition authorities should embrace it and focus on keeping it secure and efficient, rather than throwing it out with the bathwater.

To be fair, the European Parliament recognizes this already, judging by a letter[1] MEPs wrote in October 2016. It is amazing that the EBA chose to do the opposite, and I can only hope that the parliament will insist and prevail!

Properly nurtured and regulated, European fintech will continue to be a success story: an engine of growth and a job creator, at exactly the time such things are sorely needed. This isn’t the time to put that at risk, particularly not for the sake of excessive legislation that won’t achieve its stated aim.

[1] https://www.eba.europa.eu/documents/10180/1656822/(EBA-2016-E-957)%20Letter+from+MEPs+Ferber+and+Tajani+re+PSD2.pdf/0cd3dd58-ec5d-40a0-8d5b-6e7917f0ac56