Out-Law / Your Daily Need-To-Know

PSD2: 'screen scraping' ban confirmed in finalised standards

Out-Law News | 28 Nov 2017 | 9:52 am | 4 min. read

Financial technology (fintech) will be banned from using software to 'scrape' data held by banks to provide services to their customers under new regulatory technical standards (RTS) in Europe.

The ban is likely to be effective from a date in late September 2019, according to a timetable explained by the European Commission.

Although 'screen scraping' will be barred from the date that the newly finalised RTS on strong customer authentication and common and secure open standards of communications (31-page / 530KB PDF) take effect, the RTS set out new, formal, requirements on banks and other account servicing payment service providers (ASPSPs) over how they must enable third parties to access the payment accounts data they hold.

"It is no surprise that the Commission has confirmed the ban on screen scraping," said financial services and technology law expert Yvonne Dunn of Pinsent Masons, the law firm behind Out-Law.com. "However, what is also interesting in the RTS is the slight relaxation of the commitment to maintain a contingent means of access for payment initiators. This only applies where the ASPSP can demonstrate that their interface is reliable and offers access on a basis equivalent to that enjoyed by customers."

"We expect banks to welcome this amendment since it reduces the requirement on them, but they will need to ensure that their dedicated interface provides necessary access," she said.

The RTS that the Commission has published is subject to three months of scrutiny by the European Parliament and EU's Council of Ministers. The standards will take effect 18 months after they are published in the Official Journal of the EU (OJEU). They will apply under the EU's revised Payment Services Directive (PSD2).

PSD2 provides new rights to account information service providers (AISPs) and payment initiation service providers (PISPs) to access payment accounts and payment account information held by ASPSPs. The provisions are designed to enable those businesses, which have emerged onto the payment services market in recent years, to help consumers to make payments and review information from their payment accounts. In return, PSD2 will subject AISPs and PISPs to regulation for the first time.

The detail of how AISPs and PISPs will be able to exercise their access rights is not specified in PSD2. Instead the Directive provided for that detail to be set out in RTS that were to be drafted by the European Banking Authority (EBA) and implemented by the Commission.

The publication of the new RTS marks the end of months of uncertainty over the make-up of the new standards following disagreement between the EBA and Commission over their contents.

PSD2 will take effect in national laws across the EU by 13 January 2018. A transitional period will therefore apply where PSD2 provisions will apply but the RTS on strong customer authentication and common and secure open standards of communications will not.

The Commission has confirmed that some of the security requirements that PSD2 sets out will not apply until the new RTS take effect.

"The application of security measures in Articles 65, 67 and 97 of PSD2 is postponed until the RTS becomes applicable," it said. "However, those parts of Articles 65, 67 and 97 that are not dependent on the RTS will apply as of 13 January 2018."

According to the new standards, ASPSPs must either enable third party access to the data through the same interfaces they use for interacting with customers, or alternatively develop a new 'dedicated interface' for that purpose. A range of safeguards are outlined in the standards to ensure that the access rights of AISPs and PISPs are respected.

The Commission said: "All communication interfaces, whether dedicated or not, will be subject to a three-month 'prototype' test and a three-month 'live' test in market conditions. The test will allow market players to assess the quality of the interfaces put in place by account servicing payment service providers, including banks. A quality dedicated communication interface should offer at all times the same level of availability and performance the interfaces made available to a consumer or a company for directly accessing their payment account online. In addition, a quality dedicated interface should not create obstacles to the provision of payment initiation or account information services."

"Payment service providers, including banks, will have to define transparent key performance indicators and service level targets for the dedicated communication interfaces, if they decided to set them up. These performance indicators should be at least as stringent as those set for the online payment and banking platforms used by the customers," it said.

Where ASPSPs decide to develop a dedicated interface for enabling third party access to data, they will also have to develop "a strategy and plans for contingency measures" to account for instances where the interface underperforms, or where there is "unplanned unavailability of the interface" or "a systems breakdown".

"Unplanned unavailability or a systems breakdown may be presumed to have arisen when five consecutive requests for access to information for the provision of payment initiation services or account information services are not replied to within 30 seconds," according to the new standards.

In some cases contingency measures that ASPSPs must provide for will include provision for the third parties to use the interface they use for authenticating and communicating with customers. However, regulators will be able to exempt ASPSPs from this requirement where their dedicated interfaces meet certain criteria, including passing the testing phases and have been shown to work for at least three months in live conditions.

The Commission said: "For cases where a dedicated interface has been exempted from the contingency mechanism based on the customer interface but no longer meets the requirements for such an exemption, or cases where an ASPSP fails to offer any interface that complies with the requirements of PSD2 and the RTS, the Commission has introduced a provision to ensure business continuity in the payments market. In such a situation, competent authorities shall guarantee that PISPs and AISPs are not blocked or obstructed in the provision of their services."