'Screen scraping' to be prohibited under PSD2

Out-Law News | 22 Feb 2017 | 3:05 pm | 3 min. read

The practice of 'screen scraping' will be prohibited under new EU payment services laws, the chair of the European Banking Authority (EBA) has confirmed.

In a speech (6-page / 185KB PDF) in London on Tuesday, Andrea Enria confirmed that the EBA will make some changes to the regulatory technical standards (RTS) on strong customer authentication that it consulted on last year in light of concerns raised by industry.

Some of the changes will affect the way third party account information service providers (AISPs) gain access to payment account information.

AISPs provide tools that allow users to see, at a glance and in one place, all their payment account information aggregated from across different accounts. At the moment, many AISPs rely on 'screen scraping' techniques to gain access to the information held by each payment service provider (PSP) used by their customers: the AISP logs in to the bank's customer-facing online banking service with the customer's own credentials, so the bank cannot distinguish the AISP from the customer it is acting for. However, Enria confirmed that screen scraping would be prohibited under PSD2.

"Having informally consulted with the European Commission on the interpretation of the Directive, the EBA has come to the conclusion that the current practice of third party access without identification that a few respondents referred to as ‘screen scraping’, or mistakenly as ‘direct access’, will no longer be allowed once the transition period under the PSD2 has elapsed and the RTS applies," Enria said.

Enria said that, under the final RTS on strong customer authentication, account servicing PSPs, such as banks, will be obliged to "offer at least one interface" through which AISPs and payment initiation service providers (PISPs) can access payment account information.

He confirmed, though, that the final RTS will impose a requirement on banks to ensure they "provide the same level of availability and performance as the interface offered to, and used by, their own customers, as well as to provide the same level of contingency measures in case of unplanned unavailability".

The EBA is responsible for defining the RTS for strong customer authentication under the reformed Payment Services Directive (PSD2), which came into force last year. The Directive needs to be implemented into national laws across the EU by 13 January 2018. 

Payments and technology law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said the move to ban screen scraping goes against recommendations made by lead negotiators for the European Parliament on the PSD2.

In a letter to the EBA last autumn, MEPs Markus Ferber and Antonio Tajani raised concern with the EBA's proposals for a "dedicated interface" to be established to facilitate access to payment accounts for AISPs. They said AISPs should not have to "use a particular business model" to obtain direct access to accounts and warned it might allow banks and other account servicing PSPs to "exclude or limit direct access to the payer's account via existing online-banking facilities".

The MEPs said the EBA's standards should not prevent AISPs gaining "indirect access" to payment accounts. They also said the PSD2 requires the EBA to develop RTS that "secure and maintain fair competition among all payment service providers and to ensure technology and business-model neutrality".

McFadyen said that the shift away from screen scraping will be subject to time pressures in the UK as a result of Treasury proposals.

According to the Treasury plans for implementation of PSD2, the RTS on strong customer authentication would not be binding until 18 months after they have been finalised by the European Commission. However, the Treasury said that, account servicing PSPs "will be expected to provide access ... in line with the draft RTS wherever possible" from January 2018.

The EBA's final RTS on strong customer authentication were due to be published by 13 January 2017. The regulatory body opened a consultation on draft standards last summer, but its proposals were heavily criticised by industry, and led to Enria confirming in November that the EBA would probably be "a month or so" late in setting out the final standards. The final standards have yet to be published.

However, in his speech Enria provided further details of the changes that stakeholders can expect to see in the final RTS.

In its draft RTS, the EBA had proposed that its strong customer authentication requirements should apply to all remote payment transactions valued at over €10, subject to limited exceptions. Enria said that the threshold would be raised to €30 in the final standards.

Two new exemptions will also be introduced, he said.

"With regards to the exemptions to the principle of strong customer authentication, the EBA will introduce two new exemptions, one based on 'transaction risk analysis' and the other for payments at so-called 'unattended terminals' for transport or parking fares," Enria said. "The exemption on transaction risk analysis will be linked to predefined levels of fraud rates, so as to provide incentives to strengthen the protection of customers. A review clause 18 months after the application date of the RTS has been introduced, to ensure that the calibration of the exemption is sufficiently conservative."

Calls from some stakeholders to exempt corporate payments from the strong customer authentication standards have, however, been dismissed, he said.

Under PSD2, the European Commission has the power to adopt the standards that the EBA develops.