PSD2: access to customer data, under the spotlight
One of the topics of debate around the European Union's Payment Services Directive 2, better known as PSD2, is how third-party access to customer data should be arranged. The European Banking Authority (EBA) has said it is in favor of access through Application Programming Interfaces (APIs), which it regards as the more secure way of protecting customer data. That position differs from the one taken to date by the European Commission.
PSD2 marks a revolution in the European payments system. One of its pillars is the banks’ opening to third parties of payment-related services. This allows third-party access to certain data of bank customers. And this is what has sparked the debate.
On the one hand, we have the defenders of access to data via “screen scraping,” a process by which a third party makes a copy of information contained on a website, by posing as an ordinary user. This method is generally used by non-banking companies specializing in financial services, in order to access data from bank clients. They need only have the permission of the customer to access that data. That is, the bank’s authorization would not be necessary, provided the third party is authorized or registered with the competent authority (in Spain, for example, this would be the Bank of Spain).
Banks, on the other hand, are in favor of access through “interfaces,” probably APIs, which are opened by the financial institutions. One fundamental difference is that the APIs are based on a native, machine-to-machine dialogue, while in “screen scraping,” the machine communicates with a machine that poses as a person.
Video: "What is screen scraping?" from the European Banking Federation on Vimeo.
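The difference between the two access models is easiest to see in code. The following is an added example, not code from the article or from any bank, regulator or third-party provider it mentions: a toy bank with two access paths. In the screen-scraping path the third party must hold the customer's own password and logs in exactly as the customer would, so the bank cannot tell the two apart and cannot limit what the third party reads. In the API path the third party authenticates under its own registered identity with a bank-signed consent limited to the resources the customer agreed to. All names, identifiers, account data and the HMAC-based consent token are constructed for the example; real PSD2 interfaces use their own consent and authentication mechanisms.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Everything below is constructed demo data; nothing comes from a real bank.
BANK_KEY = b"constructed-bank-signing-key"
REGISTERED_TPPS = {"tpp-fintech-01"}  # third parties registered with the authority

CUSTOMER_ID = "cust-001"
CUSTOMER_PASSWORD = "correct horse battery staple"
ACCOUNT_DATA = {
    "balance": {"iban": "ES00 0000 0000 0000 0000 0000", "amount": 1234.56},
    "transactions": [{"date": "2017-06-01", "amount": -42.10, "payee": "Grocer"}],
    "personal": {"name": "A. Customer", "address": "Calle Falsa 123"},
}


@dataclass
class Bank:
    audit_log: list = field(default_factory=list)

    # Path 1: screen scraping. The caller presents the customer's own password,
    # so the bank sees an ordinary customer login and cannot distinguish a
    # person from a scraper, nor restrict what the session is allowed to read.
    def web_login(self, customer_id, password):
        if customer_id != CUSTOMER_ID or password != CUSTOMER_PASSWORD:
            raise PermissionError("bad credentials")
        self.audit_log.append({"path": "web", "actor": customer_id})
        return dict(ACCOUNT_DATA)  # every resource the customer can see

    # Path 2: API access. The customer authenticates to the bank (never to the
    # third party) and grants a scoped consent to a named, registered TPP.
    # The bank signs the consent so the TPP cannot widen it afterwards.
    def issue_consent(self, customer_id, password, tpp_id, scopes):
        if customer_id != CUSTOMER_ID or password != CUSTOMER_PASSWORD:
            raise PermissionError("bad credentials")
        if tpp_id not in REGISTERED_TPPS:
            raise PermissionError("unregistered third party")
        claims = {"sub": customer_id, "tpp": tpp_id, "scopes": sorted(scopes)}
        body = json.dumps(claims, sort_keys=True)
        mac = hmac.new(BANK_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{mac}"  # consent token handed to the TPP, not the password

    def api_read(self, tpp_id, token, resource):
        body, _, mac = token.rpartition(".")
        expected = hmac.new(BANK_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            raise PermissionError("tampered or forged token")
        claims = json.loads(body)
        if claims["tpp"] != tpp_id or tpp_id not in REGISTERED_TPPS:
            raise PermissionError("token not issued to this third party")
        if resource not in claims["scopes"]:
            raise PermissionError(f"consent does not cover '{resource}'")
        # The log names the third party and the customer it acts for.
        self.audit_log.append({"path": "api", "actor": tpp_id,
                               "on_behalf_of": claims["sub"], "resource": resource})
        return ACCOUNT_DATA[resource]


def scraping_flow():
    """Third party holds the customer's password and logs in as the customer."""
    bank = Bank()
    data = bank.web_login(CUSTOMER_ID, CUSTOMER_PASSWORD)
    return sorted(data), bank.audit_log  # all resources; log shows only the customer


def api_flow():
    """Third party holds only a consent limited to the balance."""
    bank = Bank()
    token = bank.issue_consent(CUSTOMER_ID, CUSTOMER_PASSWORD, "tpp-fintech-01", {"balance"})
    balance = bank.api_read("tpp-fintech-01", token, "balance")
    denied = []
    for resource in ("personal", "transactions"):
        try:
            bank.api_read("tpp-fintech-01", token, resource)
        except PermissionError:
            denied.append(resource)  # outside the granted scope
    # A token edited to widen its scope fails the signature check.
    forged = token.replace('"balance"', '"balance", "personal"')
    try:
        bank.api_read("tpp-fintech-01", forged, "personal")
        forged_accepted = True
    except PermissionError:
        forged_accepted = False
    return balance, sorted(denied), forged_accepted, bank.audit_log


if __name__ == "__main__":
    print("scraping:", scraping_flow())
    print("api:", api_flow())
```

Running both flows shows the point the article attributes to the EBA: after the scraping login the audit log contains only the customer's identity and the third party has read balance, transactions and personal details alike, whereas the API path records the third party by name, returns only the balance, and rejects both out-of-scope reads and a consent token altered to cover more data.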
The EBA, in its initial proposal, already wanted to prohibit screen scraping and to allow the non-bank players to access customer data through these APIs, for security reasons and in order to protect the privacy of the data.
The European Commission asked the EBA to amend its original text and proposed that screen scraping be kept as an option. Specifically, the EC proposed allowing access to the data through screen scraping with identification of the third party, to be activated as a fallback mechanism in case the APIs didn't function.
However, the EBA firmly refused this method. It argued that the supposed benefits of maintaining screen scraping are not evident, compared to the risks it would entail for the customer data. The EBA shares the intention of the Commission to guarantee access to data, but not through this method. Instead, it recommends applying stricter standards to the banking interfaces.
This is the last word from the EBA, but the matter remains unresolved. Now the ball is in the court of the Commission, which must make a decision. The text finally adopted by the Commission must be ratified by the Council and by the European Parliament. Although the Commission seemed to be on the side of screen scraping, legislating in its favor would mean going against the technical opinion of the EBA.
PSD2 entered into force in January 2016, but the majority of the countries will not transpose it into national legislation until 2018. For its part, the Regulatory Technical Standard (RTS) on secure authentication (which is the object of the dispute) will enter into force 18 months after its definitive approval, which in practice would push its application into 2019.