Brett McDowell, executive director, FIDO Alliance
Should screen scraping be allowed, even as a fallback option, under Payment Services Directive 2 (PSD2)? The FIDO Alliance has been closely observing the discussions on this topic between the European Commission (EC) and European Banking Authority (EBA) as it relates to the Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA) under PSD2. I detailed the FIDO Alliance’s answer to that question in a letter to the European Commission and European Parliament last week, the key points of which are summarized below (you can read the full letter here).
“Screen scraping” is the practice where third-party Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) access bank accounts on the client’s behalf using the client’s username and password credentials. The practice was prohibited in the EBA’s final draft RTS. However, several FinTech firms are coming forward and reporting a general lack of readiness by banks to implement newer, safer methods of delegated access control. As a result, the EC is now urging the EBA to let companies use screen scraping as a “fallback option” to more secure methods, such as application programming interfaces (APIs).
Because it involves the sharing of and use of customer passwords, the FIDO Alliance sees three main problems with endorsing screen scraping:
- It doesn’t meet the security requirements called for in PSD2.
- It puts consumers at increased risk.
- Any approach where a third-party can “log in as if they were a consumer” puts all parties at risk.
We do not see any way in which the screen scraping approach requested by the EC can be implemented to the level of enhanced security called for in PSD2. There are far more secure ways for consumers to delegate access to their bank accounts, involving APIs protected by strong customer authentication credentials. These API solutions, based around proven global standards such as OAuth 2.0 and OpenID Connect (OIDC), have the added benefit of providing not just better security but also better privacy. They let consumers grant access to their bank accounts and share some details but not others. When paired with FIDO standards for strong authentication, API-based solutions gain the benefits of device-based multi-factor authentication that is both safer and easier for consumers to use than typing codes into a form.
To the extent that the EC believes a “fallback option” such as screen scraping needs to be supported while banks come up to speed with PSD2, we suggest that this may be better addressed through a policy exemption to the RTS, rather than in the RTS itself. The RTS, by its nature, is an important technical standard that will guide the market for years to come. As such, the RTS should focus on setting a high mark for SCA and common and secure communication under PSD2 – not articulate methods for stakeholders to avoid their responsibilities under this historic advancement in consumer protection policy. Inclusion of the “fallback option” in the RTS itself would dilute its message, undermine the intent of PSD2 and its requirements for SCA, and place consumers at increased risk.
To read Brett’s full letter to the European Commission and European Parliament, click here.