Banks represented by the European Banking Authority (EBA) and Fintechs represented through the Future of European Fintech are in profound disagreement about the technical standards for the implementation of the Second Directive on Payment Services (PSD2). Banks argue that screen scraping should be banned in favor of application programming interfaces (APIs) controlled by the banks; Fintechs reply that banks’ APIs are not ready and that the premature ban on screen scraping is a political move to kill third-party payment Fintechs.
Will the whole dispute derail the EU’s progress towards Open Banking? The risk is there.
The topic was debated at the Payments and Fintech Club of the Digital Business Association ACSEL by French lawyer Laetitia de Pellegars, from Pellegars Legal, and by panelists at a panel discussion moderated by Laurent Nizri, CEO of Altéir and VP of ACSEL, with Georg Schardt, CEO of payment Fintech SOFORT, Geoffroy Goffinet, Adjunct Director of Licensing at French Financial Services Regulator, ACPR, and Fabrice Denèle, Chairman of the Payments Committee of the European Savings and Retail Banking Group and Head of Payments at French banking group BPCE.
What is PSD2?
For readers who are not familiar with the workings of the European Union: The Second Directive on Payment Services (PSD2) is a European Union (EU) directive which requires that banks give access to the account data of their customers to the licensed third-party payment service providers (TPPs) with whom customers have agreed to share their data. Examples of TPPs are:
- Account Information Service Providers (AISPs): better known as account aggregators and personal finance management software such as the French Bankin and Linxo, Swedish Tink and Spanish Eurobits.
- Payment Initiation Service Providers (PISPs): licensed to initiate payments such as German Sofort and Swedish Trustly.
The country indicated is the country of origin but many TPPs are international.
PSD2 is clearly a step towards Open Banking, enabling third-party developers to build applications and services around the banks’ own.
The directive was formally approved by the European Parliament in 2015 and the Member States are due to transpose it into national legislation by January 2018.
The European Banking Authority (EBA) was mandated to draft the Regulatory Technical Standards (RTS) for the implementation of the directive which include the standards for strong customer authentication and for the communication between banks and third-party payment service providers (TPPs).
In February 2017, the EBA submitted a draft which is the object of the current dispute between banks and fintechs. Once the discussion is closed, the European Commission will have the final word on the technical standards which are supposed to come into force only in 2019.
In what follows, for the purpose of simplification, I oppose banks/the EBA to Fintechs/TPPs even though the EBA does not necessarily represent the opinion of all banks, and the Future of Fintech Alliance the opinion of all fintechs/TPPs. I also focus solely on screenscraping, even though there are other contentious issues.
The dispute over screen scraping
The draft of the regulatory technical standards for the implementation of PSD2 submitted by the EBA proposes that screen scraping be banned and that TPPs be required to go through the banks’ proprietary APIs to access account data.
As a reminder, screen scraping is the use of technology to automatically extract information from a Web page designed to be viewed by customers ‒ hence it is referred to as a “customer-facing interface,” as opposed to the “application programming interface” (API)-access to data.
The EBA’s proposal generated an outcry among TPPs and Fintechs in general. Grouped in the Future of Fintech alliance, 72 of them signed a manifesto arguing against the ban of screen scraping. Their arguments seemed to convince the European Commission, which proposed to amend the EBA’s proposal to allow for the use of screen scraping as a fallback option in case a bank’s dedicated API would not perform as required under the technical standards.
European Commission Vice-President Valdis Dombrovskis declared in May 2017:
“We will [..] ask the European Banking Authority to have another look at the draft standards for data interfaces, and at proposals to allow Fintechs access to the customer-facing interface, whenever the dedicated interface breaks down or is not performing properly. […] This would safeguard the continuity of access for Fintechs, while still allowing banks to require Fintechs to use dedicated interfaces in normal conditions.”
In what follows, I summarize the arguments presented in writing by each side in the latest round of the dispute.
Banks argue that screen scraping is obsolete, unsafe, distracting, and costly
The EBA argues that it has fully respected its mandate to define technical standards that ensure discrimination-free access to bank account data by competitors, including TPPs, by advocating the sole use of dedicated APIs. According to the EBA, APIs are the solution of the future whereas screenscraping is a solution of the past.
The banking authority acknowledges the concern of TPPs that some banks might not be able or willing to deliver a dedicated interface, but argues that allowing screen scraping as a fallback option is not a viable solution as it creates the following problems:
- Cost increases: banks and TPPs would have to bear the costs of operating two interfaces to access account data, API and screen scraping.
- Fragmentation: without a single clear standard, some banks might give up developing APIs.
- Barrier for new TPPs: banks like to call the Fintechs who signed the Manifesto against the ban of screen scraping the “incumbent” TPPs, and argue that new TPPs would be hampered by the need to develop two types of interfaces.
- No reliable fallback: If a bank’s API fails to perform, its customer interface, and hence screen scraping, probably fails too.
- Incompatibility with PSD2 security: If, as the Commission proposes, banks must provide the fallback option within 30 seconds of an API failing, this lapse is not long enough for security checks.
- Supervisory constraints: The competent authorities would not be able to determine which APIs worked and which did not work.
- Lack of consumer understanding: Customers would find it difficult to understand what they consent to if there were several technology options.
Therefore, the EBA proposes to abide by its proposal, to ban screen scraping, and to set clear performance targets, test phases, and review mechanisms to make sure that banks deliver performing APIs.
Fabrice Denèle, Chairman of the Payments Committee of the European Savings and Retail Banking Group and Head of Payments at French banking group BPCE summarized the banks’ position during the above-mentioned debate:
“The commission says we need the spare wheel option […]. The commission wants us to put in place a vault with a secure door, but a back door with unsecured access.”
“What we have achieved in terms of reliability is 99.9%. We are ready to go live [with APIs].”
Fintechs argue that screen scraping is safe, operational, and easily made PSD2 compliant, and that EBA denies this reality in bad faith
The TPPs represented by the European Future of Fintech Alliance argue that:
- The EBA failed its mandate to draft technology- and business-neutral standards by not consulting non-banks and disregarding their needs and expressed requests.
- By requiring that TPPs access customer data obligatorily and solely through bank-controlled APIs, the EBA hands to banks power over the TPPs, as if non-bank TPPs were second-class financial services accountable to banks, instead of independent financial firms accountable directly to the regulators and to their customers.
- The EBA proposals are in denial of the market and technological realities which are that screenscraping is currently the working technology universally used by banks and non-banks, and that not all 4,000 EU banks are ready, or even willing to provide functioning APIs within the required time frame.
- As small firms, TPPs do not have the banks’ deep pockets and cannot suffer service interruptions. The EBA proposal, therefore, endangers their survival even though the safe integration of TPPs was the goal of the PSD2.
In detail, the Future of Fintech alliance rebuts the EBA’s above-mentioned arguments which, in its opinion, are not made in good faith:
- Minimal cost: As screen scraping and APIs would use the same authentication mechanism, costs would be minimal.
- Benchmark: Screen scraping has handled hundreds of millions of transactions without security incident. It does not deter API development but sets the bar for API performance.
- Barrier for new TPPs: By claiming that screen scraping as a fallback solution gives an advantage to existing TPPs over new ones, the EBA implicitly admits that APIs might not be available and performing. In reality, the main barrier to the entry of new TPPs is the (sometimes publicly acknowledged) anti-competitive behavior of many banks who hamper data access, for example, through redirections or multiple logins.
- Reliable fallback: Screen scraping relies on technologies proven by 15 years of positive experience. APIs are new developments for many banks that lead to incidents such as, for example, the 6-month interruption of service of the Swedish Swish API solution.
- Compatibility with PSD2 security: In the past, the EBA argued, in spite of evidence to the contrary, that screen scraping was not safe. Now faced with the fact that screen scraping can use the same PSD2-compliant authentication as APIs, the authority persists in mischaracterizing screen scraping as a “back door.” Both doors use the same key.
- No supervisory load: Competent authorities don’t monitor financial systems in real time.
- Customers trust TPPs: Banks have problems accepting that customers want to use innovative TPP services and trust them.
Fintechs conclude that PSD2 was meant to enable TPPs to operate under regulatory supervision to ensure security standards. The regulatory standards proposed by the EBA want to force TPPs to drop their proven technology in favor of unproven, bank-controlled APIs. In their opinion, this is an underhanded way to block them.
In the words of Georg Schardt, CEO of SOFORT, a German TPP:
“Do it [APIs for all banks] and if it works, we will use it. But DO IT FIRST.”
Derailing Progress Towards Open Banking
As underlined by Geoffroy Goffinet, of the French Financial Services Regulator, ACPR, the regulator aims to be technology neutral. In this respect, the ACPR follows the lead of the European Commission in advocating the choice between APIs and PSD2 compliant screen scraping – the improved version of screen scraping in which TPPs are identified through a PSD2 compliant mechanism.
For Laetitia de Pellegars of Pellegars Legal, it is important to remember what is at stake in this dispute: no less than access to customer data, and, through it, the ability to mine customer data to offer more and better services.
The goal of the second payment directive is, in principle, to enable European innovators to develop new modes of access to financial services, new ways of contracting a financial relationship, new onboarding processes. As it stands, however, the PSD2 process is achieving the contrary: blocking existing Fintech innovators and deterring new ones. Indeed, Ms. Pellegars sees flaws in the regulatory process itself:
- The time delay between the entry into force of PSD2 in January 2018 and the later entry into force of the PSD2 technical standards by mid-2019 is bound to create problems for TPPs in the intermediary phase,
- The separation between the regulation of payment data by PSD2 and the regulation of wealth management data by MIFID prevents the regulators from addressing the full issue of new applications and services based on customer data.
Ms. Pellegars concluded with a warning: this is harming Europe’s capacity to compete with non-European payment service providers such as Apple Pay, WeChat Pay, Ali Pay.
Derailing the EU’s Progress towards Open Banking
It is difficult to side with the EBA on this issue because it is very difficult to see how its proposal to ban screen scraping in the short-term would not severely handicap, if not kill, many of the TPPs, the very innovators whom the PSD2 was designed to integrate into a safe open banking environment.
There is no point in beating around the bush: banks were very reluctant to give access to bank account data to aggregators and personal finance management applications when those hardly took any revenue from them. They were much more upset by payment initiators who have the potential to take away from their payment revenues. Now they fear losing the customer relationship. Yet, the writing is on the wall. Open Banking is going to happen, whether banks want it or not, not least because customers enjoy the convenience and choice it brings.
Trying to slow down the change by hampering emerging European innovators is not the answer, especially if Continental Europe wants to keep pace with non-EU competitors, including the UK whose Open Banking initiative is still on track with meeting the original PSD2 schedule.
Therese Torris, PhD, is a Senior Contributing Editor to Crowdfund Insider. She is an entrepreneur and consultant in eFinance and eCommerce based in Paris. She has covered crowdfunding and P2P lending since the early days when Zopa was created in the United Kingdom. She was a director of research and consulting at Gartner Group Europe, Senior VP at Forrester Research and Content VP at Twenga. She publishes a French personal finance blog, Le Blog Finance Pratique.