Conversations are ongoing between the European Commission (EC) and the European Banking Authority (EBA) around the Regulatory Technical Standard (RTS) for Strong Customer Authentication (SCA) under the Payment Services Directive 2 (PSD2), specifically with regards to Screen Scraping.
Screen Scraping is the practice where third-party Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) access bank accounts on the client’s behalf using the client’s username and password credentials. The practice was prohibited in the EBA’s final draft RTS.
However, several FinTech firms are coming forward and reporting a general lack of readiness by banks to implement newer, safer methods of delegated access control. As a result, the EC is now urging the EBA to let companies use screen scraping as a “fallback option” to more secure methods, such as application programming interfaces (APIs).
Because it involves the sharing and use of customer passwords, the FIDO Alliance sees three main problems with endorsing Screen Scraping:
- It doesn’t meet the security requirements called for in PSD2.
- It puts consumers at increased risk.
- Any approach where a third party can “log in as if they were a consumer” puts all parties at risk.
We do not see any way in which the Screen Scraping approach requested by the EC can be implemented to the level of enhanced security called for in PSD2. There are far more secure ways for consumers to delegate access to their bank accounts, involving APIs protected by strong customer authentication credentials – writes Brett McDowell, executive director, FIDO Alliance.
These API solutions, based around proven global standards such as OAuth 2.0 and OpenID Connect (OIDC), have the added benefit of providing not just better security but also better privacy. They let consumers grant access to their bank accounts and share some details but not others. When paired with FIDO standards for strong authentication, API-based solutions gain the benefits of device-based multi-factor authentication that is both safer and easier for consumers to use than typing codes into a form.
To the extent that the EC believes a “fallback option” such as screen scraping needs to be supported while banks come up to speed with PSD2, we suggest that this may be better addressed through a policy exemption to the RTS, rather than in the RTS itself. The RTS, by its nature, is an important technical standard that will guide the market for years to come.
As such, the RTS should focus on setting a high mark for SCA and common and secure communication under PSD2 – not articulate methods for stakeholders to avoid their responsibilities under this historic advancement in consumer protection policy. Inclusion of the “fallback option” in the RTS itself would dilute its message, undermine the intent of PSD2 and its requirements for SCA, and place consumers at increased risk.