October 16, 2017

October 13, 2017


The Screen Scrape Debate Will Not Abate

The debate surrounding “screen-scraping” continues as Member States of the European Union prepare for the impending Second Payment Services Directive (“PSD2”). Screen scraping is the practice in which third-party Payment Initiation Service Providers (“PISPs”) and Account Information Service Providers (“AISPs”) are granted access to a client’s bank accounts by using the client’s credentials in order to perform a service. As heralded in our discussion in July identifying the problem, the European Banking Authority (“EBA”) maintained its stance of outlawing the practice in the final draft Regulatory Technical Standards (“RTS”) on secure communication and Strong Customer Authentication (“SCA”). Consistent industry pressure has led the European Commission (“EC”) to ask the EBA to permit AISPs and PISPs to utilise screen scraping as a “fallback option”.

The Fast IDentity Online (“FIDO”) Alliance, a consortium of over 250 organisations collaborating on and developing industry best practices in online authentication, recently wrote to the EC commenting on key issues and suggesting that endorsing screen scraping as a “fallback” is problematic and not acceptable. The lead concern is one of security. PSD2 and the General Data Protection Regulation (“GDPR”) are consistent in their emphasis on security, and the very idea of permitting consumers to provide their credentials to a third party is inconsistent with both PSD2 and the GDPR principles (GDPR is due to be implemented by Member States in May 2018). In addition, given the requirement for Application Programming Interfaces (“APIs”) that allow those third parties the same access via the consumer’s bank, it is argued that the API is the most efficient method of access.

Brett McDowell, executive director of the FIDO Alliance, commented: “We do not see any way in which the screen scraping approach requested by the EC can be implemented to the level of enhanced security called for in PSD2…. Sharing passwords is simply a bad practice from a security perspective.”

FIDO proposes, as a solution, that banks be given more time to comply with the new regulations. A response to this from the EBA is expected shortly. We will continue to monitor these developments.

Copyright 2017 K & L Gates



About this Author

Judith E. Rinearson, KL Gates, federal consumer protection lawyer, anti money laundering attorney
Partner

Judith Rinearson is a partner in the firm’s New York and London offices. Ms. Rinearson concentrates her practice in prepaid and emerging payment systems, electronic payments, crypto/virtual currencies, reward programs, ACH and check processing. She has more than 25 years of experience in the financial services industry, including 18 years at American Express’s General Counsel’s Office. Her expertise focuses particularly in the areas of emerging payments and compliance with state and federal consumer protection laws, anti-money laundering laws, state money transmitter...

212-536-3928