Fintechs and banks clash over ‘screen scraping’
by Kylene Casanova
Banning direct access to customer bank accounts could severely hamper the European fintech industry. The debate between banks, fintechs and the EBA is far from over.
PSD2: a summary
First we had PSD2 – the revised Payments Services Directive, due to be implemented in January 2018. This overhaul of payments in the European Union will drive through three main changes:
- it will regulate third party providers (TPPs), such as account information service providers (AISPs) and payment initiation service providers (PISPs), setting standards for how these third parties gain access to customer bank account data;
- it will enable 'access to accounts', by obliging banks to make their customer bank account data available to APIs, provided customers have given authorisation for the third-party access;
- it introduces greater security requirements for the initiation of payments (referred to as strong customer authentication or SCA), and strengthens consumer rights.
Ban on screen scraping
This sounded like a good thing, especially for consumers, who would have more protection. But the European Banking Authority (EBA) announced on 23 February that it would ban the practice of 'direct access', which enables authorised, licensed TPPs to gain access to customer bank account data through the bank's online customer interface. This practice is often referred to as screen scraping.
Since then, the European Banking Federation (EBF) and a group of fintech companies have clashed on this issue. The group of 70 fintech companies, calling themselves The Future of the European Fintech Alliance, complained to the European Commission that the 'ban on screen scraping' would not reflect the principles set out under PSD2's original text. The fintechs claim that 'direct access' is a proven and secure technology.
Impersonating the customer
In response, the EBF issued a video that sets out a simple explanation for why direct access should not be allowed, claiming that it poses a threat to customer security and could lead to legal problems related to who is liable for initiating a payment. The EBF claims that direct access allows third parties to gain access to their customers' bank accounts by impersonating the customer, using their access credentials.
It is this issue, telling apart when a TPP is accessing an online account and when it is actually the customer, that seems to be at the heart of this disagreement.
EBF video could 'severely hamper' fintechs
The debate seems nowhere near resolved but one of Europe's fastest growing fintech businesses has weighed in and refutes the claims made in the EBF's video, saying that the EBF's campaign and video “could severely hamper the European fintech industry”. Ralf Ohlhausen, business development director at e-payments company PPRO Group, argues that the European Banking Authority (EBA) has already accepted screen scraping as compliant with PSD2, if undertaken by a duly licensed TPP that has properly identified itself to the bank. He says that the European bank lobby is asking the PSD2 legislator to give them the right to decide who shall be allowed to use it or not, because it would give them the power to end most of their existing TPP competitors, which rely on this technology. He states: “Their intention is to block TPPs from identifying themselves at their direct access customer facing (online banking) interface, knowing that such identification is mandatory under PSD2 to ensure that only licensed TPPs can access their accounts. To add insult to injury, their video then claims that it is the TPPs who do not want to identify themselves and impersonate the end customer instead.”
CTMfile take: This is a row that is set to rumble on between two influential sets of lobbyists and it will be interesting to see who prevails.