
Why banks want a ban on ‘screen-scraping’

European banks have urged the Commission to go ahead with its proposed ban on so-called 'screen scraping', citing concerns for privacy of client data, cybersecurity and innovation.

Under the revised Payment Services Directive (PSD2), which will come into effect from January 2018, there are requirements for a general security upgrade for third-party access to bank clients' data, bringing an end to the practice known as screen scraping. Amid some debate on the subject, the European Banking Federation (EBF) has made it clear that it supports these PSD2 requirements. But not everyone agrees and, last week, a group of European financial technology (fintech) companies asked the European Commission to consider revising its regulatory technical standards (RTS) for PSD2.

What is screen-scraping and why do banks want it banned?

The practice of screen scraping is often used by account information service providers (AISPs), which provide their customers with an aggregated view of bank account balances and account data. To do this, they need to use software that automatically collects information through a bank's existing customer-facing online banking system. Crucially, it allows third-party access without identification, which is why the European Banking Authority (EBA) confirmed in February this year that screen scraping would no longer be possible under the new RTS on strong customer authentication under PSD2. The EBA said that the main problem with screen scraping is that it does not meet the security requirements under PSD2, which require that the flow of data between account servicing PSPs and third-party providers (PISPs or AISPs) is not subject to unauthorised access and that customer authentication details are kept confidential.

But the fintech companies that rely on this process, sometimes also referred to as 'direct access', say it is a secure, proven technology. The third-party providers that use the process include payment initiation service providers (PISPs) and AISPs, which rely on screen scraping to access customer accounts and then deliver services to those customers.

Last week a group of 65 European fintech companies and associations sent a manifesto to the Commission, asking it to consider amending certain aspects of the current draft of the RTS for PSD2, particularly with regard to allowing the practice of screen scraping. For more detail read: European fintechs ask EC to amend PSD2 technical standards

Some say that the banks are concerned about losing their control over access to customer data and therefore losing their direct relationship and interface with the customer. But the EBF says that such services allow third parties to gain access to their customers' bank accounts by impersonating the customer, using their access credentials. The EBF has produced this video explaining its concerns:

What is screen scraping?

http://www.ebf.eu/what-is-screen-scraping/


CTMfile take: Do you see advantages to allowing third-party providers to gain access to customer bank account data? Or do you think there are security problems associated with the practice of screen scraping? Let us know in the comments below.



Comments

By MW on 17th May 2017:

I believe the video by the EBF puts it right to the point.
AISPs (and even more critical PISPs) currently require their customers to give them their bank access data and the access to the bank account happens without identifying who is actually acting. Which is also why the customer themselves would (and should) be liable for any wrongdoing / abuse by the AISP or PISP.
While it is debatable in general whether PSPs really should be forced to make their systems accessible for AISPs or PISPs (without remuneration!), if one comes to the conclusion that this is wanted (and the European authorities obviously decided this way), then at least a secure method (the APIs required by the PSD2) must be used which clearly identifies all parties involved.
