'Screen scraping' ban under PSD2 on security grounds, EBA confirms

Screen scraping involves the use of software to automatically collect information from websites and systems. In the payments market, some payment initiation service providers (PISPs) and account information service providers (AISPs) rely on screen scraping as a means of accessing customer accounts so as to deliver services to those customers.

Earlier this week, however, EBA chair   Andrea Enria confirmed that screen scraping would be prohibited under new regulatory technical standards (RTS) the EBA would issue on strong customer authentication under the revised Payment Services Directive (PSD2). The EBA has now published the final standards on strong customer authentication (153-page / 1.33MB PDF) which confirms the ban on screen scraping and the reasons for it.

"The EBA interprets the security requirements under PSD2 as meaning that the TPPs (third party providers) will no longer be able to screen scrape," the EBA said. "The EBA understands screen scraping as a way for the PISP to access the customer’s online account by pretending to be that customer, often using advanced robot technology. The EBA disagrees with the suggestion of some of the respondents that not allowing screen scraping would be against the principle of non-discrimination."

The security requirements under PSD2 include measures to ensure that the flow of data between account servicing PSPs (ASPSPs) and PISPs or AISPs is not subject to unauthorised access and to ensure customer authentication details are confidential.

To ensure that the ban on screen scraping does not restrict rights of access to payment account information by PISPs and AISPs, the EBA said ASPSPs will be required, to "ensure that the TPPs can access the information, and in particular the information they need to make a payment".

Under the final RTS, the PSPs will be obliged to put in place at least one communication interface through which PISPs and AISPs are able to access payment account information in line with their rights under PSD2.

The PSPs can facilitate the third party access through the same interfaces they use for engaging with customers, or through a separate "dedicated interface".

The EBA has revised its draft RTS to require that "the dedicated interface offers the same level of availability and performance, including support, as well as the same level of contingency measures, as the interface made available to the payment service user for directly accessing its payment account online".

It said the new requirements would further address concerns about the impact the ban on screen scraping might have on third party rights of access to payment account information held by ASPSPs.

Payments and technology law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said that the shift away from screen scraping will be subject to time pressures in the UK as a result of Treasury proposals.

According to the Treasury plans for implementation of PSD2, the RTS on strong customer authentication would not be binding until 18 months after they have been finalised by the European Commission. However, the Treasury said that, account servicing PSPs "will be expected to provide access ... in line with the draft RTS wherever possible" from January 2018.

The EBA's final RTS are intended to provide greater detail on provisions contained with PSD2 which generally require PSPs to apply "strong customer authentication" where organisations or consumers try to access their payment accounts online, initiate an electronic payment transaction or "carries out any action through a remote channel which may imply a risk of payment fraud or other abuses".

According to the Directive, strong customer authentication is a mechanism that requires payment account holders wishing to access their accounts or make a payment to provide information that allows their identity to be verified and which is built on two or more independent factors. Those elements are something the account holder knows, something they possess or something inherent in them.

Previously, the EBA said that PSPs would not be able to rely on "behavioural data" as a means of authentication. However, it has changed its stance on that point in its final RTS "to ensure technology- and business-model neutrality".

As a result, the RTS "does not exclude [behavioural] data from being considered as an inherence element", it said.

Among the other changes in the EBA's final RTS is an amendment to one of the exceptions to strong customer authentication rules that the EBA had listed in its draft proposals. The EBA had proposed that the strong customer authentication protocols should apply to all remote payment transactions valued at over €10, subject to limited exceptions. However, that threshold has now been set at €30 in the final standards.

The EBA's RTS on strong customer authentication will now be submitted to the European Commission. The Commission has the power to adopt the new standards. The standards, if endorsed, would come into force 20 days after it is published in the Official Journal of the EU, but would not apply until 18 months after that date.

PSD2 was finalised by EU law makers in late 2015 and came into force in early 2016. The Directive needs to be implemented into national laws across the EU by 13 January 2018.