PSD2 RTS on secure communication and screen scraping

Context: “On 23 February, the European Banking Authority (EBA) announced its intention to outlaw screen scraping in one of their Regulatory Technical Standards (RTS) complementing the revised Payment Services Directive (PSD2), set to come into force in January 2018.”

Can you please describe what screen scraping is?

Screen or web scraping is the simply technology of machine-reading websites, an omnipresent and indispensable technology for finding information on the internet, used for example for price-comparison websites, online portals and search-engines such as Google. It has nothing to do with using someone else’s identity and simply constitutes the technical fact of extracting information from websites.

Screen scraping has been controversial for a long, and recently the European Banking Authority (EBA) declared its intention to outlaw screen scraping. What are the most important arguments in favour of and against screen scraping? Is the technology of screen scraping really controversial?

I don’t think so. In fact, it is the term screen scraping that leads to emotional rather than substantive debates. The technology, instead, is widely used and extremely safe. SOFORT and other fintech companies as well as the bank-owned AIS solutions rely on screen scraping for more than 10 years and have an outstanding security record. Moreover, it is a crucial technology to foster innovation and competition in the financial services industry and beyond. It empowers consumers to easily and safely share their financial data with trustworthy third party payment services providers (TPPs).

So, saying that screen scraping was outlawed by PSD2 would mean that the omnipresent technology of reading websites would be prohibited by PSD2, which is not the case. EBA itself explicitly says in Art. 27(2) draft EBA RTS that using the online-banking websites constitutes one option to provide a PSD2-compliant interface – this is screen scraping, as the content of the online-banking websites would be read by the TPP software. Hence, talk of a screen scraping ban is nonsensical and misleading.

What EBA actually refers to is the fact that PSD2 obliges TPPs to identify themselves towards banks. They can no longer contact a bank server without properly identifying themselves, see Art. 66 (3d) PSD2, and hence must not pretend to be a customer. This is correct, but it has nothing to do with screen scraping, which remains legal (under PSD2 and in general). As long as a TPP identifies itself, it may legally use screen scraping and machine-read websites – which is exactly what EBA proposed in its Art. 27 (2) draft RTS.

How will a ban on screen scraping influence banks, third party providers, and fintechs?

From our point of view, to talk about a ban on screen scraping is nonsensical and misleading (see argumentation above]. Most of the innovation in the European fintech industry is based on this technology. Our interpretation is that screen scraping will be allowed in combination with identification. More problematic for us is that EBA tried to make a political decision, giving the choice to opt for a dedicated interface or allow the direct access to banks and thus establishes a gatekeeper function for banks.

How will the ban on screen scraping affect merchants and consumers in Europe?

Giving banks the gatekeeper role to limit the access to the bank account will have the following consequences.

- It will lead to a reduction of competitiveness in the retail banking sector as highlighted by the German Federal Cartel Office as well as the US Customer protection agencies
- It´s in direct contrast to GDPR law on free data portability
- And will also restrict further innovation to the benefit of a fragmented banking industry and to the detriment of consumers and merchants.

About Georg Schardt

Georg Schardt, Managing Director of SOFORT GmbH, joined SOFORT in 2009. Prior to this, he was member of the Board of Conrad Electronic SE from 2000 to 2009. In this role he was responsible for the mail-order and ecommerce business. Together with his colleagues he developed SOFORT to one of the leading e-payment solutions in Europe with more than 30.000 merchants in 13 countries.

About SOFORT

SOFORT, with its payment system SOFORT, SOFORT Paycode and the Online Verification System SOFORT Ident, offers innovative products to ensure a secure purchasing of goods and digital products on the Internet. The company based in Munich (Germany) is part of the Klarna Group, the leading European payment provider. With its product SOFORT the company is the market leader among the direct transfer systems in Germany. Over 36,000 ecommerce shops handle more than four million transactions with SOFORT per month. Besides Germany, the services are available in Austria, Belgium, Czech Republic, France, Hungary, Italy, the Netherlands, Poland, Spain, Slovakia, Switzerland and the UK.