PSD2: Another voice against screen scraping…and delays to final SCA RTS

Last week the Fast IDentity Online Alliance (FIDO), an international industry consortium for online authentication, published their letter to the European Council opposing the inclusion of a fall-back option for TPP access in the EBA RTS on strong customer authentication under PSD2.  The fall-back option, which was suggested by the European Commission in May, would allow TPPs to access ASPSPs' customer interfaces where the dedicated interfaces provided by the ASPSPs are not performing as required by the RTS.  Screen scraping, as it is often called, has been a point of contention between the EBA and the Commission, and with no clear answer on the horizon the Commission has recently announced that publication of its final position on the RTS will be delayed until early November 2017.

FIDO's letter firmly supports the EBA's position that the RTS should not allow for the continued use of screen scraping by TPPs.  However, FIDO accepts that a transition period may be required to allow some ASPSPs more time to establish their PSD2 compliant dedicated interfaces.

There are three key reasons why FIDO recommends that screen scraping should be kept out of the RTS:


1. Screen scraping undermines SCA

Allowing TPPs to access data via single-factor user-facing interfaces rather than APIs is not, according to FIDO, compatible with PSD2's aim to support strong customer authentication.  FIDO claims that passwords are easy to exploit through, for example, phishing attacks, whereas APIs that use SCA based on global standards such as OAuth 2.0 and OpenID Connect, coupled with device-based multi-factor authentication, provide a much more secure system for customers.


2. Increased risks for consumers through conflicting advice

Recommending that customers share their passwords with TPPs may imply that sharing passwords in general with third parties is secure and normal. Customers may become more susceptible to phishing attacks or TPP databases may be hacked. In addition, government and industry advice has consistently maintained that customers should never share their passwords, and any exceptions to this policy would contradict and undermine the clear message.


3. Screen scraping prevents implementation of multi-factor authentication and Transaction Risk Analysis

Multi-factor authentication that involves a component that cannot be shared with a TPP is not compatible with screen scraping.  Passwords that change every minute or security credentials that are bound to a customer's device cannot be shared with TPPs, and so, according to FIDO, this security element would have to be switched off for TPPs to be able to use customer credentials.  Screen scraping also undermines Transaction Risk Analysis solutions that look at specific data points produced by a customer's device to evaluate whether the security credentials have been stolen.  When TPPs access a customer's account via the customer's credentials, they create login events that are not actually coming from the customer and may make Transaction Risk Analysis more difficult.

In practice, while APIs undoubtedly offer a more secure means of access, many of FIDO's concerns are already addressed by PSD2.  For example, even if a TPP were permitted to access via screen scraping, it would still need to use SCA in order to do so and those elements would not need to be switched off.  In addition, the TPP would be under regulatory obligations in relation to the credentials and data that it receives.


A transition period for screen scraping?

FIDO recognises that there are concerns that ASPSPs will not be able to provide compliant API-based interfaces in time for PSD2.  If, having assessed the readiness of ASPSPs, the Commission thinks that compliant APIs will not be available on time, the screen scraping fall-back option could be deployed. However, FIDO strongly recommends that this should be addressed through a policy exemption to the RTS that would allow screen scraping for a limited period (FIDO suggests 6-12 months) following the entry into force of the RTS. In FIDO's opinion, the fall-back option should not form part of the RTS because to do so would be to 'dilute its message, undermine the intent of PSD2 and its requirements for SCA, and place consumers at increased risk'.

Unfortunately for banks and TPPs alike, the question of whether or not screen scraping will be allowed under PSD2, and if so to what extent, remains unresolved until the Commission reveals its final position on the RTS (hopefully in November).

For an overview of the respective positions of the European Commission and the EBA on the screen scraping issue, take a look at our blog post 'PSD2: EBA rejects Commission's SCA RTS amendments and screen scraping debate continues…'.
