Would a ban on screen scraping stifle financial innovation?
PSDII. Five little characters that represent a world of opportunity – or a world of threat, depending on your perspective. Acclaimed as a piece of regulation that could revolutionise how consumers interact with financial services, one of the key opportunities offered by PSDII is around account aggregation. Customers with multiple accounts will be able to access them all in one place, with a single login, and – theoretically – benefit from offers tailored towards their needs based on a wide understanding of their financial behaviours and product ownership.
Account aggregation isn’t new. Providers such as Money Dashboard and OnTrees have been playing in this space for years, letting customers link all their online banking accounts to a single platform where users can view categorisation and analysis of their overall spending habits, and – it’s hoped – use this insight to make better financial decisions.
In recent months, more players have entered the aggregation game – Facebook Messenger-based chatbot Cleo and Moven’s (new to the UK) mobile app, to name but a couple. Their platforms may differ, but one thing all the aggregators mentioned have in common is this: you have to give them your various bank account login details so they can ‘scrape’ your balance and transaction details from each account – a methodology often dubbed ‘screen scraping’.
At a time when financial fraudsters often innovate as fast as security experts can respond, and the threat of cyber-attacks on your bank account is all too real, for many the idea of giving financial login details to a third party will feel at best uncomfortable, at worst a no-go. And the concerns are understandable, when most bank terms and conditions warn customers that if they willingly disclose their account details to anyone, they are likely to be left exposed in the event of fraud on their account.
How real is the risk of screen scraping?
But is this method of gaining access to users’ accounts really as risky as it might appear? Experts differ. In February, the European Banking Authority (EBA) confirmed that screen scraping data from banks and other financial organisations would be banned as part of the rules around strong customer authentication that will come into force as part of PSDII (though its standards must be endorsed by the European Commission before they can come into force). And, speaking at a techUK event attended by Mapa Research on PSD2 Authentication…the rumours, facts, challenges and solutions, Tom Hay – Head of Payments at Icon Solutions – said that screen scraping opens the possibility of social engineering attacks such as phishing.
Ralf Ohlhausen, Business Development Director at payments platform PPRO Financial Ltd, disagrees – his view is that sharing login details with reputable financial services companies is ‘perfectly secure’, provided that there is a strong regulator in place. He argues: ‘Such companies are regularly audited and must, by law, take all necessary technical, legal, and procedural steps to protect consumer data.’
APIs: a workable alternative to screen scraping?
The rules on PSDII will also require that banks and other financial organisations must facilitate ‘open banking’ by allowing other financial providers to access customer data – with the customer’s permission – through the use of APIs. If done well, access via APIs should streamline the process of gaining access to customer accounts, and will negate the need for customers to share login details.
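The security difference the article turns on is easiest to see side by side. The following is an added illustration, not code from the article or from any bank or aggregator: a toy bank that exposes both access paths. Under screen scraping the third party stores and replays the customer’s real password, so it inherits every right a logged-in customer has, including payments. Under consent-based API access the customer authenticates to the bank, approves a grant limited to named scopes and a lifetime, and the third party only ever holds an opaque token that the customer can revoke. All names, scope strings and account data are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed sample data for the demonstration; none of it comes from the article.
CUSTOMER = "alice"
PASSWORD = "constructed-sample-password"
ACCOUNTS = {"alice": {"current": 1250.00, "savings": 8400.00}}

READ = "accounts:read"     # hypothetical scope names
PAY = "payments:write"


@dataclass
class Consent:
    customer: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class Session:
    """What a third party holds after gaining access, with the rights it was given."""

    def __init__(self, customer, scopes):
        self.customer = customer
        self.scopes = scopes

    def balances(self):
        if READ not in self.scopes:
            raise PermissionError("consent does not cover account reads")
        return dict(ACCOUNTS[self.customer])

    def make_payment(self, from_account, amount):
        if PAY not in self.scopes:
            raise PermissionError("consent does not cover payments")
        ACCOUNTS[self.customer][from_account] -= amount
        return ACCOUNTS[self.customer][from_account]


class Bank:
    def __init__(self):
        self._consents = {}

    # Path 1: screen scraping. The aggregator stores the customer's real login
    # and replays it, so it gets everything a logged-in customer can do.
    def login(self, customer, password):
        if customer != CUSTOMER or not secrets.compare_digest(password, PASSWORD):
            raise PermissionError("bad credentials")
        return Session(customer, frozenset({READ, PAY}))

    # Path 2: consent-based API. The customer approves a grant limited to named
    # scopes and a lifetime; the third party holds only the opaque token.
    def grant_consent(self, customer, scopes, ttl_seconds):
        token = secrets.token_urlsafe(32)
        self._consents[token] = Consent(customer, frozenset(scopes),
                                        time.time() + ttl_seconds)
        return token

    def revoke(self, token):
        self._consents[token].revoked = True

    def session_from_token(self, token, now=None):
        consent = self._consents.get(token)
        now = time.time() if now is None else now
        if consent is None or consent.revoked or now >= consent.expires_at:
            raise PermissionError("token unknown, revoked or expired")
        return Session(consent.customer, consent.scopes)


def demo():
    """Exercise both paths and report which actions each one permits."""
    bank = Bank()
    scraped = bank.login(CUSTOMER, PASSWORD)          # aggregator holds the password
    scraper_can_pay = PAY in scraped.scopes

    token = bank.grant_consent(CUSTOMER, {READ}, ttl_seconds=3600)
    api = bank.session_from_token(token)              # aggregator holds only the token
    balances = api.balances()
    try:
        api.make_payment("current", 10.0)
        api_can_pay = True
    except PermissionError:
        api_can_pay = False

    bank.revoke(token)                                # customer withdraws consent
    try:
        bank.session_from_token(token)
        usable_after_revoke = True
    except PermissionError:
        usable_after_revoke = False

    return {"scraper_can_pay": scraper_can_pay, "api_can_pay": api_can_pay,
            "usable_after_revoke": usable_after_revoke, "balances": balances}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the read-only token returning balances but refusing a payment, and becoming useless once revoked, while the scraped session can do anything the customer can. In a real deployment the token issuance would be an OAuth-style redirect through the bank’s own login (this toy skips that step), but the properties to look for are the same: no shared password, least-privilege scopes, an expiry, and customer-side revocation.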
And for Tom Hay, APIs are by far the preferred solution – he believes they offer a far more secure way for third parties to get access to customers’ bank account data than screen scraping.
But, Ohlhausen argues, is it really in banks’ interests to create high quality APIs that will only support their competition? Or is there a risk that, if left in the hands of banks, API developments could ‘lag behind changes to the way [a bank’s] accounts are structured or the way its online banking works.’ His view is that prohibiting the alternative – screen scraping – will stifle innovation.
PSDII should be seen as an opportunity, not a threat
Mapa analysts hope not. In our recent insight report on Personal Financial Management (PFM), Mapa expert Chris Ward notes that: ‘in facilitating third party services the legislation also presents a massive opportunity for incumbents to broaden their capacity to engage new customers.’ In other words, forward-thinking banks will see the potential in the rules requiring them to open up their APIs, rather than viewing them as a threat, and look to succeed either by partnering with third parties or by developing high quality aggregation services themselves.
From a consumer perspective, the key expectations will be access to user-friendly and genuinely useful account aggregation services, combined with reassurances that they will be protected if something goes wrong. As long as these are in place, few will pay much attention to how the back-end works.
The onus will be on banks and on regulators to ensure that the burgeoning marketplace for innovation in account aggregation is stimulated, not stifled, by rules around PSDII.