Conversations are ongoing between the European Commission (EC) and the European Banking Authority (EBA) around the Regulatory Technical Standard (RTS) for Strong Customer Authentication (SCA) under the Payment Services Directive 2 (PSD2), specifically with regards to “screen scraping”.
Screen scraping is the practice where third-party Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) access bank accounts on a client’s behalf using their username and password. The practice was prohibited in the EBA’s final draft RTS, however, following a strong push back from banks, the EC is now urging the EBA to allow companies to use screen scraping as a “fallback option”.
The FIDO Alliance* recently wrote to the EC setting out the key problems with endorsing screen scraping. It argued that any approach where consumers are asked to share their login details with another entity is fundamentally at odds with language in the PSD2 and that it ultimately places consumers at increased risk. The most secure and efficient way for consumers to authorise third parties to access bank accounts today is through the use of Application Programming Interfaces (APIs), authorised by means of unphishable strong customer authentication i.e. credentials based on public key cryptography as opposed to passwords, which are inherently vulnerable.
Brett McDowell, executive director of the FIDO Alliance*, has since made the following comments in a blog post on this topic.
“We do not see any way in which the screen scraping approach requested by the EC can be implemented to the level of enhanced security called for in PSD2. There are far more secure ways for consumers to delegate access to their bank accounts, involving APIs protected by strong customer authentication credentials. Based around proven global standards such as OAuth 2.0 and OpenID Connect (OIDC), these API-based solutions have the added benefit of providing not just better security but also better privacy – as they allow consumers to grant access to their bank accounts on a granular level, choosing to share some details but not others. When paired with FIDO standards for strong authentication, API-based solutions gain the benefits of device-based multi-factor authentication that is both safer and easy for consumers to use than typing codes into a form.”