PSD2: What you need to know about Screen Scraping and APIs
Written by Yapily · February 28th, 2020
A PSD2 deadline is fast approaching. While it is focused on making payments safer and more secure throughout Europe, it has also raised questions about data access and the impact it has on consumers and businesses.
Here we explain the background and the different approaches to data access.
1. Why do companies want to access my bank data?
Banks are trusted holders of personal customer information. As more service providers enter the market, they need access to bank data in order to offer the most affordable, efficient and bespoke financial products and services.
Consumers and businesses use these services every day, often via smartphone apps, granting access to their bank data in return for services that make their lives easier. Some examples are:
- Payments — one-click shopping experiences, splitting bills with friends;
- Money management — spending tracker, round ups, automated invoicing;
- Loan advice — calculate real-time affordability, mortgage decisions.
2. How do third party providers access my bank data?
You give permission for a third party to access your data, often through an app or website. They let you select your bank and, after a few steps, the provider accesses your data using one of two approaches: Screen Scraping or APIs.
3. What is the difference between Screen Scraping and APIs?
Screen Scraping is a data-access method that logs into your bank account using your personal banking username and password, as if the provider were you.
An Application Programming Interface (API) is your bank’s own dedicated interface that allows you to share data without sharing your bank credentials and, most importantly, allows you to control what data is shared and for how long.
4. How do I know if I’m giving permission to a Screen Scraper or an API-enabled provider?
This can be understood through how you are asked for bank data permission.
To enable data access via Screen Scraping, service providers will direct you to a screen that looks like your bank (but the domain name is different) and asks you to share your bank login details.
To enable data access via the bank's dedicated API, services need your "informed consent". You are told what level of data is requested before you are transferred to your bank's website to give permission. An API directs you through a secure journey on your bank's own website, and you are NOT asked to share your bank credentials with anyone.
5. How much control do I have over these access methods?
Screen Scraping gives unlimited access to your bank account. Using your login details, providers are able to access your data as often as they wish. Screen scraping can read and share information without you knowing, so you have little visibility into which companies hold access to your data.
Using APIs provides a much safer and more transparent way of accessing data. Your bank ensures that service providers can access only the information you decide to share, and only for the time period you set. You can discontinue or cancel permission via the bank's app or website, and you and your bank can control which services are allowed to access your data.
The European Commission mandates that banks create APIs and prohibits the use of Screen Scraping.
6. What about data security?
Unfortunately, screen scraping isn't a secure method for accessing data. In the event of a data breach, the only action available to you is to change your password. In the unfortunate event that this happens, use a strong password suggested by Google Password Generator.
With an API, by contrast, your consent allows the service provider to receive an access token. In case of a breach, you, your bank or your provider can revoke access and the token is instantly invalidated.
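As an added illustration (not Yapily's code, and not any real bank's API), here is a minimal model of the consent pattern described in sections 5 and 6: the bank issues an opaque token bound to user-chosen scopes and a user-chosen expiry, the provider never receives the user's login, and the user, bank or provider can revoke the token. Provider names, scope names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

@dataclass
class Consent:
    provider_id: str      # the vetted third party this consent was granted to
    scopes: frozenset     # which data it may read, chosen by the user
    expires_at: datetime  # when the consent lapses, also chosen by the user
    revoked: bool = False

class ConsentStore:
    """Bank-side registry of consents and tokens; the user's login is never stored here."""
    def __init__(self):
        self._by_token = {}

    def grant(self, provider_id, scopes, days, now):
        # The provider gets only this opaque token, never a username or password.
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Consent(provider_id, frozenset(scopes), now + timedelta(days=days))
        return token

    def revoke(self, token):
        # User, bank or provider can revoke; the token fails on its next use.
        if token in self._by_token:
            self._by_token[token].revoked = True

    def authorize(self, token, scope, now):
        """Return (allowed, reason) for one data request made with a token."""
        consent = self._by_token.get(token)
        if consent is None:
            return False, "unknown_token"
        if consent.revoked:
            return False, "revoked"
        if now >= consent.expires_at:
            return False, "expired"
        if scope not in consent.scopes:
            return False, "out_of_scope"
        return True, "ok"

def walkthrough():
    """Grant a 90-day read-only consent (constructed values) and exercise each check."""
    store = ConsentStore()
    t0 = datetime(2020, 2, 28)
    token = store.grant("budget-app", {"accounts", "balances"}, 90, t0)
    outcomes = [store.authorize(token, "balances", t0)[1],                       # ok
                store.authorize(token, "payments", t0)[1],                       # out_of_scope
                store.authorize(token, "balances", t0 + timedelta(days=91))[1]]  # expired
    store.revoke(token)
    return outcomes + [store.authorize(token, "balances", t0)[1]]              # revoked
```

Contrast this with screen scraping, where the provider holds the credentials themselves: there is no scope, no expiry and nothing to revoke short of changing the password.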
7. Are these data access methods regulated?
Screen Scraping is not a regulated solution, meaning anyone can launch this type of application to capture sensitive information. Accessing bank account information or initiating payments via an API are regulated activities, so the third party provider will have been vetted and confirmed as a legitimate company.
8. What triggered the data access debate?
There were concerns around data privacy, particularly around sensitive information. The European Commission mandates that banks create dedicated interfaces (APIs) and prohibits the use of the Screen Scraping technique. This is seconded by the FCA, the UK regulator, which believes that data sharing must happen over dedicated bank APIs and therefore should not require Screen Scraping by service providers.
Additionally, the General Data Protection Regulation (GDPR) states that sensitive data must be managed in a certain way, but once a consumer gives away bank credentials, the screen scraper has unlimited access to all of their banking data.
The goal of PSD2 is to empower innovation, in a secure way, to make financial services better and cheaper for everyone. We look forward to seeing positive steps towards a safer digital world!