The latest twist in the ongoing row between banks and fintech companies over the future of customer data sharing under the revised Payment Services Directive (PSD2) comes courtesy of the European Banking Authority, which has rejected a proposed amendment to the rules from the European Commission that would have allowed for the continuation of screen scraping. Writing in response to the European Commission’s (EC) intention to amend the EBA’s draft Regulatory Technical Standards (RTS) the EBA voices its distaste for the political meddling.
“The EBA…is of the view that the suggested changes would negatively impact the fine trade-off previously found by the EBA in achieving the various competing objectives of the PSD2,” the oversight body writes.
The EBA published its final draft report in February 2017, following 18 months of intensive policy development work and consultation with the different payment market players. Having overcome previous industry objections to the implementation of over-onerous customer authentication standards, the published RTS also dropped an unexpected bomb shell in a commitment to outlaw screen scraping in favour of bank-led access to client data under APIs.
The suggestion caused an outcry among mature fintech startups, who have lobbied hard for a reversal of the decision, claiming that the reforms will provide banks with the means to control what data is shared, putting new entrants at a disadvantage.
The European Commission subsequently intervened on their behalf, asking the EBA not to ban screen scraping outright but to hold it in reverse as a back-up mechanism should bank interfaces fail to function properly.
This has led to a strong push back from banks, who claim that the amendments take no account of the burden of compliance and would jeopardise the privacy of client data, cybersecurity and innovation.
In response, the EBA has come down firmly on the side of the banks: “The EBA is of the view that imposing such a fallback requirement would go beyond the legal mandate given to the EBA under Article 97 PSD2. The EBA is also sceptical about the extent to which the proposed amendment would achieve the desired objectives and efficiently address market concerns. Indeed, the EBA has identified a number of risks that would arise were PSPs to implement the Commission’s proposal.”
Instead, the rule-marker has suggested a compromise entailing more rigorous checks and balances on bank APIs alongside a set of minimum performance and availability standards that would release compliant banks from the burden of providing a screen-scraping fall back.
“It is now for the EU Commission to make the final decision on the text of the RTS and to adopt the standards as a delegated Act in the Official Journal of the EU,” says the EBA. “During the adoption process, the EU Council and EU Parliament have a scrutiny right. Once the RTS have been published in the Official Journal, they will enter into force the following day and will apply 18 months after that date.”