The General Data Protection Regulation (GDPR) and Revised Payment Service Directive (PSD2) are two of the most important and most talked about technical legislative actions to arise in recent years. Both emanate from the European Commission, and both are aimed at consumer protection.
GDPR will bolster personal privacy for EU residents in a number of ways. The GDPR definition of personally identifiable information (PII) includes attributes that were not previously construed as PII, such as account names and email addresses. GDPR will require that data processors obtain clear, unambiguous consent from each user for each use of user data. In the PSD2 context, those data processors are banks and Third-Party Providers (TPPs). TPPs comprise Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). For more information, please see https://www.kuppingercole.com/report/lb72612.
Screen scraping has been in practice for many years, though it is widely known that this method is inherently insecure. In this context, screen scraping is used by TPPs to get access to customer data. Some FinTechs harvest usernames, email addresses, passwords, and account numbers in order to act on behalf of the users when interacting with banks and other FinTechs. This technique exposes users to additional risk: their credentials are more likely to be misused and are stored in more locations.
PSD2 will mandate the implementation of APIs by banks, providing a more regular and safer way for TPPs to get account information and initiate payments. This is a significant step forward in scalability and security. However, the PSD2 Regulatory Technical Standards (RTS) published earlier this year left a screen scraping loophole for financial organizations that have not yet modernized their computing infrastructure to allow more secure access via APIs. The European Banking Authority (EBA) now rejects the presence of this insecure loophole: https://www.finextra.com/newsarticle/30772/eba-rejects-commission-amendments-on-screen-scraping-under-psd2.
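The security difference between the two access models can be made concrete. The following is an added illustration, not code from the KuppingerCole post or from any bank or TPP: it models a TPP that screen-scrapes (and so must hold a replayable copy of the customer's bank password) beside a bank API that hands out per-consent tokens. The token design (bound to one TPP, one set of scopes and an expiry, revocable by the bank) is an assumption about how such APIs are typically built; the post itself names no protocol. All users, TPP names and credentials are constructed sample values.

```python
# Added example (not code from the KuppingerCole post): contrasts the
# credential-sharing model that screen scraping relies on with a
# consent-scoped access model of the kind PSD2 open banking APIs enable.
# Assumptions not stated in the post: the bank API issues per-consent
# tokens bound to one TPP, one set of scopes and an expiry, and can
# revoke them. User, TPP and credential values below are constructed.
from dataclasses import dataclass
import secrets
import time

# Actions a customer can perform when logged in directly at the bank.
FULL_CUSTOMER_RIGHTS = frozenset(
    {"read_balance", "read_transactions", "initiate_payment", "change_password"}
)


class ScrapingTPP:
    """A TPP that logs in as the customer. It must keep the real bank
    password in a form it can replay, so it cannot store only a hash."""

    def __init__(self):
        self.vault = {}  # user -> (bank_username, bank_password), plaintext

    def onboard(self, user, bank_username, bank_password):
        self.vault[user] = (bank_username, bank_password)

    def rights_held(self, user):
        # The bank sees an ordinary customer login, so the stored credential
        # carries every right the customer has, whatever the TPP's purpose.
        return FULL_CUSTOMER_RIGHTS if user in self.vault else frozenset()

    def exposure_if_breached(self):
        # Anyone who reads the vault holds reusable, full-rights bank logins.
        return {user: FULL_CUSTOMER_RIGHTS for user in self.vault}


@dataclass
class Consent:
    user: str
    tpp: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class BankAPI:
    """Bank side of an API model: access is a token tied to one consent."""

    def __init__(self):
        self._consents = {}  # token -> Consent

    def grant_consent(self, user, tpp, scopes, ttl_seconds, now=None):
        # One token per consented use, matching the per-use consent GDPR asks for.
        token = secrets.token_urlsafe(32)
        start = time.time() if now is None else now
        self._consents[token] = Consent(user, tpp, frozenset(scopes), start + ttl_seconds)
        return token

    def revoke(self, token):
        if token in self._consents:
            self._consents[token].revoked = True

    def authorize(self, token, tpp, action, now=None):
        """Return (allowed, reason) for one API call made with `token`."""
        c = self._consents.get(token)
        if c is None:
            return False, "unknown token"
        if c.revoked:
            return False, "consent revoked"
        if c.tpp != tpp:
            return False, "token bound to a different TPP"
        current = time.time() if now is None else now
        if current >= c.expires_at:
            return False, "consent expired"
        if action not in c.scopes:
            return False, "action outside consented scope"
        return True, "ok"

    def exposure_if_breached(self, tpp, now=None):
        # Tokens taken from a TPP are usable only for their scopes, only by
        # that TPP, only until expiry, and the bank can revoke them at once.
        current = time.time() if now is None else now
        out = {}
        for c in self._consents.values():
            if c.tpp == tpp and not c.revoked and current < c.expires_at:
                out[c.user] = out.get(c.user, frozenset()) | c.scopes
        return out


if __name__ == "__main__":
    scraper = ScrapingTPP()
    scraper.onboard("alice", "alice@examplebank", "hunter2")  # constructed values
    print("scraping TPP breached:", sorted(scraper.exposure_if_breached()["alice"]))

    bank = BankAPI()
    tok = bank.grant_consent("alice", "budget-app", {"read_balance"}, 3600, now=1000.0)
    print("API, out-of-scope call:", bank.authorize(tok, "budget-app", "initiate_payment", now=1500.0))
    print("API, TPP breached:", bank.exposure_if_breached("budget-app", now=1500.0))
    bank.revoke(tok)
    print("API, after revoke:", bank.authorize(tok, "budget-app", "read_balance", now=1500.0))
```

The point the two `exposure_if_breached` methods make is the one the post argues: in the scraping model the TPP's data store is, in effect, a second copy of the bank's credential database, and the bank cannot tell a TPP login from a customer login; in the API model a compromised TPP yields only scoped, expiring, bank-revocable tokens, and the bank can see and audit exactly which TPP acted under which consent.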
KuppingerCole believes that the persistence of the screen scraping exception is bad for security, and therefore ultimately bad for business. The proliferation of TPPs expected after PSD2 along with the attention drawn to this glaring weakness almost ensures that it will be exploited, and perhaps frequently.
Furthermore, screen scraping implies that customer PII is being collected and used by TPPs. This insecure practice, then, by definition goes against the spirit of consumer protection embodied in GDPR and PSD2. In addition, GDPR calls for the principle of Security by Design, and a screen scraping exemption would contravene that. TPPs can obtain consent for the use of consumer PII, or have it covered contractually, but such a workaround is unnecessary if TPPs utilize PSD2 open banking APIs. An exemption in a directive should not lead to potential violations of a regulation.