Right now, hundreds of apps across the globe are asking for bank credentials so that consumers can quickly get a mortgage, make a travel budget across multiple bank accounts or pay a friend’s bar bill.
The apps are not bank owned and their request for bank logins makes the guardians of the assets feel about as calm as a novice tightrope walker.
In Europe, banks and fintechs are squabbling over the future of this specific method, known as screen scraping as the deadline for PSD2 (a revised Payments Services Directive) nears and the technicalities for data-sharing are still getting hammered out. The fight offers a window on what's in store as the U.S. catches up to the way data will likely be shared as consumer habits change.
The European Banking Federation argues that screen scraping must die under PSD2, which demands banks invest in more modern data-sharing methods, for the sake of security. Fintechs argue the practice, which they call direct access, must survive to keep banks’ control of data in check. Both sides see innovation imperiled if things don’t go their way.
The European Commission, which manages the day-to-day operations of the European Union, is essentially in the middle. It is urging the banking authority to let companies use screen scraping as a backup option to other methods, like application programming interfaces.
The decision, which is expected to hit within weeks and manifest in the PSD2 Regulatory Technical Standards, is nothing short of determining how digital banking will work in the future. Ultimately, the European Parliament has to accept or reject the recommendation to outlaw screen scraping that was proposed by the European Banking Authority earlier this year.
“It’s crunch time,” said Ralf Ohlhausen, business development director at PPRO Financial Ltd, an electronic payments company. “We have to fight this out and go one way or the other or compromise.”
In the U.S, the Consumer Financial Protection Bureau is evaluating the myriad issues associated with data-sharing, while a handful of U.S. banks are moving ahead on developing APIs with individual technology companies and the Center for Financial Services Innovation is studying the potential collateral damage one-off data deals could cause. Although the U.S. does not yet have a PSD2 equivalent, it could.
But regardless of regulation, the EU battle shines a spotlight on a universal bank question: should screen scraping endure for an industry bound — and perhaps overdue — for an API makeover? The answer, of course, depends on who you ask.
Screen scraping ups the risk for phishing attacks. The responsibility for such hacks is murky. The practice can make for an unstable experience for the consumer. And it takes a toll on bank servers. Using APIs to move data largely solves those issues.
In other words, banks have good reason for their calls to end screen scraping. Gareth Lodge, a senior analyst in Celent’s banking group, points out how banks can better guard the assets in an API model — an order required from another law, which has yet to take effect, in Europe: General Data Protection Regulation.
“It gets very murky, very quickly,” Lodge said. “APIs give much tighter control over flow of data. It doesn’t surprise me for this aspect alone on why wants would want to hold on screen scraping.”
However, relying solely on APIs gives banks a tremendous amount of power in deciding what data an app can pull. To some, that sets the stage for less competition and defeats the point of PSD2.
Ohlhausen said he’s not optimistic about the quality of API a bank would offer. A bank as the technological gatekeeper, as he put it is, like “the fox guarding the henhouse.”
If the E.U. outlaws screen scraping, he expects a PSD3 will hit to remedy the mistake on regulation designed to inspire competition.
If this sounds confusing and complex, you’re right. It is.
“It’s not one simple thing,” Lodge said.
And there is even more to it. Some countries already outlaw screen scraping. Some banks’ terms and conditions caution consumers they are on the hook if they pass out their bank credentials to outsiders. There are various motives at play. For instance, banks can charge vendors for using their APIs but vendors may struggle to build connections with individual banks if screen scraping does not endure.
What happens to innovation is a particularly interesting part of the debate.
Some believe the trade off of sacrificing screen scraping in order to motivate banks to embrace APIs is likely worth it. Many other industries, after all, already operate off of APIs while only a handful of banks have embraced the model that has the potential to produce better banking products.
“Banning screen scraping would force banks to do things they should have done 10 years ago,” said Lodge.
“In the short term, [innovation] might lose out,” he said, because outlawing screen scraping would render some fintech business models as they currently stand obsolete.
“Longer term, we should all benefit — including fintechs.”
The European Banking Federation, which asked the European Commission to preserve a proposed ban on screen scraping and released a video on it in recent weeks, also says outlawing the dated method would bode well for new development.
“The development of PSD2 can be compared to designing a new plane. You develop highly secure, innovative and sophisticated systems to make it fly,” Wim Mijs, the banking federation's CEO, said in a press release. “But what happens now, in the final development stages, is that the designers are required to put a heavy diesel generator on board. This plane then becomes too heavy to fly. If banks are forced to accept screen scraping, then PSD2 will never fly the way it was intended.”
Technologists, however, see this as a misplaced metaphor.
Brandon Dewitt, chief technology officer at MX, offers a different analogy: When hybrids and electric cars came out, the government did not ban gasoline vehicles.
“It won’t happen overnight by saying this is mandatory and that’s illegal,” Dewitt said. “In every innovation, there is transition period as trust gets established.”
Certainly, he is no fan of screen scraping as a technologist. “You would always want another means of getting at the data than screen scraping it,” Dewitt said.
But the fastest way to get rid of screen scraping is not to outlaw it, but for everyone to acknowledge the data belongs to the consumers and to offer something better.
Zach Perret, co-founder of Plaid, which builds APIs for banks and screen scrapes data, has his own analogy.
“Banning screen scraping is like banning mail because email exists,” Perret said.
In the U.S., Perret said, such a move would be a major disadvantage for the thousands of smaller and regional banks because relying solely on APIs would mean they would need to invest in newer technology.
That’s why U.S. banks ought to take the opportunity to learn from what is happening in Europe, observers say, because they may eventually need to seek answers to a very hard question with many shades of gray.
“The U.S. is in a fortunate position to see what works and what doesn’t,” Perret said.
Nevertheless, some industry observers are firm that the API bank model is inevitable.
“APIs power the digital world,” said Kristin Moyer, a research vice president and distinguished analyst at Gartner.