Excursus – Why the EBA’s revised RTS on the XS2A interface might not be the best trade-off for the market
What EBA’s revised RTS stipulate with regard to the XS2A interface vs. screen scraping
With regard to the interface to be offered by banks under the PSD2, the revised Regulatory Technical Standards (RTS) stipulate the following:
- Banks are obliged to offer at least one interface for Third Party Providers (TPPs) to fulfill the right to XS2A (Access to Accounts).
- This means offering either a dedicated interface for TPPs or providing access – in a PSD2 compliant way – to the interface used for identification and communication with the banks’ payment services users (what the EBA understands as direct access).
- The EBA derives from the PSD2 that the existing practice of screen scraping will no longer be allowed once the RTS apply (i.e. November 2018 at the earliest).
- After this period, TPPs can respond to an insufficient XS2A interface by bringing it to the attention of national authorities and by using alternative options to be provided by banks.
Is this the best possible trade-off between the PSD2 goals?
At first sight, this solution seems like an appropriate trade-off between the competing interests at hand. However, there might be unwelcome consequences that the EBA did not foresee.
Understandably enough, banks welcome the EBA’s clarification in that regard. They have to be compliant with their communication obligations, i.e. have to check whether only regulated TPPs are using their XS2A interface. An obligation for TPPs to use an interface under the control of the bank also means a better positioning for incumbents when it comes to the management of certain premium access services which are not covered by the XS2A right. However, as a consequence, banks have to fulfill quite a number of – in parts now stricter – requirements for the dedicated interface. This includes its availability, performance, support as well as contingency, monitoring and reporting measures. Banks will have to offer testing facilities. Moreover, they will have to provide and describe alternative options that TPPs may make use of during an unplanned downtime of a dedicated interface. The pressure on banks has hence simultaneously increased. They have to build up compliant XS2A interfaces and meanwhile recognise and implement their own business opportunities until the RTS apply.
It must be stressed: TPPs also prefer the usage of smart interfaces rather than depending on cost-intensive and less reliable screen scraping techniques. API infrastructures are more secure, provide better performance and increase technical and business management opportunities. However, new TPPs, which were to be promoted by the PSD2 in order to foster innovation, now must to a large extent rely on the banks’ speed, open banking mindset and API strategies for the contingency and performance of their own fintech business models. After their formative experiences during the developments around PSD2, they are worried that banks as of late 2018 might use the RTS rules to impede and even kill what are nowadays still “PSD2-grandfathered” or other successful business models.
These concerns by the fintech industry especially refer to all use cases for open banking beyond the PSD2 scope. The EBA – as its mandate only covers payment accounts – ignores the potential downside of its decision on the overall open banking market. While conversely the EBA cannot ban screen scraping for products other than payment accounts, there is a more obvious regulatory loophole now. Examples would be new technologies based on XS2Brokerage or access to credit accounts. As access for these products is not yet protected by EU laws, a specific anti-level playing field and anti-innovation development might be a consequence of the EBA’s partial screen scraping ban. For the wrong reasons, national legislators might take the EBA’s step as a cause to (initially or further on) forbid screen scraping in a banking context in general. So without any balancing rules on a European level to protect existing and successful business models, fintech companies would only be able to rely on banks’ initiatives to offer premium access beyond PSD2. Consequently, banks could use any national bans to block their further API-services for TPPs and solely make them available for their own products. If so, any use cases which are not covered by PSD2 and rely on screen scraping today could then be killed or significantly hampered on national level. This could also have a disturbing effect on consumers – in particular, but not limited to, German users. They already highly appreciate established services beyond PSD2.
Even if APIs are the future, screen scraping has been a practice with enormous innovation capacity. Without it, the new payment initiation and account information services that PSD2 covers would not exist. It might have been smarter of the EBA to remain silent in that regard and rather stress that PSD2 does not prevent market participants from making bilateral agreements and obtaining explicit customer consent on premium access to banking data beyond PSD2 limitations. The urgently needed and slowly growing cooperation between banking incumbents and the fintech industry would have been actively supported by the authority. This would have been a sustainable contribution to other EU objectives (see e.g. EC’s green paper on retail financial services), including the provision of a legally watertight basis for further open banking innovation and general economic growth for Europe. As a positive side effect, a clear statement in that regard would have eventually overridden any non-constructive discussions about principles of the PSD2-scope that are no longer questionable after PSD2 entered into force in 2016.
Why this doesn’t matter – at least eventually
In the end though, if screen scraping is forbidden in single EU countries or banks use the RTS to build walls instead of smart API-bridges, I expect a much slower and more demanding process for all parties involved, but eventually still the same result for the overall open banking market. From a consumer perspective (considering their given data sovereignty and their future right to data portability coming in May 2018 with the General Data Protection Regulation) as well as from a competition law perspective, there is no reasonable ground for a legal discrimination of non-payment accounts. And all banks planning to decide what is best for their clients should bear in mind that the consumers define the market and will choose the smart banking services that appeal to them, especially in times of ingenious account change services. So let’s all take the shortcut for the benefit of all parties involved.