As Pinsent Masons report in their briefing, the FCA has given businesses scope to continue relying on ‘screen scraping’ for providing payment services for six months longer than previously anticipated.
Newtech.law asked and explored the legal question: can a user’s account be accessed through screen scraping?
As the term suggests, screen scraping achieves data integration through a simulated login, with a third party signing in using the user’s own credentials and then reading data from the web interface as if it were that user. It is far from ideal, especially from a security perspective, hence the move to address the situation.
Strong Customer Authentication
While an enhanced version of screen scraping, ‘Screenscraping+’ (SS+), has been proposed, the recommendation is instead to adopt ‘SCA’: Strong Customer Authentication.
The official term for SS+ is a ‘Modified Customer Interface’. The Co-operative’s Smile Bank explain their implementation in this guide. The WSBI explore the challenge in this blog, highlighting the call for a ‘fall back’ option to SS+.
As the FCA states:
From 14 September 2019, new rules apply that affect the way banks or other payment services providers check that the person requesting access to their account or trying to make a payment is the person permitted to make a payment and validate specific payment instructions.
They have delayed the roll-out of the requirement because many businesses, such as e-commerce sites, will find the transition challenging. At the FCA’s request, UK Finance has developed a detailed roll-out plan.
In his Finextra blog, Dmitrii Barbasura, CEO of Salt Edge (which provides an SCA solution), explains the technical details of how these requirements can be met, describing a scenario of ‘TPP identification via non-dedicated PSD2 interfaces’ and walking through the mechanics of certificate exchange between client and server:
For the transition to a full SCA approach, organizations such as the FIDO Alliance have taken an active role in helping European regulators and API design groups understand how standards-based, modern authentication can be used to deprecate today’s screen scraping practices while enabling a timely and secure migration to the open banking API model. As they explain in this Paypers article:
New and improved methods of authentication are now available through open industry standards from the FIDO Alliance and W3C. Collectively known as FIDO Authentication, this innovative technology leverages on-device user verification such as the biometric capabilities on our mobile phones and combines this with interoperable protocols for strong cryptographic authentication.
Biometrics is a compelling proposition for banks and other financial services companies, due to their ability to perform without dependency on the user remembering or sharing a password, greatly enhancing customer security while improving the user’s authentication experience.
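To make concrete what “on-device user verification combined with strong cryptographic authentication” buys over screen scraping, here is a small Go model of a FIDO-style challenge/response. It is an added example, not code from the FIDO Alliance, the W3C, or any bank: the relying-party id bank.example, the user name alice, and the SHA-256(rpID || challenge) message layout are assumptions (real WebAuthn signs authenticatorData plus a hash of clientDataJSON). The device keeps the private key and the bank stores only the public key and a single-use random challenge, so there is no password for a third party to collect and reuse, and both a replayed response and a response from an unenrolled device are rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// rpID is mixed into every signature so a response for one site cannot be replayed against another ("bank.example" is constructed).
const rpID = "bank.example"

// Authenticator models the user's device; the private key is generated here and never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: k}
}

// Sign runs after on-device user verification (biometric or PIN), assumed here to have just succeeded.
func (a *Authenticator) Sign(challenge []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(challenge))
	if err != nil {
		panic(err)
	}
	return sig
}

// signedDigest is the message both sides agree on: SHA-256(rpID || challenge). Real
// WebAuthn signs authenticatorData plus a hash of clientDataJSON; this layout is an assumption.
func signedDigest(challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Server is the relying party (the bank): public keys plus one outstanding, single-use challenge per user.
type Server struct {
	keys       map[string]*ecdsa.PublicKey
	challenges map[string]string // raw challenge bytes kept as a string value
}

func NewServer() *Server {
	return &Server{keys: map[string]*ecdsa.PublicKey{}, challenges: map[string]string{}}
}

// Register stores the user's public key at enrolment.
func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.keys[user] = pub }

// BeginAuth issues a fresh 32-byte random challenge for a known user.
func (s *Server) BeginAuth(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = string(c)
	return c, nil
}

// FinishAuth accepts a response only if its challenge is the one outstanding (then consumed) and the signature verifies.
func (s *Server) FinishAuth(user string, challenge, sig []byte) error {
	expected, ok := s.challenges[user]
	if !ok || expected != string(challenge) {
		return errors.New("challenge not outstanding: stale or replayed response")
	}
	delete(s.challenges, user) // single use, so the same response cannot be replayed
	if !ecdsa.VerifyASN1(s.keys[user], signedDigest(challenge), sig) {
		return errors.New("signature does not verify against enrolled key")
	}
	return nil
}

// RunScenario enrols one device, authenticates once, then shows that a replay and an unenrolled device are both rejected.
func RunScenario() (firstOK, replayRejected, wrongKeyRejected bool) {
	device, srv := NewAuthenticator(), NewServer()
	srv.Register("alice", &device.priv.PublicKey) // "alice" is a constructed user
	ch, _ := srv.BeginAuth("alice")
	sig := device.Sign(ch)
	firstOK = srv.FinishAuth("alice", ch, sig) == nil
	replayRejected = srv.FinishAuth("alice", ch, sig) != nil
	ch2, _ := srv.BeginAuth("alice")
	wrongKeyRejected = srv.FinishAuth("alice", ch2, NewAuthenticator().Sign(ch2)) != nil
	return
}

func main() {
	a, b, c := RunScenario()
	fmt.Println("first auth ok:", a, "| replay rejected:", b, "| unenrolled key rejected:", c)
}
```

Running it prints three true values. The points worth carrying into a real deployment are that the challenge is consumed before the signature is checked, so a captured response is worthless a second time, and that the relying-party id is bound into the signed digest, so a response obtained for one site does not verify at another.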
User Management System
Open Banking Europe offer this detailed paper, which defines a complete implementation strategy for Account Servicing Payment Services Providers (ASPSPs) to provide secure and controlled Access to Accounts (XS2A) Services to those Third Party Providers (TPPs) who want to offer the new Payment Services available in Europe under PSD2, covering Internet Security, Controlled Access and TPP Onboarding.
In particular, it suggests a User Management System:
A User Management System (UMS) contains six important capabilities:
1. Generates an identity for specific TPPs and issues unique access credentials.
2. Assigns Access Rights to resources/scopes for each TPP by issuing further area-specific access credentials.
3. Retains a record of previously issued TPP access credentials.
4. Checks against the issued TPP access credentials record when a TPP returns, enabling authorised access.
5. Monitors/logs all TPP activity, including timestamps, areas accessed, and actions taken by the TPP for their own account.
6. Manages the access credentials and rights of a TPP, such as changes or removal.
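The six capabilities map directly onto a small access-control service. The following Go sketch is an added example, not code from the Open Banking Europe paper or from any ASPSP; the scope names (accounts:read, payments:write), the tpp- identifier prefix, and the hex credential format are constructed. Credentials are stored only as SHA-256 hashes and compared in constant time, and every authorisation attempt, allowed or denied, is appended to the audit log, so capability 5 covers failed access as well as successful access.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"time"
)

// Scope names an area of the ASPSP API, e.g. "accounts:read" (scope names are constructed here).
type Scope string

type tppRecord struct {
	IDHash      [32]byte           // hash of the identity credential (capability 1); the secret is not kept
	ScopeHashes map[Scope][32]byte // hash of each area-specific credential (capability 2)
	Revoked     bool               // set by Revoke (capability 6)
}

type AuditEntry struct { // one line of the TPP activity log (capability 5)
	When    time.Time
	TPP     string
	Scope   Scope
	Action  string
	Allowed bool
}

type UMS struct { // record of issued credentials (capability 3) plus the audit log
	tpps  map[string]*tppRecord
	audit []AuditEntry
}

func NewUMS() *UMS { return &UMS{tpps: map[string]*tppRecord{}} }

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func hashOf(secret string) [32]byte { return sha256.Sum256([]byte(secret)) }

// matches compares a presented credential with a stored hash in constant time.
func matches(cred string, want [32]byte) bool {
	got := hashOf(cred)
	return subtle.ConstantTimeCompare(got[:], want[:]) == 1
}

// Register generates a TPP identity and its unique credential (capability 1); only the hash is stored.
func (u *UMS) Register() (id, credential string) {
	id, credential = "tpp-"+randomHex(4), randomHex(32)
	u.tpps[id] = &tppRecord{IDHash: hashOf(credential), ScopeHashes: map[Scope][32]byte{}}
	return id, credential
}

// Grant assigns rights to one scope by issuing an area-specific credential (capability 2); re-granting rotates it.
func (u *UMS) Grant(id string, s Scope) (string, error) {
	rec, ok := u.tpps[id]
	if !ok || rec.Revoked {
		return "", errors.New("unknown or revoked TPP")
	}
	credential := randomHex(32)
	rec.ScopeHashes[s] = hashOf(credential)
	return credential, nil
}

// Authorize checks a returning TPP's identity and area credentials (capability 4) and logs the attempt either way (capability 5).
func (u *UMS) Authorize(id, identityCred, areaCred string, s Scope, action string) bool {
	allowed := false
	if rec, ok := u.tpps[id]; ok && !rec.Revoked && matches(identityCred, rec.IDHash) {
		if want, granted := rec.ScopeHashes[s]; granted {
			allowed = matches(areaCred, want)
		}
	}
	u.audit = append(u.audit, AuditEntry{When: time.Now(), TPP: id, Scope: s, Action: action, Allowed: allowed})
	return allowed
}

// Revoke removes the given scopes' rights, or with none given disables the TPP while keeping its record (capability 6).
func (u *UMS) Revoke(id string, scopes ...Scope) error {
	rec, ok := u.tpps[id]
	if !ok {
		return errors.New("unknown TPP")
	}
	if len(scopes) == 0 {
		rec.Revoked = true
	}
	for _, s := range scopes {
		delete(rec.ScopeHashes, s)
	}
	return nil
}

// AuditLog returns a copy of the activity log for review or export.
func (u *UMS) AuditLog() []AuditEntry { return append([]AuditEntry(nil), u.audit...) }
```

Exercise it from a main or a Go test: Register returns the identity and its credential, Grant returns one area credential per scope, and Authorize requires both, so a credential issued for accounts:read cannot be presented for payments:write. Revoke with scope arguments removes individual rights; Revoke with none disables the TPP but keeps its record, which is what capability 3 asks for.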
Clearly these requirements will put considerable pressure on the industry, but ultimately they will drive a race to the top: a superior Open Banking product and much more rigorous security for users, greatly boosting end users’ perception of how trustworthy the practices are.
Visionary and ambitious pioneers can even leap ahead of the curve by embracing the cutting edge of identity authentication systems, notably ‘Self-Sovereign Identity’, aka Open Banking 3.0.