As the European Commission and the European Banking Authority consider the issue of screen scraping in the Payment Services Directive 2 (PSD2) regulations, the FIDO Alliance is arguing against the practice.
Screen scraping refers to the practice of allowing third parties to access users’ bank accounts by logging in with the users’ own username and password credentials. The EBA had sought to ban the practice in its Regulatory Technical Standard on Strong Consumer Authentication, but after resistance from certain FinTech firms — which in turn blame some banks for not being ready to embrace enhanced security methods — the EC is now asking the EBA to allow it as a fallback option.
In an open letter to the European Parliament and the European Commission, FIDO Alliance Executive Director Brett McDowell laid out the Alliance’s concerns in detail, and then more bluntly, asserting, “we do not see any way in which the approach requested by the EC… can be implemented to the level of enhanced security called for in PSD2.” McDowell added, “Sharing passwords is simply a bad practice from a security perspective.”
FIDO’s proposed solution is essentially to give banks more time to comply with the new regulations, rather than building a screen scraping provision directly into the Regulatory Technical Standard itself. In the meantime, a growing number of tech companies offer sophisticated security solutions such as multimodal biometric authentication to firms seeking to comply with PSD2, so banks have plenty of options besides screen scraping.