Marten Nelson, Co-Founder and CMO, Token
Let’s work backwards. Most banks know that the final deadline to comply with PSD2’s Regulatory Technical Standards (RTS) on strong customer authentication and secure communication is 14 September 2019, eleven months away.
Following the amendments to the RTS (made after industry consultation and lobbying from third party providers), however, banks face another deadline that is much sooner and far less talked about: 14 March 2019.
By then, banks must have their ‘dedicated interface’ (open API) ready for testing by PISPs and AISPs. Under Article 33 of the RTS, a bank that cannot meet the conditions for an exemption (set out in Article 33.6, which presuppose a dedicated interface that TPPs have been able to test and use) must instead provide a ‘contingency mechanism’. For most banks that will mean formalising, and maintaining, their web-based online or mobile customer interface as a channel for TPP screen scraping.
This route has negative implications for banks. But because most third parties think that screen scraping will make their lives easier, TPPs tend not to talk about the downsides.
To begin with, screen scraping poses a significant security risk: it requires customers to hand their own online banking credentials to third parties. Those credentials are not scoped to what the TPP needs, and a customer cannot revoke one TPP’s access without changing the password they use with their bank. If a TPP is breached, the attacker obtains full online or mobile banking access for every customer who used that TPP.
Secondly, maintaining two (or more) interfaces drastically increases costs for the bank; each interface requires strict and ongoing monitoring and reporting to the local competent authority. For tier two banks, challenger banks and foreign banks in the UK, all of which are resource-stretched, this compounds an RTS compliance burden that already includes delivering strong customer authentication (SCA), managing exemptions, identifying and managing TPPs, developing the testing sandbox and creating documentation.
Overall, it makes by far the most sense for banks to focus on supporting one secure, RTS-compliant open API, especially when time is such a factor: there really isn’t much of it available before March next year.
As is so often the case, partnership holds the key. Dedicated, specialist third parties have already built platforms that address these issues by providing a single API overlay and full developer support for TPP connections and testing. Crucially for smaller banks, such providers (Token among them) claim to lower total cost of ownership by 70% compared with in-house development, and to implement in 90 days.
Screen scraping and other interface shortcuts are not in the interests of banks, or their customers. Banks don’t need to allow their systems and operations to be compromised simply because a regulatory deadline is looming.