Sunday, July 09, 2017

Undemonizing Screen-Scraping (Or why Screen-Scraping matters)

Flickr Website: extreme macro picture of the white background of a website. By Paskal, under a Creative Commons license.



One of the most controversial questions about the implementation of PSD2 seems to be the question of Screen-Scraping. In fact, the European Banking Authority, the institution tasked by the PSD2 to build the Regulatory Technical Standards that make "Open Banking" possible, proposed the following working definition of screen-scraping: 

"a way for the PISP to access the customer’s online account by pretending to be that customer, often using advanced robot technology." 

Wow. What a telling assertion. It is phenomenal because it shows the inherent bias in the discussion about the viability of Screen-Scraping under PSD2. Some rabble-rousers might even suggest that this working definition proposed by the EBA confirms that the latter has paid too much attention to the market incumbents who have a vested interest in advancing a certain demonized notion of Screen-Scraping and very little attention to the innovators whose business models and interests are aligned with the openness ideals enshrined in the PSD2. It is the European Banking Authority after all, some have said.

So let's indulge the rabble-rousers and take a closer look at the definition proposed by the EBA and the issues that it brings about:

Firstly, it presents Screen-scraping as a technology that is only used by PISPs, seemingly oblivious to the fact that this technology is also particularly important to companies that engage in the business of Account Aggregation. As a matter of fact, the companies that the PSD2 has now come to baptize as AISPs have been using this kind of technology for their business for a long time, mainly because screen-scraping is not much more than the process of "collecting screen display data from one application and translating it so that another application can display it" (Techopedia). 

It is important to note that in the absence of the Bank APIs that have been heralded after PSD2, there were very few options for the companies who operated as Aggregators of Account Information but to collect human-readable screen display data, parse it and convert it into the format that was most useful to their clients. I am no expert in the technology, but even Wikipedia suggests that the technique can be as simple as "capturing the bitmap data from the screen and running it through an OCR engine", which sounds simple enough even for the uninitiated and has nothing to do with PISPs, because the notion of PISP is an artificial construct created in the policy discourse of the PSD2. In fact, I guess it is plausible to think of the notion of Payment Initiation Services as a name given to a particular activity carried out by certain companies like Sofort, or perhaps as a certain legal term to address a defining aspect of the business model of the Soforts of this world: the initiation of payments from a given end-user account held at a financial institution that is a third party to the institution initiating the payment.

The underlying problem is therefore that the EBA definition fails to account for the full complexity of the phenomenon it intends to regulate and betrays the principle of "Business-Model Neutrality" that is mandated by Article 98(2)(d) of the PSD2. In fact, it assumes that Screen-Scraping is constrained to one business model and (hopefully inadvertently) fails to see the importance of the technology for Account Aggregators that will soon become AISPs.

In my view, the narrow regulatory vision that this definition betrays should be enough grounds for the European Commission to reject the RTS as it stands, but I would argue that there are more and perhaps even more alarming reasons to do so and that the definition of Screen-Scraping proposed by the EBA makes them very apparent. 

In fact, the second issue with the definition is not only that it is flat-out wrong but also that it is suspiciously wrong. And I say that it is suspiciously wrong because the actual technique of Screen-Scraping is very different from what the EBA has proposed in its definition, and because this mismatch between the actual characteristics of the technology and the definition of the EBA is so patently obvious. It took me two clicks to get to this description of Screen-Scraping on Techopedia and two clicks to get to this other one on Wikipedia. Screen-Scraping is not really the most obscure of concepts; it doesn't take a panel of experts to get a basic grasp of it.

However, after a public consultation process that was full of expert commentary, the EBA has embraced the wrong definition, and not just a randomly wrong definition but a definition that very closely resembles the demonized picture that certain pundits and market incumbents have painted of Screen-Scraping. In particular, please note that the definition proposed by the EBA conflates a technique to capture and present data (screen-scraping) with the act of impersonating an account-holder or, to quote directly from the RTS, with the act of a PISP accessing a customer's online account "pretending to be that customer".

What a diabolically perfect definition that is. What a PR triumph. In reality, it is nothing but the preferred vision of the obdurate interests that managed to get a hold of public discourse and mislead public policy. No policy-maker in full possession of their faculties would vouch for an account access method that is based on impersonating account-holders.

It is not a secret that banks have been advancing this view of Screen-Scraping since they first saw it as a threat, and that they have done an extremely good job at cementing it in the public discourse as the pervasive portrait of Screen-Scraping. I have been so painfully aware of this effort for the past two years that whenever anyone in the Account Aggregation space asked me how to deal with the Screen-Scraping question I tended to suggest: please emphasize that you are an account aggregator and that screen-scraping is simply one way in which you can do the job that your clients have entrusted you to do.

Again, that is what Screen-Scraping really is: One of the many ways in which account-aggregation can be done. It is not (as the EBA suggests in its definition) an account access method that presupposes the impersonation of account-holders, so it is not far-fetched to say that the EBA has made an unacceptable exception to the principle of technological neutrality by deciding to reject this specific technology under a mischaracterization, that is, by attributing a specific abhorrent false characteristic to it. 

In the interest of intellectual honesty, it is important to say that many Account Aggregators-soon-to-be-AISPs have typically engaged in a practice that is very easy to mischaracterize as "impersonation". And this is where the PR battle was won by the banks from the very beginning. In fact, what many Account Aggregators and PISPs do is set up authentication interfaces that prompt account-holders for their personalized online banking credentials. These interfaces typically take the form of widgets into which the account-holder is effectively requested to type her online banking credentials.

Here is a good example from Sofort:

[Image of Sofort's credential-entry widget; not reproduced here.]

What happens after the account-holder has provided her authentication credentials is that a machine operated by the Account Aggregator or PISP logs in to the online banking infrastructure of the account-holder's bank (or e-money institution) on behalf of the account-holder and carries out certain actions that are expressly mandated (and consented to) by the account-holder. This is effectively how Sofort manages to initiate payments from accounts held at all major banks: by initiating the same process that goes on when an account-holder receives a TAN on her cellphone and types it into a web interface. For account aggregators, the risk profile of this particular process is greatly diminished by the fact that they do not initiate transactions but simply skim (scrape) the data presented for human reading in the online banking interface and convert it into the format instructed by the account-holder. (There is typically no need for the account-holder to type her TAN into the Account Aggregator's web interface.)

The issue that the bank PR savants seem to have exploited is that this exchange of credentials occurs by means of user interfaces located outside of the infrastructure and control of the banks, so they have insisted on portraying the process I described above as one in which a very dubious company induces very valuable bank customers to disclose their sacred credentials and then uses those credentials to impersonate said customers with the goal of initiating all kinds of risky transactions in their accounts.

Smart. Incredibly smart PR. But the PSD2 mandated the EBA to look beyond the PR discourse and bring about a set of regulatory technical standards that uphold all of the directive's beautiful ideals of openness while remaining both technologically and business-model neutral. Most importantly, the PSD2 has mandated the EBA to uphold a very important new right in the acquis, very eloquently phrased in Art. 67.1 of the directive: 

Member States shall ensure that a payment service user has the right to make use of services enabling access to payment account information as referred to in point (8) of Annex I. 

Under such a grandiose mandate, the least a European citizen can expect from the EBA is a thorough understanding of the phenomena and technologies that it intends to regulate. The least a European citizen can expect from the EBA is that it sees through the PR discourse and realizes that its working definition of Screen-Scraping conflates two distinctly separate technological phenomena: a technique used to collect and present data (screen-scraping) and an issue of secure authentication. An EBA that was free from the pressure of the obdurate PR cloud would have easily seen this difference and would not have flat-out prohibited a technique for collecting and presenting data by assimilating it to a certain authentication problem that is, by the way, arguably solved by having the banks build their own authentication APIs. This might be the interface the PSD2 actually needs for its successful implementation: a bank-side authentication API that allows account-holders to safely grant AISPs and PISPs access to their accounts without putting their credentials at unnecessary risk.
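To make that distinction concrete, here is an added example (not code from this post, from Sofort or from any bank's real API) of a constructed bank-side consent model: the account-holder authenticates only at the bank, which issues a signed token naming the third party and the scopes granted, so an AISP token can read account data but cannot initiate a payment. The TPP names, action names and scope strings are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed toy model, not any real bank's API and not the PSD2 RTS:
# the account-holder authenticates at the bank only, and third parties
# receive a signed consent token naming them and the scopes they were granted.
BANK_SECRET = secrets.token_bytes(32)          # never leaves the bank

SCOPE_FOR_ACTION = {                           # least privilege per role
    "read_account_data": "accounts:read",      # what an AISP needs
    "initiate_payment": "payments:initiate",   # what a PISP needs
}

def _sign(body: bytes) -> str:
    return hmac.new(BANK_SECRET, body, hashlib.sha256).hexdigest()

def issue_consent_token(account, tpp, scopes, ttl_s, now=None):
    """Bank side: called after the account-holder has logged in at the bank
    and approved exactly these scopes for this third party (TPP)."""
    now = time.time() if now is None else now
    body = json.dumps({"acct": account, "tpp": tpp, "scopes": sorted(scopes),
                       "exp": now + ttl_s}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def authorize(token, tpp, action, now=None):
    """Bank side: decide whether a TPP may perform an action with a token.
    Returns (allowed, reason); the account-holder's password is never seen."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64.encode())
    except ValueError:                         # covers binascii.Error too
        return False, "malformed token"
    if not hmac.compare_digest(_sign(body), sig):
        return False, "bad signature"
    claims = json.loads(body)
    if claims["exp"] <= now:
        return False, "consent expired"
    if claims["tpp"] != tpp:
        return False, "token was issued to a different TPP"
    needed = SCOPE_FOR_ACTION.get(action)
    if needed is None or needed not in claims["scopes"]:
        return False, f"scope for {action!r} not granted"
    return True, "ok"
```

Because the consent is scoped, time-limited and bound to one TPP, a leaked aggregator token cannot be turned into a payment and stops working when the consent lapses.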

But why go to such lengths? Why is it so important to preserve Screen-Scraping at least (as the European Commission has suggested) as a fall-back option? Well, I don't want to advance any conspiracy theories, but it is no coincidence that the ones whose interests are anchored in the past (please read: the banks) have gone to such extreme measures to demonize Screen-Scraping.

The reason they have done so is that Screen-Scraping is really the one technology that puts account-holders in a position to exercise almost unrestricted ownership of their banking data. In fact, this technology challenges like no other the unquestioned monopoly that the banks have over the data of their account-holders and most drastically opens the door for innovation and disruption.

If the banks get their way, they would prefer to be the ones building APIs that determine what data is available, how it is available and, most importantly, when and how fast it is available. They would prefer not to open the door for disruption, which is a stance that entails closing the door to screen-scraping. In a world where immediacy, convenience and ease of use are such important customer propositions, a poorly implemented or faulty bank API could result in tremendous business disruptions for AISPs and PISPs. Can you imagine what would happen to Sofort if it regularly started asking its end-users to wait a few minutes until the bank API responds before initiating a payment?

Well, the fact of the matter is that the banks have very little incentive to build the APIs that AISPs and PISPs need to provide great customer experiences. On the contrary, they have incentives to discourage their users from abandoning their technological ecosystem in favor of the payment services of third parties. So: why did the EBA decide to leave AISPs and PISPs at the mercy of the banks? Isn't its mandate to actually foster innovation?

The EBA's response to this line of questioning would induce a small seizure of joy in any libertarian thinker looking for easy vindication. Their response is a "four-fold alternative approach" that promises supervision and supervision and more supervision:

  • "a requirement for ASPSPs (please read this as banks) to define transparent key performance indicators and abide by at least the same service level targets as for the customer interface, regarding both the availability and the performance of the interface, as well as qualitative measures to assess whether or not they are doing so (Article 31(2));
  • a requirement for PSPs to monitor and publish their availability and performance data on a quarterly basis (Article 31(3));
  •  a requirement for ASPSPs to make the interfaces available for testing at least three months before the application date of the RTS (Articles 29(3) and 29(5)); and a review of the functioning of the interfaces as part of the review planned for 18 months after the application of the RTS under Article 36, to ensure information access and sharing is working as intended."
Don't get me wrong: all of that sounds very beautiful, but the libertarian that (unfortunately) we all carry within us is compelled to ask: How is this laser-focused supervision going to be carried out at the member state level and how do we ensure that all banks are effectively in the scope of same?

Unless the EBA provides a very good answer to those questions, it is safe to assume that their "four-fold alternative approach" is a perfect regulatory stance for Fantasia, a continent where regulators have unlimited resources and are so tech-savvy that they can review the functioning of the interfaces (the APIs) of all banks from Portugal to Bulgaria.

But wait, this is Europe, not Fantasia. In Europe, the banks have realized that they prefer not to give away their data so easily, and banking regulators are very busy keeping us safe from the next economic debacle. The idea that the EBA can live up to its role of ensuring that the banks play by the rules by carrying out increased oversight is a beautiful idea that we should put to the test before we embrace it at the risk of endangering the successful implementation of the PSD2.

It is therefore very important that the Fintech world applauds and stands by the decision of the European Commission to challenge the EBA's "Screen-Scraping ban".

Anyone committed to the future of fintech should echo the Commission's call to keep Screen-Scraping at least as a fall-back option. We need to make sure that we have some aces up our sleeve in case the banks decide to play too smart.

Disclaimer: The opinions expressed by the author in this post are strictly personal and do not reflect the official position of the Kreditech Group. Any law-suit threats, hate-mail or angry rebuttals in response to this text are ideally to be addressed to the author directly, in the comments. :)
