The EU reform of the payment services sector is now entering the last straightaway. One of the key changes launched by adoption of the revised Payment Services Directive (PSD2) was introduction of new types of payment services which require access to the user’s payment account using a type of interface defined in the regulations. The duties connected with such access rest on the providers operating the accounts, which have a choice between creating a dedicated “application programming interface” (API) or upgrading their existing user interface system. Both solutions are to a certain extent linked with the earlier known and controversial method of screen scraping.

Screen scraping is automated harvesting by a computer program of data presented in visual form, usually not adapted for machine reading. The data obtained in this way may derive from various sources, such as websites displayed by a browser, computer programs, or mobile applications.

Before entry into force of PSD2, this method was largely used by payment service providers to give users information about their account balances at various banks in order to expedite the process of evaluating their credit capacity. But delivery of these services required the providers to obtain access to information about users’ payment accounts. Anyone who sought to use such services thus had to provide login data to their bank account to an entirely alien entity, which would then enter the system and obtain the information by pretending to be the user.

Screen scraping thus essentially enabled payment service providers other than the user’s bank to obtain access to any data in the possession of the bank involving the specific customer. For example, these providers could determine the user’s exact earnings, his spending history, and indirectly even his purchasing preferences and life situation. This could lead to infringements of personal data, unwanted profiling, and threats associated with the cybersecurity of the payment service providers’ IT systems. Primarily for these reasons, the screen scraping method has been found by the Polish Financial Supervision Authority (KNF) to be highly risky, or even illegal (e.g. KNF communiqué on the risk from providing another bank with login data to a bank account and Recommendation on the security of payment transactions). (A similar position on the dangers of screen scraping has been consistently presented by the European Banking Federation.)

Consequently, the overwhelming majority of banks and other institutions in Poland operating payment accounts attempted to block the use of this method. This directly impacted the operations of many entities from the FinTech sector, which could no longer provide payment services based on screen scraping.

The situation changed with adoption of PSD2, which sets forth rules regulating the delivery of services requiring access to the user’s account. To this end, the directive introduced new types of payment services: payment initiation services, account information services, and the service of confirmation of the availability of funds in a payment account. The directive requires “account servicing payment service providers” (such as banks) to ensure access and prepare an interface for providers of these new payment services.