Both TPPs and FIs have choices during their implementation of PSD2. Depending on circumstances, an FI may have to support both an API route and a screen-scraping route for TPPs to access the FI’s core banking services. Konsentus enables the FIs to carry out essential checks against the TPPs’ regulated status in both circumstances.
The TPP must identify themselves to the FI and this must be the same as the TPP would use via the API.
Screen-scraping services will not use eIDAS certificates, meaning the FI will not be able to automatically verify the identity of the TPP. This presents a problem to the FI and a potential risk.
The required strong customer authentication will enable the FI to validate the account holder’s intention, but will not validate the regulatory status of the TPP.
Konsentus will receive (from the FI) the identity supplied by the TPP.
The Konsentus platform provides the following services:
Screen scraping is allowed, but…
The regulations impose a requirement that TPPs identify themselves to the FIs when carrying out screen scraping and they must do this by using the exact same identification mechanism, as the one requested for a dedicated API interface (as is noted in Article 30.1(a)).
The RTS states (Article 30.5) that for a financial institution to be exempted from having to provide a contingency mechanism (such as allowing the web-based online interface for screen scraping), the dedicated interface (API) must be available for testing by TPPs (AISPs and PISPs) no later than six months before the RTS live date of September 14, 2019.