Screen Scraping

Both TPPs and FIs have choices during their implementation of PSD2.  Depending on circumstances, an FI may have to support both an API route and a screen-scraping route for TPPs to access the FI’s core banking services.  Konsentus enables the FIs to carry out essential checks against the TPPs’ regulated status in both circumstances.

The TPP must identify itself to the FI, using the same identification that it would use via the API.

Screen-scraping services will not use eIDAS certificates, meaning the FI will not be able to automatically verify the identity of the TPP.  This presents a problem to the FI and a potential risk.

The required strong customer authentication will enable the FI to validate the account holder’s intention, but will not validate the regulatory status of the TPP.

Konsentus will receive (from the FI) the identity supplied by the TPP.

The Konsentus platform provides the following services:

  • Verify the TPP’s regulated status, every time the TPP accesses the PSU’s account data, against the EBA Electronic Central Register repository and National Competent Authority daily bulletins.
  • Verify the TPP against the FI’s relevant scheme (e.g. UK Open Banking, STET etc.) to determine the TPP’s status, where appropriate.
  • Issue a secure access token to the TPP, via the FI, for access to the PSU’s account(s) once verification and checking are satisfactorily completed.
  • Verify that the access token presented to access the PSU’s account is valid and holds the correct “explicit consents” granted by the PSU.
  • Check the PSU has not revoked the TPP’s access through the FI’s online banking application.
  • Reissue access tokens to TPPs when existing tokens have expired.
  • Return the results to the FI.

Screen scraping is allowed, but…

  1. Screen scraping may be the primary interface – TPPs may wish to utilise screen scraping or FIs may want to avoid investing in an API. However, the TPP must identify themselves:

The regulations require TPPs to identify themselves to FIs when carrying out screen scraping, and they must do so using the exact same identification mechanism as the one requested for a dedicated API interface (as noted in Article 30.1(a)).

  2. Screen scraping may be used as the fall-back mechanism – An FI has to provide a contingency route in the event that the FI’s API is unavailable. However, the FI does not have to provide a screen scraping route:

The RTS states (Article 30.5) that for a financial institution to be exempted from having to provide a contingency mechanism (such as allowing the web-based online interface for screen scraping), the dedicated interface (API) must be available for testing by TPPs (AISPs and PISPs) no later than six months before the RTS live date of September 14, 2019.