From 14.09.2019 third-party providers (in particular payment initiation service providers (PISPs) and account information service providers (AISPs)) will no longer be allowed to access customer interfaces using screen scraping as previously allowed, but instead will only be allowed to gain such access via interfaces that conform with PSD II, the Austrian Financial Market Authority (FMA) has announced.
PSD II defines two possible options for access by third-party providers:
Either the bank provides a separate (“dedicated”) interface for third-party providers, or it continues to permit access using the customer interface that has been adapted to conform to PSD II.
If a dedicated interface is established, it must be ensured as part of the contingency mechanism that third-party providers are able to access the normal customer interface in the event that the dedicated interface is not working.
Banks may however apply for an exemption from having to make this contingency mechanism available. The FMA will make a decision about such applications.
During the course of the evaluation of the applications as well as the complaints submitted by third-party providers it has emerged that deficiencies currently exist in implementation of dedicated interfaces, with the consequence that the legal requirements are not yet able to be fulfilled completely.
To date, the FMA has therefore not been able to approve an exemption of the provision of the contingency mechanism.
Since doubts also currently exist regarding the functioning of the contingency mechanism, in the interests of a seamless functioning of payment transactions shall continue to approve the access methods hitherto used by third-party providers until all technical difficulties for the banks have been duly rectified. The FMA therefore assumes that all existing problems will be promptly remedied, and that thereafter third-party providers will only use interfaces that conform to PSD II.
„For more than a week now, ScoreRise enrolls daily hundreds of users through an innovative facial recognition interface. Enrollment takes less than a minute and it does not require presence of a human operator or video recording. And, of course, it stays fully GDPR compliant with help from Reff & Associates and Deloitte Romania.”