I wouldn’t claim to be an expert in this area but while we’re waiting to see whether Monzo has a response to this, here are my thoughts.
The issue that these FinTech start-ups are complaining about is proposed changes to the regulations which would prevent them from doing screen scrapes of banks’ websites.
In the complaint that’s quoted in Chris’ blog, they say that
Direct Access is a secure technology that has been used for the last 15 years by both European Fintechs and Banks to provide AIS and PIS services to millions of consumers. With several hundreds of millions of successfully initiated payment and aggregation services provided, there hasn’t been, until this day, one single documented incident of data fraud or compromise of personal credentials.
but it doesn’t seem like a huge stretch to imagine that a 3rd party storing & using a customer’s credentials, in order to log into their bank’s online banking account on their behalf, may not be the most secure way to handle access to their data.
It’s certainly very different from one of the examples of a use of screen scraping that they mention
Online travel: Search and provision of travel options from multiple different providers through one interface
which is accessing public data.
On the other hand, the introduction of the Open Banking Standard which Monzo are fans of (or at least, they were back in Feb 2016), should enable aggregators to access customers’ data from banks’ APIs through a secure protocol like OAuth2.
Chris points out that the banks probably won’t make access to customers’ data easy. And obviously this data would be formatted differently & there would be work involved in retrieving it so I assume that the cost & time implications are a significant motivation for this complaint. But in my - not so expert - opinion, using OAuth2 seems like a more secure approach & I can’t see why aggregators wouldn’t be able to pull the data from the APIs instead.
Monzo aren’t screen scraping customers’ data from their legacy banks’ bank accounts & as far as I know, they haven’t mentioned that they have any plans to aggregate their legacy bank data. But if they did, I expect they’d retrieve it from these new open APIs - rather than screen scraping - so I don’t see any reason why they’d be bothered by the changes that’re being proposed for this regulation.
Since Monzo’s API will be open anyway, I wouldn’t have thought that PSD2 will cause major issues either.
But I could be overlooking something here. What’re your thoughts on this?