EBF statement on EU Commission position on EBA RTS for PSD2

Published 02.06.2017

EBF underlines importance of privacy and security under the second EU Payment Services Directive (PSD2).

In the context of the PSD2, the EBF would like to underline that banks in the European Union fully support the creation of an efficient and effective EU ecosystem of interoperable interfaces for secure and reliable communication via the banks’ infrastructure between third-party payment service providers, known as TPPs, and clients.

Customers expect banks to protect their personal data. Data protection is at the core of trust in financial institutions. That is why the EBF, taking note of the European Commission’s response to the European Banking Authority (EBA) on its regulatory and technical standards for strong customer authentication under PSD2, would like to reiterate its concerns over the consequences of the amendment proposed by the European Commission.

Even though TPPs would have to identify themselves towards banks, they would still have access, at a minimum, to all the balances of all the accounts held by clients when clients pay on the internet through the existing practice known as ‘screen scraping’. The privacy of client data, cybersecurity and innovation are all at risk if ‘screen scraping’ is allowed to continue once PSD2 enters into force next year. Clients must be able to choose which account data they want to share with payment service providers and which not. When a TPP accesses consumer accounts via ‘screen scraping’ services, even when it identifies itself to a bank, consumers are still not able to limit this TPP's access to their account information, which endangers the privacy of their data.

Banks instead favour an EU ecosystem for third-party access to consumer account data that is secure, reliable and interoperable, either through introducing Application Programming Interfaces, or APIs, or by upgrading existing bank interfaces. Only in this way can TPP access be limited to the data for which the consumer has given explicit consent. Such new and innovative financial technology would ensure compliance with the EU’s new privacy requirements under the General Data Protection Regulation (GDPR), which enters into force in May 2018. Banks in several EU Member States have already developed sector-wide APIs for third-party access to client accounts.

The author of this article is solely responsible for the content published.


Association des Banques et Banquiers, Luxembourg

