The condition of the banks' APIs, a bit more than thirty days before the transition to open banking, is not ideal. Banks are worried, providers of API connections are worried, and their clients are worried too. However, if you analyze the scenarios that can play out after September 14, you reach only one conclusion: clients have no reason to be concerned.
According to the scenario planned by the European Commission (adopted in the PSD2 Directive), on September 14 banks are required to provide APIs that allow licensed TPPs to access customer accounts or make payments on their behalf. This mechanism enables the provision of services based on financial data.
The strength of the mechanism is simple and has already been described many times as one of the effects of open banking implementation. In the case of AIS (Account Information Services), the customer confirms consent to access the account data by logging into their bank account, with all the security standards required by the Directive. The TPP then collects data from the account through the API connection. No access credentials are shared, so there is no room for doubt about security. It is a fast, efficient, easy-to-use process for accessing financial data.
However, there is a factor that can stand in the way of the smooth provision of services based on the acquired data: the quality of banking APIs. If there are interruptions in operation, technical problems or, in extreme cases, the API is not available at all, the quality of services will suffer, and clients' trust and the whole idea of open banking may be undermined. But there is a way to be protected against this eventuality: a fallback mechanism comes to the rescue.
The fallback mechanism is an emergency exit that can be used when the banking API is unavailable. It consists of enabling direct access to the account via a technology already known on the market: screen scraping.
Of course, screen scraping (a solution that allows the customer's accounts to be viewed after logging directly into their account) is a technology that still arouses reluctance; it has always been controversial on security grounds. Why does this technology appear in the PSD2 Directive, one of whose main goals is to increase the safety of users? Because the PSD2 Directive fully regulates the use of this technology.
How is this possible? After September 14, by law, every entity using screen scraping must use a certificate to authenticate itself to the bank. So after September 14 we have a fully regulated path and, most importantly, the user experience cannot be disturbed.
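How a TPP client might prefer the dedicated API and take the fallback path only while identifying itself with a certificate, as an added illustration that is not code from the article or any real TPP; the transports, the consent identifier and the certificate placeholder are assumptions:

```python
# Added example, not code from the article or any real TPP: a minimal
# account-information client that prefers the dedicated PSD2 API and uses
# the customer-interface (screen scraping) fallback only while identifying
# the TPP with its certificate. Transports and certificate are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Optional


class ApiUnavailable(Exception):
    """Raised by the API transport on outage, timeout or maintenance."""


@dataclass
class AisClient:
    # Hypothetical placeholder for the TPP's eIDAS certificate (assumption);
    # None models a TPP that cannot identify itself to the bank.
    tpp_certificate: Optional[str]
    api_fetch: Callable[[str], dict]            # dedicated API transport
    fallback_fetch: Callable[[str, str], dict]  # customer interface + cert
    audit: list = field(default_factory=list)   # which path served each call

    def fetch_accounts(self, consent_id: str) -> dict:
        """Serve the request via the API, else via the identified fallback."""
        try:
            data = self.api_fetch(consent_id)
            self.audit.append(("api", consent_id))
            return data
        except ApiUnavailable as exc:
            self.audit.append(("api_unavailable", str(exc)))
        if not self.tpp_certificate:
            # Unidentified screen scraping is exactly what the regulated path
            # excludes: refuse rather than silently degrade.
            raise PermissionError("fallback requires TPP certificate")
        data = self.fallback_fetch(consent_id, self.tpp_certificate)
        self.audit.append(("fallback", consent_id))
        return data


# Constructed transports standing in for real bank endpoints.
def healthy_api(consent_id: str) -> dict:
    return {"consent": consent_id, "accounts": ["ACC-1"], "via": "api"}

def broken_api(consent_id: str) -> dict:
    raise ApiUnavailable("503 from dedicated interface")

def customer_interface(consent_id: str, cert: str) -> dict:
    if not cert:
        raise PermissionError("bank rejects unidentified access")
    return {"consent": consent_id, "accounts": ["ACC-1"], "via": "fallback"}
```

The audit list records which path served each request, which is what a provider needs in order to show that continuity was preserved and that every fallback call was identified.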
The scenario in which services based on AIS data stop working has no chance of becoming reality, and business customers using banking APIs should not worry about it: they have their API service providers to handle this. PSD2 is a huge opportunity, and problems with the API are merely implementation details for banks and suppliers, which should not have the least impact on the client's business. Regardless of the scenario used to access financial data, and regardless of the condition of the API, continuity of services should be ensured, and their quality will depend on the quality of services provided by the TPP and its readiness for both connection via API and the fallback mechanism.