Account Information Services Providers (AISPs) are subject to an extra layer of special regulation from the FCA, which means a company can use a bank's APIs rather than simply screen scraping.
All banks must provide their APIs by September 2019, and the UK’s nine biggest banks and building societies – the CMA9 – must have their APIs ready to go by April 2018. Meanwhile, until an API is available for AISP third parties, banks must allow screen-scraping by ‘grandfathered’ third parties only.
And since APIs currently apply only to current accounts at the CMA9, AISP-regulated third parties are allowed to screen scrape other data, for accounts such as loans, mortgages, credit cards or savings accounts, with the same level of security and coverage, in the unlikely event that things go wrong, as if the third party were using an API. This means that, no matter what, your bank is still responsible for your money and accounts in the highly unlikely event that things go wrong with Lumio, as the FCA has given us AISP permissions.
Bear in mind, too, that not everyone who applies to be AISP regulated gets approved. Third parties need to have strict internal and external security procedures and frameworks in place, and to meet the very latest customer authentication models. For instance, at Lumio we had to provide extensive detail of our security protocols, such as our compliance with ISO-27001 information security procedures, and our use of the OAuth 2.0 and OpenID Connect standards to enable token-based authorisation for all our internal services, ensuring that we don’t rely on perimeter security alone. These are just two examples of the lengths required to have a realistic opportunity of gaining AISP regulatory approval. Some third parties in the market today that are screen-scraping accounts have already been rejected, and the FCA has said it only expects to see 15-20 AISP-regulated companies in the UK.