1 juni 2018
Access to payment account information seems the land of milk and honey. Imagine what a company could do with such information. The revised EU Payment Services Directive (PSD2) regulates account information services and providers of such services, the account information service providers or AISPs. But when do you qualify as an AISP?
What's new under PSD2?
PSD2 caters for the possibility of third party service providers having access to payment accounts held at other payment service providers, the so-called 'account servicing payment service providers' (ASPSPs, basically banks). In this regard, PSD2 makes a distinction between two types of services: payment initiation services and account information services.
Differences between payment initiation services and account information services?
A 'payment initiation service' (PIS) is a service to initiate a payment order with respect to a payment account held at another payment service provider. An ‘account information service’ (AIS) is an online service to provide consolidated information on one or more payment accounts with either another payment service provider or with more than one payment service provider.
Does a contract need to be in place in order to have account-access?
ASPSPs are - in principle - obliged to provide access to providers of PIS or AIS provided that the relevant payment accounts are accessible online and the third party service provider is duly authorised. Banks may not require contracts with the third party service provider in order to have account-access.
Which services are in scope of PSD2?
Parties who offer account information services may do so for (i) the account holder, (ii) for commercial purposes of the service provider itself and/or (iii) for commercial purposes of third parties. It is however questionable whether the last two forms of services fall within the scope of PSD2.
The definition of AIS does not, in itself, say anything about the recipient of the 'consolidated information'. On that basis, the recipient could therefore also be a third party. However, recital 28 PSD2 and the press release issued by the European Commission (EC) when the PSD2 was adopted seem to point in another direction.
Recital 28 PSD2 links AIS to information that the account holder can obtain himself. It explains AIS as services that provide the payment service user with aggregated online information on one or more payment accounts held with one or more other payment service providers and accessed via online interfaces of the account servicing payment service provider. The payment service user is thus able to have an overall view of its financial situation immediately at any given moment. According to recital 28 PSD, those services should also be covered by PSD2 in order to provide consumers with adequate protection for their payment and account data as well as legal certainty about the status of AISPs.
In the press release, the EC says the following about AIS (question 19):
Account information services allow consumers and businesses to have a global view on their financial situation, for instance, by enabling consumers to consolidate the different current accounts they may have with one or more banks and to categorise their spending according to different typologies (food, energy, rent, leisure, etc.), thus helping them with budgeting and financial planning.
This all could mean that an AISP may only provide the consolidated account information to the account holder and not use it for other (commercial) purposes. If the competent financial regulator concludes that an AISP has a different business model, it could be that the registration as an AISP be denied.
The UK financial regulator, the FCA, opted for a broader interpretation. In its document Our Approach, the FCA mentions the following examples. See Our Approach, p. 16:
- businesses that provide users with an electronic "dashboard" where they can view information from various payment accounts in a single place;
- businesses that use account data to provide users with personalised comparison services supported by the presentation of account information;
- businesses that, on a user's instruction, provide information from the user's various payment accounts to both the user and third party service providers such as financial advisors or credit reference agencies;
If my understanding of the position of the German financial regulator, BaFIN, is correct then BaFIN has the broadest interpretation. According to BaFin, it does not seem to matter who the recipient of the consolidated information is. With regard to paragraph 1(34) of the German Payment Act, in which AIS is defined, BaFIN notes shortly (translated) that services are included regardless of who the addressee of the communication is.
The scope of AIS thus raises a number of questions. The first question is whether there is also AIS within the meaning of the PSD2 if account information is provided to third parties. If this is not the case, I would not exclude that an ASPSP or bank would try to argue that it does not have to offer mandatory access. The reason is that a payment service user only the right to use the services of an AISP for the services listed in point 8 of the annex to the PSD2, namely AIS. For other types of services, this right does not exist. This scenario could e.g. happen if a German authorized AISP would try to obtain payment information from a UK payment account. If in the UK, the services of the German AISP would not qualify as AIS, I could imagine that the relevant UK bank might explore whether it may deny 'free access'.
Suppose that a broad(er) explanation is correct, the second question is whether the (consolidated) information must always be provided to the account holder as well. The FCA seems to be taking this as a starting point. The advantage of this approach is that the account holder can always check for himself what information is provided to the third party. Moreover, it excludes all kinds of information services in which the account holder has ever given his explicit consent for a certain period of time (the AISP could access the account for 90 days without any action required of the account holder), but after that no longer has any insight into the information provided by the AISP to third parties (whether or not on a regular basis).
Who checks the AISP-services?
A follow-up question is who should then check the services provided by an AISP. In the first instance, this will be the financial regulator that will be responsible for the registration of the AISP. The financial regulator will have to determine whether, in view of the services it provides or intends to provide, the company in question is eligible for registration as an AISP. If this hurdle is taken, then it could be the case exclude that ASPSPs will still be able to assess whether or not they should offer mandatory access to an AISP. When it is reasonably established that the information services are not AIS according to the views of the local supervisory authority, it could be that the local ASPSP has good arguments to allow access only on the basis of an agreement.
If a service provider uses the account information for its own (commercial) purposes (e.g. credit rating for lenders) or if the service provider sells the information to third parties, a local supervisory authority might decide that these services are not covered by the PSD2. This means that the service provider in question may not be eligible for registration as an AISP under PSD2.
Where there is local difference in the interpretation of AIS, ASPSPs, such as banks, may possibly be allowed to refuse access to payment accounts to AISPs that are authorized in a Member State where the interpretation of AIS is broader than in the home Member State of the ASPSP.
Event: 7 June 2018
Round Table: The Fintech and Payments Revolution of PSD2: RU Ready?
PSD2 - the European Revised Payment Services Directive – is there to revolutionize the payments industry. How do you prepare for it and will you take advantage of the possibilities? And also, how is the Dutch PSD2 implementation progressing?Lees meer