Access to payment account information seems the land of milk and honey. Imagine what a company could do with such information. The revised EU Payment Services Directive (PSD2) regulates account information services and providers of such services, the account information service providers or AISPs. But when do you qualify as an AISP?
What's new under PSD2?
PSD2 caters for the possibility of third party service providers having access to payment accounts held at other payment service providers, the so-called 'account servicing payment service providers' (ASPSPs, basically banks). In this regard, PSD2 makes a distinction between two types of services: payment initiation services and account information services.
Differences between payment initiation services and account information services?
A 'payment initiation service' (PIS) is a service to initiate a payment order with respect to a payment account held at another payment service provider. An ‘account information service’ (AIS) is an online service to provide consolidated information on one or more payment accounts with either another payment service provider or with more than one payment service provider.
Does a contract need to be in place in order to have account-access?
ASPSPs are - in principle - obliged to provide access to providers of PIS or AIS provided that the relevant payment accounts are accessible online and the third party service provider is duly authorised. Banks may not require contracts with the third party service provider in order to have account-access.
Which services are in scope of PSD2?
Parties who offer account information services may do so for (i) the account holder, (ii) for commercial purposes of the service provider itself and/or (iii) for commercial purposes of third parties. It is however questionable whether the last two forms of services fall within the scope of PSD2.
The definition of AIS does not, in itself, say anything about the recipient of the 'consolidated information'. On that basis, the recipient could therefore also be a third party. However, recital 28 PSD2 and the press release issued by the European Commission (EC) when the PSD2 was adopted seem to point in another direction.
Recital 28 PSD2 links AIS to information that the account holder can obtain himself. It explains AIS as services that provide the payment service user with aggregated online information on one or more payment accounts held with one or more other payment service providers and accessed via online interfaces of the account servicing payment service provider. The payment service user is thus able to have an overall view of its financial situation immediately at any given moment. According to recital 28 PSD, those services should also be covered by PSD2 in order to provide consumers with adequate protection for their payment and account data as well as legal certainty about the status of AISPs.
In the press release, the EC says the following about AIS (question 19):
Account information services allow consumers and businesses to have a global view on their financial situation, for instance, by enabling consumers to consolidate the different current accounts they may have with one or more banks and to categorise their spending according to different typologies (food, energy, rent, leisure, etc.), thus helping them with budgeting and financial planning.
This all could mean that an AISP may only provide the consolidated account information to the account holder and not use it for other (commercial) purposes. If the competent financial regulator concludes that an AISP has a different business model, it could be that the registration as an AISP be denied.
The UK financial regulator, the FCA, opted for a broader interpretation. In its document Our Approach, the FCA mentions the following examples. See Our Approach, p. 16:
- businesses that provide users with an electronic "dashboard" where they can view information from various payment accounts in a single place;
- businesses that use account data to provide users with personalised comparison services supported by the presentation of account information;
- businesses that, on a user's instruction, provide information from the user's various payment accounts to both the user and third party service providers such as financial advisors or credit reference agencies;
If my understanding of the position of the German financial regulator, BaFIN, is correct then BaFIN has the broadest interpretation. According to BaFin, it does not seem to matter who the recipient of the consolidated information is. With regard to paragraph 1(34) of the German Payment Act, in which AIS is defined, BaFIN notes shortly (translated) that services are included regardless of who the addressee of the communication is.
The scope of AIS thus raises a number of questions. The first question is whether there is also AIS within the meaning of the PSD2 if account information is provided to third parties. If this is not the case, I would not exclude that an ASPSP would try to argue that it does not have to offer mandatory access. The argument would then be that pursuant to article 67(1) PSD2 a payment service user only has the right to use the services of an AISP for the services listed in point 8 of the annex to the PSD2, namely AIS. Other types of services are not in scope of article 67(1) PSD2. This scenario could e.g. happen if a German authorized AISP would try to obtain payment information from a UK payment account. If in the UK, the services of the German AISP would not qualify as AIS, I could imagine that the relevant UK bank might explore whether it may deny 'free access'.
Suppose that a broad(er) explanation is correct, the second question is whether the (consolidated) information must always be provided to the account holder as well. The FCA seems to be taking this as a starting point. The advantage of this approach is that the account holder can always check for himself what information is provided to the third party. Moreover, it excludes all kinds of information services in which the account holder has ever given his explicit consent for a certain period of time (the AISP could access the account for 90 days without any action required of the account holder), but after that no longer has any insight into the information provided by the AISP to third parties (whether or not on a regular basis).
Who checks the AISP-services?
A follow-up question is who should then check the services provided by an AISP. In the first instance, this will be the financial regulator that will be responsible for the registration of the AISP. The financial regulator will have to determine whether, in view of the services it provides or intends to provide, the company in question is eligible for registration as an AISP. If this hurdle is taken, then ASPSPs might – as said – want to explore whether or not they should offer mandatory access to an AISP. When it is reasonably established that the information services are not AIS according to the views of the local financial regulator, it could be that the local ASPSP has good arguments to allow access only on the basis of an agreement.
If a service provider uses the account information for its own (commercial) purposes (e.g. credit rating for lenders) or if the service provider sells the information to third parties, a local financial regulator might decide that these services are not covered by the PSD2. This means that the service provider in question may not be eligible for registration as an AISP under PSD2.
Where there is local difference in the interpretation of AIS, ASPSPs, such as banks, might explore whether they are allowed to refuse access to payment accounts to AISPs that are authorized in a Member State where the interpretation of AIS is broader than in the home Member State of the ASPSP. This will obviously undermine the level European playing field that PSD2 promotes, but could be the result of different local interpretations and views of local regulators.