Single Rulebook Q&A

Question ID: 2018_4081
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Other topics
Article: 4
Paragraph: 32
Subparagraph:
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
Article/Paragraph: n.a.
Name of institution / submitter: Banque de France
Country of incorporation / residence: FRANCE
Type of submitter: Competent authority
Subject matter: On the access to names and surnames through the API
Question:

Shall names and surnames associated with payment accounts be displayed through the Application Programming Interface (API)?

Background on the question:

ASPSPs have repeatedly stated that names and surnames of both account owners and beneficiaries are visible through the online banking space, and therefore may be accessible by TPPs connecting to it through the upcoming API. In this perspective, they have shared their concern that disclosure of such information may put them in legal trouble regarding personal data protection.

However, Article 4(32) of PSD2 defining sensitive payment data states that “sensitive payment data means data, including personalised security credentials which can be used to carry out fraud. For the activities of payment initiation service providers and account information service providers, the name of the account owner and the account number do not constitute sensitive payment data”, which means that the name of account owners (both of the user of TPPs and of already enrolled beneficiaries accessible through the online banking space) can be displayed through the API as they are not sensitive data. Moreover, Article 27 of the EBA’s opinion does not include in data related to PSU’s identity -which should not be shared with TPPs- the name of the account owner, which once more seems to indicate that names (both of the TPP’s user and of the beneficiaries displayed on the online banking space) can be displayed freely through the API.


Date of submission: 04/07/2018
Published as Final Q&A: 25/01/2019
EBA answer:

Application Programming Interfaces (APIs) should foresee the possibility of providing the name of the payer in case this information is required for delivering payment initiation services or account information services. Article 66(3)(f) PSD2 states that the payment initiation service provider (PISP) shall not request from the payment service user any data other than those necessary to provide the payment initiation service. Article 66(3)(g) PSD2 further states that the PISP shall not use, access or store any data for purposes other than the provision of the payment initiation service as explicitly requested by the payer.

A PISP should therefore be able to justify that obtaining the name of the payer is necessary for the provision of the payment initiation service as explicitly requested by the payer.

Article 67(2)(f) PSD2 states that the account information service provider (AISP) shall not use, access or store any data for purposes other than for performing the account information service explicitly requested by the payment service user, in accordance with data protection rules. The AISP should therefore be able to justify that the name of the payment account holder is necessary for the account information service requested by the account owner.

As regards the question whether the name of the payee or a beneficiary list can be displayed, please see the answer to Q&A 2018_4128.

It follows from the above that the ASPSP shall cater for the possibility in the access interface, e.g. an Application Programming Interface (API), to provide or make available the name of the payer/payment account holder in order not to create obstacles for PISPs and AISPs, if the latter can justify to the NCA that the name is necessary for the provision of their services.

Article 4(32) PSD2 states that for the activities of PISPs and AISPs the name of the account owner does not constitute sensitive payment data. This, however, is not relevant for the question whether the ASPSP can or shall provide the name of an account holder. The fact that the name of the account owner is not considered sensitive data only has as a consequence that Article 66(3)(e) PSD2 and Article 67(2)(e) PSD2 on requesting and storing sensitive payment data do not apply.

The above PSD2 provisions are fully in line with Article 5(1)(c) of the General Data Protection Regulation (GDPR) on the principle of data minimisation and Article 6(1)(b) on the legal basis for the processing (performance of a contract).

Disclaimer:

This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.


Status: Final Q&A