Question ID:
2018_4081
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Other topics
Article:
4
Paragraph:
32
COM Delegated or Implementing Acts/RTS/ITS/GLs:
Not applicable
Article/Paragraph:
n.a.
Name of institution / submitter:
Banque de France
Country of incorporation / residence:
FRANCE
Type of submitter:
Competent authority
Subject Matter:
On the access to names and surnames through the API
Question:

Shall names and surnames associated with payment accounts be displayed through the Application Programming Interface (API)??

Background on the question:

ASPSPs have repeatedly stated that names and surnames of both account owners and beneficiaries are visible through online banking space, and therefore may be accessible by TPPs connecting to it through the upcoming API. In this perspective, they have shared their concern that disclosure of such information may put them in legal troubles regarding personal data protection.

However, Article 4(32) of PSD2 defining sensitive payment data states that “sensitive payment data means data, including personalised security credentials which can be used to carry out fraud. For the activities of payment initiation service providers and account information service providers, the name of the account owner and the account number do not constitute sensitive payment data”, which means that the name of account owners (both of the user of TPPs and of already enrolled beneficiaries accessible through the online banking space) can be displayed through the API as they are not sensitive data. Moreover, Article 27 of the EBA’s opinion does not include in data related to PSU’s identity -which should not be shared with TPPs- the name of the account owner, which once more seems to indicate that names (both of the TPP’s user and of the beneficiaries displayed on the online banking space) can be displayed freely through the API.

 

Date of submission:
04/07/2018
Published as Final Q&A:
25/01/2019
EBA Answer:

With regard to payment initiation services, Article 36(1)(b) of the Commission Delegated Regulation 2018/389, which largely reproduces Article 66(4)(b) of PSD2, states that the account servicing payment service provider (ASPSP) shall, immediately after receipt of the payment order, provide payment initiation service providers (PISPs) with the same information on the initiation and execution of the payment transaction provided or made available to the payment service user (PSU) when the transaction is initiated directly by the latter. Hence, the ASPSP shall, immediately after receipt of the payment order, provide the name of the payer (the PSU) to the PISP via the dedicated interface if the name is included in the information on the initiation and execution of the payment transaction provided or made available to the PSU when the transaction is initiated directly by the latter.

Notwithstanding the above, PISPs have to comply with the requirements under Article 66(3)(f) and (g) PSD2.


With regard to account information services, Article 36(1)(a) of the Delegated Regulation states that the ASPSP shall provide account information service providers (AISPs) with the same information from designated payment accounts and associated payment transactions made available to the PSU when directly requesting the access to the account information, provided that this information does not include sensitive payment data. Article 4(32) PSD2 states that for the activities of PISPs and AISPs, the name of the account owner does not constitute sensitive payment data. Hence, the ASPSP shall provide the name of the payment account owner (the PSU) to the AISP via the dedicated interface if the name is made available to the PSU when directly accessing his account information.

Notwithstanding the above, AISPs have to comply with the requirements under Article 67(2)(f) PSD2.

This is without prejudice to PISPs’ and AISPs’ obligations under Directive (EU) 2015/849 (4th Money Laundering Directive).

 

* The answer to the Q&A presented here was amended by a Directorate General of the Commission on 20/12/2019, to respond to new factual elements that have been provided by market participants since the publication of the original answer on 25/01/2019, which required additional clarity to be provided to achieve the aim of a consistent implementation of PSD2 and Commission Delegated Regulation (EU) 2018/389 (the RTS on SCA&CSC).


Application Programming Interfaces (APIs) should foresee the possibility of providing the name of the payer in case this information is required for delivering payment initiation services or account information services. Article 66 (3)(f) PSD2 states that the payment initiation service provider (PISP) shall not request from the payment service user any data other than those necessary to provide the payment initiation service. Article 66 (3)(g) PSD2 further states that the PISP shall not use, access or store any data for purposes other than the provision of the payment initiation service as explicitly requested by the payer.


A PISP should therefore be able to justify that obtaining the name of the payer is necessary for the provision of the payment initiation service as explicitly requested by the payer.
Article 67 (2)(f) PSD2 states that the account information service provider (AISP) shall not use, access or store any data for purposes other than for performing the account information service explicitly requested by the payment service user, in accordance with data protection rules. The AISP should therefore be able to justify that the name of the payment account holder is necessary for the account information service requested by the account owner.

As regards the question whether the name of the payee or a beneficiary list can be displayed, please see the answer to Q&A 2018_4128.
It follows from the above, that the ASPSP shall cater for the possibility in the access interface, e.g. an Application Programming Interface (API), to provide or make available the name of the payer/ payment account holder in order not to create obstacles for PISPs and AISPs, if the latter can justify to the NCA that the name is necessary for the provision of their services.

Article 4 (32) PSD2 states that for the activities of PISPs and AISPs the name of the account owner does not constitute sensitive payment data. This, however, is not relevant for the question whether the ASPSP can or shall provide the name of an account holder. The fact that the name of the account owner is not considered sensitive data only has as a consequence that Article 66 (3)(e) PSD2 and Article 67 (2)(e) PSD2 on requesting and storing sensitive payment data do not apply.

The above PSD2 provisions are fully in line with Article 5(1)(c) of the General Data Protection Regulation (GDPR) on the principle of data minimisation and Article 6(1)(b) on the legal basis for the processing (performance of a contract).

 

Disclaimer:

This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.

Status:
Final Q&A