Question ID:
2018_4098
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Authorisation and registration
Article:
Article 4
Paragraph:
16
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Not applicable
Article/Paragraph:
Not applicable
Disclose name of institution / entity:
Yes
Name of institution / submitter:
Central Bank of Ireland
Country of incorporation / residence:
Ireland
Type of submitter:
Competent authority
Subject Matter:
Clarification on whether a particular business model type constitutes the provision of an account information service as defined by Article 4 (16) of PSD2
Question:

Does a business model where the provider offers a service sending the account information to third parties (different from the payment service user)  (detail provided in the background) constitute the provision of an account information service, particularly as it is not proposed that the account information obtained will be given directly to the Payment Service User?

Background on the question:

Overview of Business Model proposed • The proposed account information service provider offers a service to audit firms, which allows them to request instant account balance information and transaction data from the payment accounts of their audit clients, via their online platform.

• The audit firm has the primary relationship with the proposed account information service provider and with the payment service user (PSU) (as the PSU is in the first instance the auditor’s client and only avails of the proposed account information service provider’s services during the course of the audit service being provided).

• The PSU signs up to the proposed account information service provider’s terms of service via an email generated on the proposed account information service provider’s platform by the audit firm.

• By signing up to the service, the PSU is providing explicit consent to the proposed account information service provider allowing it to access their payment accounts via the proposed account information service provider's platform. Permission levels are also set at this point, indicating the payment account information the proposed account information service provider has permission to access. The PSU also has to sign off on each access request made on the auditor’s behalf.

• The proposed account information service provider retrieves the payment account balance and transaction information via the bank’s API and it converts the information into a PDF document and makes this account information available on its online platform to the auditors.

• The PSU does not have access to this information. The only information the PSU will have access to relates to tasks and information the auditor has requested and a summary of the access levels it has consented to. The proposed account information service provider’s business model is not the typical business model we had anticipated as a result of the new payment service of account information service being introduced. Our original expectation, based on our participation at various EU fora, was that AIS services would typically entail providing consolidated account information directly to a Payment Service User to enable them to view their account balances/information across multiple banks in one place.

PSD2 defines Account Information Service as ‘an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider’. Whilst PSD2 does not appear to explicitly state that, when providing AIS payment account information has to be provided to the PSU, we are aware that at least one other Member State has taken the interpretation that unless the information is provided to the PSU, it is not AIS.

Date of submission:
11/07/2018
Published as Final Q&A:
13/09/2019
EBA Answer:

Articles 4(16) and 67(1),(2) PSD2 do not require that the account information service provider (AISP) provides the consolidated information to the payment service user (PSU) in order for the service to constitute an ‘account information service’ according to PSD2. The AISP may therefore transmit the consolidated information to a third party with the PSU’s explicit agreement. Regarding the use made by any third party of the consolidated information transmitted, other provisions of EU law may apply, for instance the General Data Protection Regulation (EU) 2016/679 (GDPR).  

 

Disclaimer:

This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.

 

Status:
Final Q&A