Single Rulebook Q&A

Question ID: 2018_4210
Legal act : Directive 2015/2366/EU (PSD2)
Topic : Strong customer authentication and common and secure communication (incl. access)
Article: 98
Paragraph: 1
Subparagraph: b
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph : Article 36(5b)
Type of submitter: Credit institution
Subject matter : Access by AISPs when customer not present up to 4 times in a 24 hour period
Question:

Is the intention that the '4 times in 24 hour period' is implemented based on 4 sessions for access for account information per consented customer account, or 4 Application Programming Interface (API) calls (where APIs are used for the decicated interface) for account information, or another basis?

Background on the question:

'Access information from designated accounts' could be interpreted as access for each specific type of data e.g. balance, transaction history for which specific API calls would be made as part of the same wider session, or it could be interpreted as access to get the specific piece of information and so e.g. balance and trasnaction history might be considered separately and so could count separately to the threshold of 4 times.

Date of submission: 21/08/2018
Published as Final Q&A: 21/12/2018
EBA answer:

Article 36(5)(b) of Commission Delegated Regulation (EU) 2018/389 states that Account Information Service Providers (AISPs) shall be able to access the payment service user’s (PSU) information “where the payment service user does not actively request such information, no more than four times in a 24-hour period, unless a higher frequency is agreed between the account information service provider and the account servicing payment service provider, with the payment service user's consent”.

As stated in paragraph 28 of the EBA opinion on the implementation of the Commission Delegated Regulation (EU) 2018/389 (RTS on Strong customer authentication and secure communication), not being directly involved in a session means that “the PSU was not in a session at the time of the request”, which means that the PSU was not “actively viewing the data or executing an action to refresh the data to be displayed”. Consequently, a PSU actively requesting information is considered as in session, “actively viewing the data or executing an action to refresh the data to be displayed.

In addition, Article 36(1)(a) of this Delegated Regulation specifies that AISPs have access to the same data as customers would be able to access in relation to their designated payment accounts and associated payment transactions using their web interface or mobile (or tablet) app, provided that this information does not include sensitive payment data. Further, paragraph 20 of this EBA opinion states that the AISPs can access the maximum amount of data available to PSUs with regard to their payment account(s) held with a specific Account Service Payment Service Provider (ASPSP) regardless of the electronic channel (e.g. mobile application or web) used to access it.

Status: Final Q&A
Permanent link: link