Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article 36(5b)
Disclose name of institution / entity:
Type of submitter:
Credit institution
Subject Matter:
Access by AISPs when customer not present up to 4 times in a 24 hour period

Is the intention that the '4 times in 24 hour period' is implemented based on 4 sessions for access for account information per consented customer account, or 4 Application Programming Interface (API) calls (where APIs are used for the decicated interface) for account information, or another basis?

Background on the question:

'Access information from designated accounts' could be interpreted as access for each specific type of data e.g. balance, transaction history for which specific API calls would be made as part of the same wider session, or it could be interpreted as access to get the specific piece of information and so e.g. balance and trasnaction history might be considered separately and so could count separately to the threshold of 4 times.

Date of submission:
Published as Final Q&A:
EBA Answer:

Article 36(5)(b) of Commission Delegated Regulation (EU) 2018/389 states that Account Information Service Providers (AISPs) shall be able to access the payment service user’s (PSU) information “where the payment service user does not actively request such information, no more than four times in a 24-hour period, unless a higher frequency is agreed between the account information service provider and the account servicing payment service provider, with the payment service user's consent”.

As stated in paragraph 28 of the EBA opinion on the implementation of the Commission Delegated Regulation (EU) 2018/389 (RTS on Strong customer authentication and secure communication), not being directly involved in a session means that “the PSU was not in a session at the time of the request”, which means that the PSU was not “actively viewing the data or executing an action to refresh the data to be displayed”. Consequently, a PSU actively requesting information is considered as in session, “actively viewing the data or executing an action to refresh the data to be displayed.

In addition, Article 36(1)(a) of this Delegated Regulation specifies that AISPs have access to the same data as customers would be able to access in relation to their designated payment accounts and associated payment transactions using their web interface or mobile (or tablet) app, provided that this information does not include sensitive payment data. Further, paragraph 20 of this EBA opinion states that the AISPs can access the maximum amount of data available to PSUs with regard to their payment account(s) held with a specific Account Service Payment Service Provider (ASPSP) regardless of the electronic channel (e.g. mobile application or web) used to access it.

Consequently, four individual requests can be made within 24 hours. The information shared during each of the four requests may include: 1) more than one type of information and 2) all information an AISP may access in relation to a PSU’s payment account(s) information. During each request, each type of information may only be shared once and the information may be recovered either through one or several API calls depending on the design of the API and on the information sought. When applied each of the four requests may, for example, include both the account balance and associated payment transactions. This applies regardless of whether the Account Servicing Payment Services Provider (ASPSP) is offering a dedicated interface, or has adapted the customer interface, for the purpose of sharing such information.


The answer to this Q&A was corrected 28/11/2019 to address a processing issue that occurred during the publication.

Final Q&A