Single Rulebook Q&A

Question ID: 2018_4309
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 66, 67 and 68
Paragraph:
Subparagraph:
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph: 32
Name of institution / submitter: European Third Party Providers Association
Country of incorporation / residence: Belgium
Type of submitter: Industry association
Subject matter: Consent for the provision of PIS and AIS
Question:

Could the consent to Account Information Service Providers (AISP)/ Payment Initiation Service Provider (PISP) to provide services to a Payment Service User (PSU) also be revoked by the bank directly for PSU’s ease of use and could ASPSPs offer the PSU to generally “opt out” of being able to use the services of bank-independent Third Party Providers (TPPs)?

Background on the question:

According to Art. 66 and 67 PSD2 a PISP or AISP can only initiate a payment or access payment account information with the explicit consent of the payment service user (PSU).

Article 30(2)(a) also states that the interface developed by the ASPSP shall ensure that “a payment initiation service provider or an account information service provider shall be able to instruct the account servicing payment service provider to start the authentication based on the consent of the payment service user”.

As mentioned in paragraph 13 of the EBA opinion published in June 2018, “where AIS or PIS are provided to a payment service user (PSU) following a contract that has been signed by both parties, ASPSPs do not have to check consent. It suffices that AISPs and PISPs can rely on the authentication procedures provided by the ASPSPs to the PSU, when it comes to the expression of explicit consent.”

On that basis the TPP contacts the ASPSP and initiates a communication session. In such a session, no double check or second consent requirement may be introduced as this would hamper the frictionless functioning of the AIS or the PIS and go against the RTS and PSD2 as explained in the EBA opinion. In addition, Art. 32 (3) RTS points out, “additional checks of the consent” or “requiring additional authorisations” would hence amount to an illicit obstacle to the provision of AIS and PIS in violation of PSD2.

Variations around this principle have arisen in the market in particular with regard to whether banks can ex-ante ask their PSUs whether they want TPPs to access their accounts or not as well as whether the PSU for its convenience could revoke the consent given to a TPP with the bank as well as the TPP and in the first case for the bank to then pass on the information to the TPP.

In the case of the first, if the PSU would first have to actively declare to be willing to use services offered by TPPs towards his or her ASPSP, this would weaken the principle that all PSUs are entitled to use AISPs and PISPs and may discourage PSUs from using them or complicate the situation in cases where the PSU changes his mind and wishes to start using TPP services.  By the same token, also an opt-out from the use of PIS or AIS in a way that an ASPSP disables the use of such services would not be allowed. In that case, PSUs would no longer be able to rely on TPP unless they provided an additional authorization or additional consent that in our view goes beyond the authorisation agreed with the ASPSP in line with Art. 64 (2), 66 and 67 PSD2. As set out above, such additional consent or authorisation shall not be required and as highlighted in the EBA opinion ASPSPs may not check the consent provided by the PSU to a PISP/AISP. Doing it ex ante as suggested by some banks would similarly conflict with this principle. The PSU should remain free to decide whether or not to use an AIS or a PIS. Article 68(5) PSD2 enables the ASPSP to block AIS or PIS access only if this access is ‘unauthorised or fraudulent’.

In the second case, for the ASPSP to be able to revoke consent with an AISP/PISP on behalf of a PSU, ASPSPs would need to have access to consent information and be informed of which AISP and/or PISP the PSU has provided explicit consent to. This would contradict the legal principle highlighted in the EBA opinion that ASPSPs cannot and should not check the consent. In addition if ASPSPs were allowed to revoke the consent, it would mean that they are able to manage the PSU’s consent which, in our view, again conflicts with the principle highlighted in the opinion.

Date of submission: 03/10/2018
Published as Final Q&A: 21/12/2018
EBA answer:

Article 64 of Directive 2015/2366/EU (PSD2) provides rules on consent and withdrawal of consent to execute a payment transaction. According to Article 64(1) a payment transaction is considered to be authorized only if the payer has given consent to execute the payment transaction. Consent may also be given via the payee or the payment initiation service provider (Article 64(2)).  When using a payment initiation service provider (PISP) or account information service provider (AISP), Articles 66 (2) in conjunction with 64 (1) and (2) and 67 (2)(a) PSD2 state that a PISP or AISP can only initiate a payment or access payment account information with the explicit consent of the payment service user (PSU). For the expression of explicit consent, the PISP and the AISP can rely on the authentication procedures that shall be made available by the ASPSP to the PSU (Article 97(5) PSD2). As the PIS and AIS services are provided to the PSU on the basis of an explicit consent, the ASPSP does not have to check that consent has been given (see EBA Opinion on the implementation of the regulatory technical standards on strong customer authentication (SCA) and common and secure communication, EBA-Op-2018-04, June 2018, paragraph 13).

It follows from the above that it is only the PSU that can give consent to the provision of PIS and AIS services. It is consequently also only the PSU that has the right to withdraw the consent after it has been provided. The ASPSP cannot revoke the consent. It is only entitled to deny an AISP or PISP access to a payment account on its own initiative for justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account by that specific PISP or AISP (Article 68(5) PSD2). When blocking the access the ASPSP shall immediately report the incident to the relevant competent authority. PSD2 thus provides adequate safeguards to ensure that PISPs and AISPs do not have unauthorised access to payment accounts.

As for the question whether ASPSPs could offer the PSU the possibility to generally “opt out” of being able to use the services of bank-independent TPPs, such a general “opt-out” would undermine the very aim of PSD2 to create a level playing field between all market players offering these services, and specifically be in breach of the obligations of the ASPSPs under Articles 66 and 67 and Article 68(5) of PSD2.

Disclaimer:

This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.

Status: Final Q&A