Answer 1: A licence requirement applies if a party enters into a contract or agreement with an account holder for providing an account information service.
If a licensed account information service provider outsources its retrieval of payment data from an account-servicing payment service provider to a third party, then a contract or agreement will be presumed to have been concluded with the payment service user for providing an account information service via the licensed account information service provider. The same applies if this party has access to or may have access to the personal payment data of the user of the payment service, or if it has a relevant security token giving access to such data. This means that the third party is also subject to a licence requirement.
Explanatory notes
Performing a PSD2 account information service upon request consists of two key elements: 1) retrieving the payment service user's payment data from the user's account-servicing payment service provider (generally a bank); and 2) providing consolidated account information to the payment service user (or to a third party, subject to a request by the payment service user; also see Question 3). The majority of account information service providers are engaged in activities falling under both key elements. These activities can also be performed by two different parties working in collaboration.
The licence requirement applies to both parties under certain conditions.
- The party with whom the payment service user concludes an agreement or contract for account information services is designated as the party ultimately performing the payment service on behalf of the payment service user, even if this party outsources data retrieval to a third party. This party is therefore subject to a licence requirement.
- If the party that retrieves the payment data on behalf of a licensed account information service provider has access to the personal payment data of the user of the payment service, or if it has a relevant security token giving access to such data, then this party is also subject to a licence requirement. This is because this party concludes a contract or agreement for the provision of account information via the licensed account information service provider. A party may only retrieve payment details autonomously if a contract or agreement has been concluded with the payment service user. The rules that apply to access to current accounts are a core element of PSD2, which is why this party is individually subject to a licence requirement.
Question 2: May an account information service provider outsource the retrieval of payment details from a bank to an unlicensed party?
Answer 2: The answer is yes, but only if the party retrieving the data has no access to the account holder's personal payment details or a security token providing such access. This party only provides the link to the API of the account-servicing payment service provider. It merely transmits the data of the account-servicing payment service provider to the account information service provider. A party such as this has no autonomous access to the current account. It provides a service of a purely technical nature. In this case, the account information service provider is subject to the relevant outsourcing rules pursuant to the Financial Supervision Act. These rules include provisions applying to the account information service provider or the payment initiation service provider with regard to the security of sensitive payment data. The provisions of the General Data Protection Regulation also apply to the account information service provider and the technical service provider.
Question 3: Is an account information service provider required to be the only processor of retrieved payment data, or may a third, unlicensed party engage in such processing?
Answer 3: Under certain circumstances, a third, unlicensed party may engage in the actual processing of the retrieved payment data.
The law defines an account information service as an online service for providing consolidated information on one or more current accounts held by a payment service user with one or more other payment service providers. Data is considered to be consolidated account information if the original information is retrieved from one or more current accounts by the account information service provider from the account-servicing payment service provider for a specific period of time. The account information (consisting of more-or-less raw data) can be provided to the payment service user, who may also provide the account information service provider with consent in accordance with the GDPR to transmit the information to a third party.
The legal definition of account information service does not specify the recipient of consolidated account information [1].
This third party may engage in the actual processing (categorisation etc.) of retrieved payment data. In this case, the third party will fall outside the scope of PSD2 and will not be subject to a licence requirement. However, the payment service user must have concluded a contract or agreement for account information services with the other account information service provider that retrieves relatively 'raw' data for a specific period of time at the request of the payment service user.
[1] Also see EBA Q&A 4098 Clarification on whether a particular business model type constitutes the provision of an account information service as defined by Article 4 (16) of PSD2.