PSD2 TPP XS2A – online account access rules




PSD2 – Third Party Payment Providers Online Account Access aka the PSD2 TPP XS2A rules

(Note: the below is a high level review of certain potential issues and is not to be relied upon in any definitive manner nor as legal and/or regulatory advice).




PSD2 has introduced new regulated business models known as ‘Payment Initiation Service Providers’ (or ‘PISPs’) and ‘Account Information Service Providers’ (or ‘AISPs’) – collectively referred to as Third Party Payment Providers, or TPPs.

Not only has PSD2 required TPPs to become regulated, but it also regulates how other payment service providers must interact with them – most notably the right of TPPs to access payment accounts held with other PSPs where those accounts are accessible online. This has been commonly referred to as the PSD2 TPP XS2A (access to account) rules.

What are the key PSD2 TPP XS2A rules?

PSD2 provides that PISPs and AISPs must be able to communicate with the payment service providers that hold online-accessible payment accounts (the account servicing payment service providers), so that they can carry out the services their mutual customers have requested.

The rules are not absolute and TPPs must comply with the obligations set out in PSD2 and the accompanying EBA Regulatory Technical Standard.

The EBA Regulatory Technical Standard covers requirements relating to:

  • The obligation of account servicing payment service providers to offer at least one interface allowing TPPs to carry out their services (to request and receive account information, for AISPs, and to initiate a payment order, for PISPs)
  • If a dedicated interface is offered, rules on its availability and performance, which must match the service levels of the interfaces the account servicing payment service provider offers directly to its payment service users, together with contingency measures
  • Security of communication between the service providers
  • Rules on, and the scope of, the data exchanges between the service providers

Legislative Text:

Rules on access to payment account in the case of payment initiation services

PSD2 Directive – Article 66

1. Member States shall ensure that a payer has the right to make use of a payment initiation service provider to obtain payment services as referred to in point (7) of Annex I. The right to make use of a payment initiation service provider shall not apply where the payment account is not accessible online.

2. When the payer gives its explicit consent for a payment to be executed in accordance with Article 64, the account servicing payment service provider shall perform the actions specified in paragraph 4 of this Article in order to ensure the payer’s right to use the payment initiation service.

3. The payment initiation service provider shall:
(a) not hold at any time the payer’s funds in connection with the provision of the payment initiation service;
(b) ensure that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised security credentials, accessible to other parties and that they are transmitted by the payment initiation service provider through safe and efficient channels;
(c) ensure that any other information about the payment service user, obtained when providing payment initiation services, is only provided to the payee and only with the payment service user’s explicit consent;
(d) every time a payment is initiated, identify itself towards the account servicing payment service provider of the payer and communicate with the account servicing payment service provider, the payer and the payee in a secure way, in accordance with point (d) of Article 98(1);
(e) not store sensitive payment data of the payment service user;
(f) not request from the payment service user any data other than those necessary to provide the payment initiation service;
(g) not use, access or store any data for purposes other than for the provision of the payment initiation service as explicitly requested by the payer;
(h) not modify the amount, the payee or any other feature of the transaction.

4. The account servicing payment service provider shall:
(a) communicate securely with payment initiation service providers in accordance with point (d) of Article 98(1);
(b) immediately after receipt of the payment order from a payment initiation service provider, provide or make available all information on the initiation of the payment transaction and all information accessible to the account servicing payment service provider regarding the execution of the payment transaction to the payment initiation service provider;
(c) treat payment orders transmitted through the services of a payment initiation service provider without any discrimination other than for objective reasons, in particular in terms of timing, priority or charges vis-à-vis payment orders transmitted directly by the payer.

5. The provision of payment initiation services shall not be dependent on the existence of a contractual relationship between the payment initiation service providers and the account servicing payment service providers for that purpose.

PSRs 2017 (2 February draft) – Regulation 69

(1) This regulation applies only in relation to a payment account which is accessible online.

(2) Where a payer gives explicit consent in accordance with regulation 66 for a payment to be executed through a payment initiation service provider, the payer’s account servicing payment service provider must—
(a) communicate with the payment initiation service provider in accordance with [the Regulatory Technical Standards to be developed by the EBA];
(b) immediately after receipt of the payment order from the payment initiation service provider, provide or make available to the payment initiation service provider all information on the initiation of the payment transaction and all information accessible to the account servicing payment service provider regarding the execution of the payment transaction;
(c) treat the payment order in the same way as a payment order received directly from the payer, in particular in terms of timing, priority or charges, unless the account servicing payment service provider has objective reasons for treating the payment order differently;
(d) not require the payment initiation service provider to enter into a contract before complying with the preceding sub-paragraphs.

(3) A payment initiation service provider must—
(a) not hold a payer’s funds in connection with the provision of the payment initiation service at any time;
(b) ensure that a payer’s personalised security credentials are— (i) not accessible to other parties, with the exception of the issuer of the credentials; and (ii) transmitted through safe and efficient channels;
(c) ensure that any other information about a payer is not provided to any person except a payee, and is provided to the payee only with the payer’s explicit consent;
(d) each time it initiates a payment order, identify itself to the account servicing payment service provider and communicate with the account servicing payment service provider, the payer and the payee in accordance with the [Regulatory Technical Standards to be developed by the EBA];
(e) not store sensitive payment data of the payment service user;
(f) not request any information from a payer except information required to provide the payment initiation service;
(g) not use, access or store any information for any purpose except for the provision of a payment initiation service explicitly requested by a payer;
(h) not change the amount, the payee or any other feature of a transaction notified to it by the payer.

 

Rules on access to and use of payment account information in the case of account information services

PSD2 Directive – Article 67

1. Member States shall ensure that a payment service user has the right to make use of services enabling access to account information as referred to in point (8) of Annex I. That right shall not apply where the payment account is not accessible online.

2. The account information service provider shall:
(a) provide services only where based on the payment service user’s explicit consent;
(b) ensure that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised security credentials, accessible to other parties and that when they are transmitted by the account information service provider, this is done through safe and efficient channels;
(c) for each communication session, identify itself towards the account servicing payment service provider(s) of the payment service user and securely communicate with the account servicing payment service provider(s) and the payment service user, in accordance with point (d) of Article 98(1);
(d) access only the information from designated payment accounts and associated payment transactions;
(e) not request sensitive payment data linked to the payment accounts;
(f) not use, access or store any data for purposes other than for performing the account information service explicitly requested by the payment service user, in accordance with data protection rules.

3. In relation to payment accounts, the account servicing payment service provider shall:
(a) communicate securely with the account information service providers in accordance with point (d) of Article 98(1); and
(b) treat data requests transmitted through the services of an account information service provider without any discrimination for other than objective reasons.

4. The provision of account information services shall not be dependent on the existence of a contractual relationship between the account information service providers and the account servicing payment service providers for that purpose.

PSRs 2017 (2 February draft) – Regulation 70

(1) This regulation applies only in relation to a payment account which is accessible online.

(2) Where a payment service user uses an account information service, the payment service user’s account servicing payment service provider must—
(a) communicate with the account information service provider in accordance with the [Regulatory Technical Standards to be developed by the EBA];
(b) treat a data request from the account information service provider in the same way as a data request received directly from the payer, unless the account servicing payment service provider has objective reasons for treating the request differently;
(c) not require the account information service provider to enter into a contract before complying with the preceding sub-paragraphs.

(3) An account information service provider must—
(a) not provide account information services without the payment service user’s explicit consent;
(b) ensure that the payment service user’s personalised security credentials are— (i) not accessible to other parties, with the exception of the issuer of the credentials; and (ii) transmitted through safe and efficient channels;
(c) for each communication session, identify itself to the account servicing payment service provider and communicate with the account servicing payment service provider and the payment service user in accordance with the [Regulatory Technical Standards to be developed by the EBA];
(d) not access any information other than information from designated payment accounts and associated payment transactions;
(e) not store sensitive payment data linked to the payment accounts accessed;
(f) not request any information from a payer except information required to provide the account information service;
(g) not use, access or store any information for any purpose except for the provision of the account information service explicitly requested by the payment service user.

 

 

Limits of the use of the payment instrument and of the access to payment accounts by payment service providers

PSD2 Directive – Article 68

1. Where a specific payment instrument is used for the purposes of giving consent, the payer and the payer’s payment service provider may agree on spending limits for payment transactions executed through that payment instrument.

2. If agreed in the framework contract, the payment service provider may reserve the right to block the payment instrument for objectively justified reasons relating to the security of the payment instrument, the suspicion of unauthorised or fraudulent use of the payment instrument or, in the case of a payment instrument with a credit line, a significantly increased risk that the payer may be unable to fulfil its liability to pay.

3. In such cases the payment service provider shall inform the payer of the blocking of the payment instrument and the reasons for it in an agreed manner, where possible, before the payment instrument is blocked and at the latest immediately thereafter, unless providing such information would compromise objectively justified security reasons or is prohibited by other relevant Union or national law.

4. The payment service provider shall unblock the payment instrument or replace it with a new payment instrument once the reasons for blocking no longer exist.

5. An account servicing payment service provider may deny an account information service provider or a payment initiation service provider access to a payment account for objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account by that account information service provider or that payment initiation service provider, including the unauthorised or fraudulent initiation of a payment transaction. In such cases the account servicing payment service provider shall inform the payer that access to the payment account is denied and the reasons therefor in the form agreed. That information shall, where possible, be given to the payer before access is denied and at the latest immediately thereafter, unless providing such information would compromise objectively justified security reasons or is prohibited by other relevant Union or national law.

The account servicing payment service provider shall allow access to the payment account once the reasons for denying access no longer exist.

6. In the cases referred to in paragraph 5, the account servicing payment service provider shall immediately report the incident relating to the account information service provider or the payment initiation service provider to the competent authority. The information shall include the relevant details of the case and the reasons for taking action. The competent authority shall assess the case and shall, if necessary, take appropriate measures.

PSRs 2017 (2 February draft) – Regulation 71

(1) Where a specific payment instrument is used for the purpose of giving consent to the execution of a payment transaction, the payer and its payment service provider may agree on spending limits for any payment transactions executed through that payment instrument.

(2) A framework contract may provide for the payment service provider to have the right to stop the use of a payment instrument on reasonable grounds relating to—
(a) the security of the payment instrument;
(b) the suspected unauthorised or fraudulent use of the payment instrument; or
(c) in the case of a payment instrument with a credit line, a significantly increased risk that the payer may be unable to fulfil its liability to pay.

(3) The payment service provider must, in the manner agreed between the payment service provider and the payer and before carrying out any measures to stop the use of the payment instrument—
(a) inform the payer that it intends to stop the use of the payment instrument; and
(b) give its reasons for doing so.

(4) Where the payment service provider is unable to inform the payer in accordance with paragraph (3) before carrying out any measures to stop the use of the payment instrument, it must do so immediately after

(5) Paragraphs (3) and (4) do not apply where provision of the information in accordance with paragraph (3) would compromise reasonable security measures or is otherwise unlawful.

(6) The payment service provider must allow the use of the payment instrument or replace it with a new payment instrument as soon as practicable after the reasons for stopping its use cease to exist.

(7) An account servicing payment service provider may deny an account information service provider or a payment initiation service provider access to a payment account for reasonably justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account by that account information service provider or payment initiation service provider, including the unauthorised or fraudulent initiation of a payment transaction.

(8) If an account servicing payment service provider denies access to a payment account under paragraph (7)—
(a) the account servicing payment service provider must notify the payment service user of the denial of access and the reason for the denial of access, in the form agreed with the payment service user;
(b) the notification under sub-paragraph (a) must be provided before the denial of access if possible, or otherwise immediately after the denial of access;
(c) the account servicing payment service provider must immediately report the incident to the Authority in such form as the Authority may direct, and such report must include the details of the case and the reasons for taking action.

(9) Paragraph (8)(a) and (b) do not apply if notifying the payment service user—
(a) would compromise reasonably justified security reasons; or
(b) is unlawful.

(10) When the Authority receives a report under paragraph (8)(c), it must assess the case and take such measures as it considers appropriate.