PSD2: no cross-checking on consent needed, says EBA

Out-Law News | 15 Jun 2018 | 9:35 am | 2 min. read

Banks do not need to check whether their customers have given other companies permission to access information from their payment accounts under EU payment services laws, the European Banking Authority (EBA) has confirmed.

Banks and other 'account servicing payment service providers' (ASPSPs) are required to enable account information service providers (AISPs) and payment initiation service providers (PISPs) to access payment account information they hold where customers consent to such access under the second Payment Services Directive (PSD2).

However, the EBA has confirmed that it is not necessary for ASPSPs to double-check that consent has been given before facilitating access under the new regime.

"It is the EBA’s view, after discussing it with the [European] Commission, that, where AIS or PIS are provided to a payment service user (PSU) following a contract that has been signed by both parties, ASPSPs do not have to check consent. It suffices that AISPs and PISPs can rely on the authentication procedures provided by the ASPSPs to the PSU, when it comes to the expression of explicit consent," it said.

Angus McFadyen, an expert in payments law at Pinsent Masons, the law firm behind, said: "This helps to move us through the debate about the redirection consent route, and whether it can be mandated by the ASPSP, and is wholly in line with the views of many in the market that have argued that it is essential to allowing the effective operation of the third party provider market."

The EBA's clarification was contained in a new opinion it has issued on the implementation of some regulatory technical standards (RTS) that will apply alongside PSD2.

While PSD2 took effect in January this year, the majority of the RTS on ‘strong customer authentication and common and secure open standards of communication’ will not apply until 14 September 2019.

The RTS set out in more detail what ASPSPs must provide for to ensure that AISPs and PISPs can access their customers' payment account data in line with PSD2.

Under the standards, ASPSPs must either enable third party access to the data through the same interfaces they use for interacting with customers, or alternatively develop a new 'dedicated interface' for that purpose. A range of safeguards are outlined in the standards to ensure that the access rights of AISPs and PISPs are respected.

In its opinion, the EBA said that ASPSPs electing to develop a 'dedicated interface' must ensure that it allows all third parties that will use it to comply with their obligations under PSD2 and the RTS, not just themselves.

The opinion contains a list of all the aspects of compliance the dedicated interface must support. It includes meeting a range of rules on security, providing scope to cancel initiated transactions, and enabling traceability and the mitigation of fraud risks.

The EBA also confirmed that, when ASPSPs are facilitating access to customer information under PSD2, they should not disclose data about the identity of the customer to AISPs and PISPs, such as their address, date of birth and social security number. This is because that information is not "necessary or requested to initiate a payment or access account information under PSD2", it said.

Banks are also prohibited from limiting the types of transactions that they enable PISPs to offer to fewer than they offer their customers directly, the EBA said.

The EBA has separately opened a consultation on proposed new guidelines under PSD2. Those guidelines are aimed at clarifying the conditions that ASPSPs must satisfy to benefit from an exemption from the requirement to provide a fallback option to ensure AISPs and PISPs can exercise their access rights where the main interface they use is down or underperforming.