Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article 36 (5)(b) RTS SCA
Disclose name of institution / entity:
Type of submitter:
Credit institution
Subject Matter:
Interpretation of 'Active request for account information'

How should 'active request for account information' by a Payment Service User (PSU) be interpreted the wording of article 36(5)(a)(b) of the RTS SCA?

Background on the question:

Account servicing payment service providers (ASPSPs) want to offer the best customer experience, however also needs clarity what an active request for information of the PSU actually is (as these are not part of the 4x a day limitation). Currently it is unclear which actions a customer needs to do (i.e. only opening the app or to swipe/push a button in the app) are needed to update the information showed in the account information overview.

The implications are mainly around the resources involved with increasing bandwidth of IT infrastructure. A liberal interpretation of the concept of an ‘active request’ implies more requests/traffic to the API and, thus it is expected by our engineers, a higher infrastructure bandwidth would be required. A liberal interpretation might in example be that opening up an AIS app by a user is already an active request to refresh his/her AIS information – rather than having to perform a separate in app action like hitting a refresh button.

Date of submission:
Published as Final Q&A:
Final Answer:

Article 36(5)(b) of Commission Delegated Regulation (EU) 2018/389 states that the Account Information Service Provider (AISP) shall be able to access the relevant and necessary information from the account servicing payment service provider (ASPSP) “whenever the payment service user (PSU) is actively requesting such information”. The reference to ‘active request’ refers to the PSU being in session at the time of the request and proactively performing an action, predefined by the AISP, to request such information. It does not include the case where the PSU has given a mandate to an AISP to access whenever possible or the case where the AISP is mandated to refresh automatically the information whenever the PSU is accessing the AISP application(s).

Final Q&A
Answer prepared by:
Answer prepared by the EBA.