Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
36/5 (b)
Disclose name of institution / entity:
Type of submitter:
Consultancy firm
Subject Matter:
TPP access only with PSU involvement

Can a Payment Service User (PSU) allow a third-party provider (TPP) access to his account only if he is involved?

Background on the question:

Article 36(5)(b) of Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication states that the TPP may access account information of the PSU a maximum of four times within 24 hours. This applies with the explicit consent of the user.

Does this article also state that a PSU can prohibit the TPP from accessing the account independently, meaning without the "presence" of the PSU? This means that the TPP has permission to access the account information of the PSU, but this only applies if the PSU actively requests this information in the TPP's application.

Date of submission:
Published as Final Q&A:
EBA Answer:

Article 36(5)(a) and (b) of the Commission Delegated Regulation (EU) 2018/389 provides that account information service providers (AISPs) shall be able to access information from designated payment accounts and associated payment transactions held by account servicing payment service providers (ASPSPs) for the purposes of performing the account information service in either of the following circumstances: 
(a) whenever the Payment Service User (PSU) is actively requesting such information;
(b) where the PSU does not actively request such information, no more than four times in a 24-hour period, unless a higher frequency is agreed between the AISP and the ASPSP, with the PSU's consent.

This is, however, without prejudice to the obligation set out in Article 67(2)(a) of Directive 2015/2366/EU (PSD2) according to which AISPs shall provide services only where based on the PSU’s explicit consent. The PSD2 does not restrict the PSU from setting the conditions in which the AISP can access the account information, including the possibility for the PSU to restrict the AISP to access information only whenever the PSU is actively requesting such information.

Final Q&A