2019_4631 TPP access only with PSU involvement

Question ID: 2019_4631
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 98
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph: 36/5 (b)
Type of submitter: Consultancy firm
Subject matter: TPP access only with PSU involvement
Question: Can a Payment Service User (PSU) allow a Third party provider (TPP) the access to his account only if he is involved?
Background on the question: Article 36(5)(b) of Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication states that the TPP may access account information of the PSU a maximum of four times within 24 hours. This applies with the explicit consent of the user.
Does this article also state that a PSU can prohibit the TPP from accessing the account independently meaning without the "presence" of the PSU? This means that the TPP has permission to access the account information of the PSU but this only applies if the PSU actively requests this information at TPPs application.
Submission date: 27/03/2019
Final publishing date: 05/03/2021
Final answer: Article 36(5)(a) and (b) of the Commission Delegated Regulation (EU) 2018/389 provides that account information service providers (AISPs) shall be able to access information from designated payment accounts and associated payment transactions held by account servicing payment service providers (ASPSPs) for the purposes of performing the account information service in either of the following circumstances:
(a) whenever the Payment Service User (PSU) is actively requesting such information;
(b) where the PSU does not actively request such information, no more than four times in a 24-hour period, unless a higher frequency is agreed between the AISP and the ASPSP, with the PSU's consent.

This is, however, without prejudice to the obligation set out in Article 67(2)(a) of Directive 2015/2366/EU (PSD2) according to which AISPs shall provide services only where based on the PSU’s explicit consent. The PSD2 does not restrict the PSU from setting the conditions in which the AISP can access the account information, including the possibility for the PSU to restrict the AISP to access information only whenever the PSU is actively requesting such information.
Status: Final Q&A
Answer prepared by: Answer prepared by the EBA.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre

Disclaimer