Is the name returned in an Account Information Service Provider (AISP) / Payment Initiation Service Provider (PISP) call expected to be that of the Payment Service User (PSU) who has initiated the transaction with the Third Party Provide (TPP), or of the actual account owner/holder?
EBA Q&A 2018_4081 has been submitted related to returning the account holder's name in AISP and PISP responses. EBA clarified in their answer that it is now required that names are included in such responses. Is the name returned expected to be that of the PSU who has initiated the transaction with the TPP, or of the actual account owner/holder? There are a number of scenarios where we need to be clear and from a GDPR perspective, sharing the correct data. Say for example in a Corporate context, when the account owner name could be the Corporate name, the PSU in this case may be an Employee making a payment on behalf of the Corporate. Should the Corporate or the Employee name be the one returned in the AISP/PISP responses? In another example of a Power of Attorney, when the account owner name could be "John Smith", but the PSU is a POA on the account with the name Jane Doe;.Should the account owner (John Smith) or the Payment Services User (PSU) (POA Jane Doe) be returned in the AISP/PISP calls? It would be good to have some clarification on the individual's name who is expected to be returned in the AISP and PISP calls.
In accordance with Article 66(4)(c) and Article 67(3)(b) of Directive (EU) 2015/2366 (PSD2), account servicing payment services providers (ASPSP) should treat payment orders transmitted through the services of a payment initiation service provider (PISP) and data requests transmitted through the services of an account information services provider (AISP) without any discrimination, other than for objectively justifiable reasons.
In accordance with Article 66(4)(b) of PSD2 and Article 36(1)(b) of Commission Delegated Regulation (EU) 2018/389, PISPs should be provided with the same information on the initiation and execution of the payment transaction provided or made available to the payment service user (PSU) as when the transaction is initiated directly by the latter.
In accordance with Article 36(1)(a) of Commission Delegated Regulation (EU) 2018/389, AISPs should be provided with the same information from designated payment accounts and associated payment transactions made available to the PSU as when the PSU is directly requesting access to account information.
With respect to payment initiation services (PIS), Q&A 2018_4081 clarified that “the ASPSP shall, immediately after receipt of the payment order, provide the name of the payer (the PSU) to the PISP via the dedicated interface if the name is included in the information on the initiation and execution of the payment transaction provided or made available to the PSU when the transaction is initiated directly by the latter”.
Where the person initiating the payment is not the account owner, but a person entitled to initiate the payment on the latter’s behalf, ASPSPs should make available to PISPs immediately after receipt of the payment order the name of the person initiating the payment, if the same information is provided to the PSU when the transaction is initiated directly by the latter.
Furthermore, with respect to account information services (AIS), Q&A 2018_4081 clarified that “the ASPSP shall provide the name of the payment account owner (the PSU) to the AISP via the dedicated interface if the name is made available to the PSU when directly accessing his account information”.
Where the person accessing the payment account is not the account owner but a person entitled to access the account on the latter’s behalf, ASPSPs should make available to AISPs the name of the person accessing the payment account, provided that this information is part of the information from designated payment accounts and associated payment transactions made available to the PSU when directly accessing his account information. 14
Thus, in accordance with Article 66(4)(c) and Article 67(3)(b) PSD2 and in line with Q&A 2018_4081, the ASPSP has to share the information in case the same information is also shared when the PSU accesses its account directly and/or initiates a transaction directly at the ASPSP, as long as there are no objectively justified reasons not to do so.
Disclaimer:
The answers clarify provisions already contained in the applicable legislation. They do not extend in any way the rights and obligations deriving from such legislation nor do they introduce any additional requirements for the concerned operators and competent authorities. The answers are merely intended to assist natural or legal persons, including competent authorities and Union institutions and bodies in clarifying the application or implementation of the relevant legal provisions. Only the Court of Justice of the European Union is competent to authoritatively interpret Union law. The views expressed in the internal Commission Decision cannot prejudge the position that the European Commission might take before the Union and national courts.