Question ID:
2021_6246
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
32
Paragraph:
3
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
32
Disclose name of institution / entity:
Yes
Name of institution / submitter:
Deutsche Bank AG
Country of incorporation / residence:
Germany
Type of submitter:
Credit institution
Subject Matter:
Change of TPP access rights for AIS consent by the PSU prior to authorisation
Question:

A clarification / harmonised guidance on the Scope of the Bank Offered Consent, as defined in the Berlin Group standard, is needed.

Background on the question:

AIS Consent

The so-called Bank Offered Consent is initiated by the TPP via the API and enables the PSU to select the account(s) and the access level on the ASPSPs’ domain or system during the (redirect or decoupled) authentication procedure with the ASPSP. The following access levels are possible:

  1. Accounts list only
  2. Accounts list with balances
  3. Accounts list with balances and transactions

An option for the implementation of the redirect screen is to pre-populate all accounts and full access levels and give the PSU the ability to deselect accounts or access levels.

A single TPP highlighted concerns whether it is allowed to let the PSU determine not only the accounts but also the access level per account. Other TPPs feel strongly about keeping this feature. Additionally, ASPSPs that do not offer the selection of the access level per account by the PSU were asked by TPPs to offer this.

The Berlin Group standards define 3 different consent workflows:

  1. Detailed Consent – The TPP sends a consent request on dedicated accounts and access levels.
  2. Bank Offered Consent – The TPP sends an empty consent request without indication of accounts; the PSU can select the accounts and access levels on the ASPSP’s redirect page or mobile app in case of the decoupled SCA approach.
  3. Global Consent – The TPP requests full access to all PSD2 accounts; the PSU can only accept all or nothing.

Reasoning for the 3 Models:

  1. The Detailed Consent is used by TPPs that already know the IBANs of the PSU or for the renewal of consent after 90 days.
  2. The Bank Offered Consent fulfills the requirement to select the accounts and access levels on the ASPSPs’ domain during the authentication procedure and is in line with Requirement #36 in the EBA Opinion on obstacles under Article 32(3) of the RTS on SCA and CSC.
  3. The Global Consent gives the TPP full access to all PSD2 accounts after a successful SCA. The user has no option to restrict access; he only has the option of rejecting the full consent request.

This issue is decided differently by each Member State NCA.

Date of submission:
19/10/2021
Published as Final Q&A:
14/10/2022
Final Answer:

In accordance with Article 32(3) of the Commission Delegated Regulation (EU) 2018/389, any checks by the account servicing payment service provider (ASPSP) of the consent given by the payment service user (PSU) to an account information service provider (AISP) to access the information on the PSU’s payment account(s) held with the ASPSP are considered an obstacle to the provision of account information services.

It follows from this that if the ASPSP requires the PSU, as part of the authentication step on the ASPSP’s redirect page, to select the scope of the information to be accessed by the AISP, this would constitute an obstacle under Article 32(3) of the Delegated Regulation if the information to be accessed has been already transmitted by the AISP to the ASPSP, as in such case the ASPSP would be verifying the scope of information to be accessed as agreed between the PSU and the AISP.

Moreover, in such case, if the PSU can change the scope of the information to be accessed by the AISP on the ASPSP’s redirect page, this may lead to a situation where the scope of the data accessed by the AISP differs from the scope of data that was agreed between the PSU and the AISP for the provision of the account information service, which, in turn, would put the AISP in a position where it will not be compliant with the requirements of Article 67(2)(a) of Directive 2015/2366/EU (PSD2).

In the specific case where the PSU has not provided the scope of data to be accessed and the relevant account details to the AISP, and the latter has not transmitted them to the ASPSP, in line with the clarifications provided in paragraph 36 of the EBA Opinion on obstacles under Article 32(3) of the RTS on SCA&CSC (EBA/OP/2020/10) and Q&As 4854 and 5763, the PSU should be allowed to select the payment accounts and the scope of data on the ASPSP’s redirect page or mobile app. This would not constitute an obstacle to the provision of account information services under Article 32(3) of the Delegated Regulation.
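As an added illustration (not code from the EBA, Deutsche Bank or the Berlin Group), the following Python models the three consent workflows from the question and the test the answer applies: only a Bank Offered Consent, where the AISP transmitted no accounts or scope, permits PSU selection on the ASPSP page, and for a Detailed or Global Consent any divergence between the scope the AISP requested and the scope the ASPSP recorded after SCA is flagged. The `access` field names (`accounts`, `balances`, `transactions`, `allPsd2`) are assumed to follow the Berlin Group NextGenPSD2 consent request, and the sample requests are constructed.

```python
from enum import Enum


class ConsentModel(Enum):
    DETAILED = "detailed"          # TPP names accounts and access levels
    BANK_OFFERED = "bank_offered"  # TPP sends an empty access object
    GLOBAL = "global"              # TPP asks for all PSD2 accounts

# Keys assumed from the NextGenPSD2 'access' object; their order matches
# access levels 1 (list), 2 (balances), 3 (transactions) on the page.
LEVEL_KEYS = ("accounts", "balances", "transactions")


def classify_consent(access: dict) -> ConsentModel:
    """Classify a consent request by the shape of its 'access' object."""
    if access.get("allPsd2") == "allAccounts":
        return ConsentModel.GLOBAL
    if any(access.get(key) for key in LEVEL_KEYS):
        return ConsentModel.DETAILED
    return ConsentModel.BANK_OFFERED


def scope_of(access: dict) -> dict:
    """Map each IBAN to the highest access level (1..3) it appears under."""
    levels: dict = {}
    for level, key in enumerate(LEVEL_KEYS, start=1):
        for entry in access.get(key) or []:
            levels[entry["iban"]] = max(levels.get(entry["iban"], 0), level)
    return levels


def psu_may_select_on_redirect(access: dict) -> bool:
    """Scope selection on the ASPSP page is only permissible when the AISP
    transmitted no accounts and no scope (Bank Offered Consent)."""
    return classify_consent(access) == ConsentModel.BANK_OFFERED


def check_granted_scope(requested: dict, granted: dict) -> list:
    """Compare the AISP's request with the scope the ASPSP recorded after SCA.
    An empty list means the recorded scope matches what PSU and AISP agreed."""
    model = classify_consent(requested)
    if model == ConsentModel.BANK_OFFERED:
        return []  # PSU chose everything on the ASPSP page; nothing to compare
    if model == ConsentModel.GLOBAL:
        # All or nothing: a per-account grant means the request was narrowed.
        return ["global consent narrowed on ASPSP page"] if scope_of(granted) else []
    req, got = scope_of(requested), scope_of(granted)
    findings = [f"{iban}: AISP agreed level {lvl}, ASPSP recorded {got.get(iban, 0)}"
                for iban, lvl in req.items() if got.get(iban, 0) != lvl]
    findings += [f"{iban}: not in AISP request" for iban in got.keys() - req.keys()]
    return findings


# Constructed sample requests (not taken from the page).
DETAILED_REQ = {"accounts": [{"iban": "DE00TEST0000000001"}],
                "balances": [{"iban": "DE00TEST0000000001"}]}
BANK_OFFERED_REQ = {"accounts": [], "balances": [], "transactions": []}
GLOBAL_REQ = {"allPsd2": "allAccounts"}
```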

Status:
Final Q&A
Answer prepared by:
Answer prepared by the EBA.