- Question ID
-
2023_6752
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
-
98
- Paragraph
-
1
- Subparagraph
-
d
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
-
30(1), 31, 33
- Name of institution / submitter
-
Tides Broniarek Makowski Radcowie Prawni S.K.A.
- Country of incorporation / residence
-
Poland
- Type of submitter
-
Law firm
- Subject matter
-
Eligibility of communication by AISPs with ASPSP throughout two access interfaces in parallel
- Question
-
Question no 1:
Do art. 30(1), art. 31 and art. 33 of the Commision Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (”RTS”) should be interpreted in that manner, that in scenario, where account servicing payment service provider (”ASPSP”) has introduced a so-called dedicated interface within a meaning of art. 31 RTS, which meets requirements provided for in art. 32 and 33 RTS, than ASPSP has a right and it is up to ASPSP’s sole discretion, whether, for purposes of communication with account information service providers (”AISPs”), to:
- make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS (i.e. dedicated interface and interface made available to the payment service users for the authentication and communication with their ASPSPs); or
- make available to AISPs only dedicated interface (without prejudice to, among others, contingency measures set forth in art. 33 RTS)?
Question no 2:
If answer to question no 1 is that in scenario of introduction by ASPSP of dedicated interface, ASPSP has a right and it is up to ASPSP’s sole discretion to make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS (i.e. dedicated interface and interface made available to the payment service users for the authentication and communication with their ASPSPs), does this mean that AISPs, with observation of further requirements set forth in art. 30, art. 34 and art. 35 RTS, might communicate with this ASPSP, in parallel, throughout both access interfaces?
Question no 3:
If answer to question no 1 is that in scenario of introduction by ASPSP of dedicated interface, ASPSP has no right and it is not up to ASPSP’s sole discretion to make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS, i.e. a contrario ASPSP is allowed to make available to AISPs only dedicated interface (without prejudice to, among others, contingency measures set forth in art. 33 RTS), does ASPSP is under obligement to engange necessary and proportional measures, including technical measures, for AISPs to communicate with ASPSP only via dedicated interface, i.e. with exclusion of interface made available to the payment service users for the authentication and communication with their ASPSPs?
Question no 4:
If answer to question no 1 is that in scenario of introduction by ASPSP of dedicated interface, ASPSP has no right and it is not up to ASPSP’s sole discretion to make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS, i.e. a contrario ASPSP is allowed to make available to AISPs only dedicated interface (without prejudice to, among others, contingency measures as set forth in art. 33 RTS) but nevertheless ASPSP has not engange necessary and proportional measures, including technical measures, for AISPs to communicate with ASPSP only via dedicated interface, i.e. with exclusion of interface made available to the payment service users for the authentication and communication with their ASPSPs, does this fact in any measure reflects AISPs right to communicate with this ASPSP throughout both access interfaces, or whether AISPs should undertake any additional actions, and if yes, what kind of actions?
- Background on the question
-
RTS provisions in several places refers to requirement for ASPSPs to offer to AISPs access interface (one access interface) or interfaces (several access interfaces).
For example, art. 30(1) RTS states, that: ”Account servicing payment service providers that offer to a payer a payment account that is accessible online shall have in place at least one interface […]”.
Further on, art. 30(6) RTS says, that: ”Competent authorities shall ensure that account servicing payment service providers comply at all times with the obligations included in these standards in relation to the interface(s) that they put in place. […]”.
In addition, art. 31 RTS stipulates, that ”Account servicing payment service providers shall establish the interface(s) referred to in Article 30 by means of a dedicated interface or by allowing the use by the payment service providers referred to in Article 30(1) of the interfaces used for authentication and communication with the account servicing payment service provider's payment services users.”.
On top of that, point 20 of RTS recitals provides for, that: ”Each account servicing payment service provider with payment accounts that are accessible online should offer at least one access interface [...]. To ensure technology and business-model neutrality, the account servicing payment service providers should be free to decide whether to offer an interface that is dedicated to the communication with account information service providers, payment initiation service providers, and payment service providers issuing card-based payment instruments, or to allow, for that communication, the use of the interface for the identification and communication with the account servicing payment service providers' payment service users.”.
As clearly comes from above quoted provisions, RTS requires from ASPSPs to maintain at least one access interface (art. 30(1) RTS, point 20 of RTS recitals), which do not prevent ASPSPs to possess more than one access interface (art. 30(6) RTS, art. 31 RTS).
However, RTS does note refer and does not rule out, whether in scenario, where ASPSP offers more than one access interface within a meaning of art. 31 RTS, i.e. (i) dedicated interface or (ii) interface used for authentication and communication with the ASPSP's payment services users, such ASPSP is allowed to make available to AISPs, in parallel, two access interfaces, or, in contradiction, make available to AISPs only dedicated interface (without prejudice to contingency measures set forth in art. 33 RTS).
Lack of such clear cut regulation invokes interpretation divergences and ambiguities among market participants. Namely, in scenario, where ASPSP decided to establish two access interfaces, this is ambiguous, whether ASPSP is allowed to make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS or to make available to AISPs only dedicated interface (without prejudice to, among others, contingency measures set forth in art. 33 RTS).
Abovementioned issue rises further concerns on AISPs’ side, where AISPs are not certain, whether in scenario, where on factual level, ASPSP makes available to AISPs two access interfaces, AISPs might utterly rely on such decision of ASPSP (i.e. to make available to AISPs two access interfaces at the same time), or whether in this scenario AISPs should undertake any additional actions, and if yes, what kind of actions (for instance to communicate with ASPSP only throughout dedicated access interface).
- Submission date
- Final publishing date
-
- Final answer
-
According to Article 30(1) of the Commission Delegated Regulation (EU) 2018/389, account servicing payment service providers (ASPSPs) that offer to their customers payment accounts accessible online must offer at least one access interface to account information services providers (AISPs) and payment initiation service providers (PISPs). Article 31 of the Delegated Regulation provides that ASPSPs “shall establish [such] interface(s) by means of a dedicated interface or by allowing the use by [AISPs and PISPs] of the interfaces used for authentication and communication with the [ASPSP's] payment services users”.
As clarified in Q&A 4681, this means that ASPSPs have a choice in accordance with Article 31 of the Delegated Regulation between (i) offering access to AISPs and PISPs via a dedicated interface; and (ii) allowing AISPs and PISPs to use the interface(s) used by its customers for accessing their payment accounts online.
This does not preclude the possibility of ASPSPs to make available to AISPs as a primary access interface both a dedicated interface that meets all the requirements in Articles 30, 32 and 33 of the Delegated Regulation, and also access via the interface(s) used by the ASPSP's customers for accessing their payment accounts online. In such case, AISPs should follow the technical specifications set out by the ASPSP when accessing the interface(s) provided by the ASPSP in accordance with Article 30(3) of the Delegated Regulation, and comply with their respective obligations under the PSD2 and the Delegated Regulation. Furthermore, in accordance with Article 67(3)(b) of PSD2, ASPSPs should treat data requests transmitted through the services of an AISP without any discrimination, other than for objectively justifiable reasons.
The above is without prejudice to the requirements regarding the contingency mechanism in Article 33(4) of the Delegated Regulation.
- Status
-
Final Q&A
- Answer prepared by
-
Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.