Since the introduction of the PSD1, various e-commerce services have been developed in the market with which customers can make payments from their checking account directly in a webshop. Services have also been introduced with which customers can obtain an online overview of all the checking accounts they hold at different banks. This allows the customer to gain immediate insight into his financial situation at any time. Such services on payment accounts offered by third parties were not covered by PSD1. The PSD2 now explicitly covers these services, so that matters such as customer protection, security of services, liability in the event of incorrect processing and fair competition are governed by clear rules. The PSD2 distinguishes the following services:
- Payment initiation services through a payment initiation service provider as a third party
- Account information services through an account information service provider as a third party
The third parties that want to offer the aforementioned services must hold a payment institution or bank licence and therefore fall under the supervision of the central banks. Another important requirement is that the payment initiation service provider and the account information service provider never hold the customer's money at any point while providing these services.
Payment initiation services by Third Parties
Banks must make it possible for third parties to gain access to their customers’ payment accounts for the purpose of initiating payment transactions for these customers. However, this only applies if the payment accounts can be accessed online via their own bank, i.e. via the internet or a mobile application. Strictly speaking, this also applies to freely withdrawable savings accounts, whereby it is possible to initiate online transfers from these accounts.
If the initiation of payment orders goes through a so-called payment initiation service provider, this third party must pass on the customer's authorization of these payment orders to the banks where the payers hold their accounts. The third parties do not have to conclude new contracts with these banks for this. The existing authentication and authorization means that the banks support in their own channels for initiating payment orders may be used for this. If a third party nevertheless wishes to use its own means of authentication and authorization, a contract with the bank is required, and a bank may refuse this. All of these means must, however, meet the requirements for strong customer authentication, which means that they must be based on two or more of the following factors:
- Knowledge (something only the user knows), for example a PIN code
- Possession (something only the user owns), for example a debit card
- Inherent property (something the user is), for example biometrics like a fingerprint or iris scan
In addition, when initiating a payment order, strong customer authentication must also include elements that dynamically link the transaction to the amount and the beneficiary of the transaction. In other words, if the amount or the beneficiary of the transaction changes, the result of the strong customer authentication changes as well, so an authentication code captured for one transaction cannot be reused for another. This reduces the risk of fraud. The PSD2 asks the EBA, in consultation with the ECB and with the market, to develop the technical standards for this further. The Regulatory Technical Standards (RTS) on authentication and communication that are to be delivered also specify the situations that are exempt from the strong customer authentication requirements, for example transfers to a closed list of trusted beneficiaries or transfers to your own account within the same bank.
The PSD2 is not very explicit about which types of payment transaction a customer can initiate via a payment initiation service provider for his checking account at his bank. In any case these are transfers and periodic (standing) transfers. However, the definitions in the PSD2 do not exclude that a creditor can also offer collection transactions through a payment initiation service provider. In addition, the PSD2 indicates that a customer may revoke his authorization for a payment order, provided that the execution date has not yet been reached (a scheduled transfer or a future direct debit). The relevant article does not explicitly indicate, however, that a customer can do this via a payment initiation service provider. Article 66(4)(c) does require the account servicing payment service provider to treat payment orders initiated through a payment initiation service provider in a non-discriminatory manner compared to payment orders initiated directly through its own bank channels. Although not explicitly stated, this can also be interpreted as meaning that if the customer has the option of withdrawing a future payment order via the bank channel, this option must also be offered via the payment initiation service provider. From a customer perspective, this is desirable.
The data exchange between the payment initiation service provider and the account servicing payment service provider must be based on the ISO 20022 standards. The bank must also feed back to the payment initiation service provider the same status information about the execution of the payment order that it provides via its own bank channels.
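The two requirements above, dynamic linking of strong customer authentication to the amount and beneficiary, and an ISO 20022 message as the carrier of the payment order, can be shown together. The example below is added here and is not code from the article or from any bank or PISP implementation: it parses a hand-written pain.001-style credit transfer initiation (the message, IBANs, names and identifiers are all constructed), pulls out the fields that dynamic linking must bind, and derives an authentication code as an HMAC over those fields plus a one-time challenge. The HMAC with a per-device key is an assumed, simplified stand-in for whatever the real authenticator (app, card reader, token) computes; the point it demonstrates is that changing the amount or beneficiary after authentication, or replaying the code under a different challenge, makes verification fail.

```python
"""Added example (not from the article): dynamic linking of strong customer
authentication to the amount and beneficiary of a pain.001 payment initiation.

Assumptions (all constructed for illustration):
- SAMPLE_PAIN001 is a hand-written ISO 20022 pain.001.001.03-style message,
  not a real bank or PISP message;
- the authentication code is an HMAC-SHA256 over (amount, currency, creditor
  IBAN, one-time challenge) under a per-device key, standing in for the
  cryptographic operation a real authenticator performs.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"p": "urn:iso:std:iso:20022:tech:xsd:pain.001.001.03"}

SAMPLE_PAIN001 = """<?xml version="1.0" encoding="UTF-8"?>
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pain.001.001.03">
  <CstmrCdtTrfInitn>
    <GrpHdr>
      <MsgId>PISP-MSG-0001</MsgId>
      <CreDtTm>2024-01-15T10:00:00</CreDtTm>
      <NbOfTxs>1</NbOfTxs>
      <CtrlSum>125.50</CtrlSum>
      <InitgPty><Nm>Example PISP</Nm></InitgPty>
    </GrpHdr>
    <PmtInf>
      <PmtInfId>PMT-0001</PmtInfId>
      <PmtMtd>TRF</PmtMtd>
      <ReqdExctnDt>2024-01-15</ReqdExctnDt>
      <Dbtr><Nm>Payer Name</Nm></Dbtr>
      <DbtrAcct><Id><IBAN>NL00BANK0123456789</IBAN></Id></DbtrAcct>
      <CdtTrfTxInf>
        <PmtId><EndToEndId>ORDER-4711</EndToEndId></PmtId>
        <Amt><InstdAmt Ccy="EUR">125.50</InstdAmt></Amt>
        <Cdtr><Nm>Example Webshop</Nm></Cdtr>
        <CdtrAcct><Id><IBAN>NL00SHOP0987654321</IBAN></Id></CdtrAcct>
      </CdtTrfTxInf>
    </PmtInf>
  </CstmrCdtTrfInitn>
</Document>
"""


def extract_transaction(pain001_xml: str) -> dict:
    """Pull the fields that dynamic linking must bind: amount, currency, creditor IBAN."""
    root = ET.fromstring(pain001_xml)
    tx = root.find(".//p:CdtTrfTxInf", NS)
    amt = tx.find("p:Amt/p:InstdAmt", NS)
    return {
        "end_to_end_id": tx.findtext("p:PmtId/p:EndToEndId", namespaces=NS),
        "amount": amt.text.strip(),
        "currency": amt.get("Ccy"),
        "creditor_iban": tx.findtext("p:CdtrAcct/p:Id/p:IBAN", namespaces=NS),
    }


def linking_message(tx: dict, challenge: bytes) -> bytes:
    """Canonical, length-prefixed encoding so that field boundaries cannot be shifted."""
    out = b""
    for field in (tx["amount"], tx["currency"], tx["creditor_iban"]):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out + challenge


def authentication_code(device_key: bytes, tx: dict, challenge: bytes) -> str:
    """Authentication code bound to amount, beneficiary and this one challenge."""
    return hmac.new(device_key, linking_message(tx, challenge), hashlib.sha256).hexdigest()


def verify_dynamic_link(device_key: bytes, tx: dict, challenge: bytes, code: str) -> bool:
    """The bank recomputes the code over the order it actually received."""
    expected = authentication_code(device_key, tx, challenge)
    return hmac.compare_digest(expected, code)


def demo():
    device_key = b"constructed-per-device-secret"   # assumed: provisioned to the customer's authenticator
    challenge = bytes(16)                            # fixed here for reproducibility; use os.urandom(16) per order
    tx = extract_transaction(SAMPLE_PAIN001)
    code = authentication_code(device_key, tx, challenge)
    genuine_ok = verify_dynamic_link(device_key, tx, challenge, code)
    amount_changed = verify_dynamic_link(device_key, dict(tx, amount="1125.50"), challenge, code)
    beneficiary_changed = verify_dynamic_link(
        device_key, dict(tx, creditor_iban="NL00EVIL0000000000"), challenge, code)
    replayed = verify_dynamic_link(device_key, tx, bytes.fromhex("01" * 16), code)
    return genuine_ok, amount_changed, beneficiary_changed, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The length-prefixed encoding in `linking_message` matters: concatenating the fields directly would let "12.50" + "0NL..." and "12.500" + "NL..." produce the same bytes. The same check the bank performs here is what makes a payment order modified in transit between the PISP and the bank fail authentication.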
For the way in which the parties identify themselves to each other, two options are proposed, with a preference for (option 1) website certificates issued by a so-called qualified trust service provider under the eIDAS framework (Regulation (EU) No 910/2014).
Account information services by Third Parties
Banks must make it possible for third parties to gain access to their customers' payment accounts in order to request account information on behalf of these customers. For this service, too, this only applies to payment accounts that can be accessed online via the customer's own bank, i.e. via the internet or a mobile application. Freely withdrawable savings accounts that the customer can view online should therefore also be accessible through a third party. From a customer perspective, this is also desirable, because this expansion of the PSD precisely aims at giving the customer a total overview of his financial situation.
To access account information via a third party, strong customer authentication is also required. The existing authentication and authorization means that the banks support in their own channels for access to the payment account can be used for this. The account information service provider therefore does not have to conclude a contract with the account servicing payment service provider in order to provide account information services to the customers of that payment service provider.
The account servicing payment service provider must handle third-party account information requests in the same way as similar requests through its own bank channels. The same information must be disclosed for a comparable service. In any case, the following information must be available:
- Balance of the payments account
- Transactions from and to the payments account
- Transaction details associated with the processed transactions
The information requests and responses must be exchanged between the account information service provider and the account servicing payment service provider via ISO 20022 standard messages.
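To make the three items in the list above concrete, the example below is added here; it is not code from the article or from any bank or AISP. It parses a hand-written camt.053-style bank-to-customer statement (the message, IBAN, names and amounts are all constructed), extracts the balance, the booked transactions and their details, checks that each required item is actually present, and reconciles the opening balance plus the entries against the closing balance, which is a cheap consistency check an account information service can run on every statement it receives. The camt.053 namespace and element names are those of camt.053.001.02; everything else is assumed for illustration.

```python
"""Added example (not from the article): checking that an ISO 20022 camt.053-style
statement carries what PSD2 requires an account information service to receive:
balance, transactions, and the details of those transactions.

SAMPLE_CAMT053 is a constructed sample, not a real bank message.
"""
import xml.etree.ElementTree as ET
from decimal import Decimal

NS = {"c": "urn:iso:std:iso:20022:tech:xsd:camt.053.001.02"}

SAMPLE_CAMT053 = """<?xml version="1.0" encoding="UTF-8"?>
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:camt.053.001.02">
  <BkToCstmrStmt>
    <GrpHdr><MsgId>STMT-0001</MsgId><CreDtTm>2024-01-16T06:00:00</CreDtTm></GrpHdr>
    <Stmt>
      <Id>STMT-0001</Id>
      <Acct><Id><IBAN>NL00BANK0123456789</IBAN></Id><Ccy>EUR</Ccy></Acct>
      <Bal>
        <Tp><CdOrPrtry><Cd>OPBD</Cd></CdOrPrtry></Tp>
        <Amt Ccy="EUR">1000.00</Amt><CdtDbtInd>CRDT</CdtDbtInd>
        <Dt><Dt>2024-01-15</Dt></Dt>
      </Bal>
      <Bal>
        <Tp><CdOrPrtry><Cd>CLBD</Cd></CdOrPrtry></Tp>
        <Amt Ccy="EUR">924.50</Amt><CdtDbtInd>CRDT</CdtDbtInd>
        <Dt><Dt>2024-01-15</Dt></Dt>
      </Bal>
      <Ntry>
        <Amt Ccy="EUR">125.50</Amt><CdtDbtInd>DBIT</CdtDbtInd><Sts>BOOK</Sts>
        <BookgDt><Dt>2024-01-15</Dt></BookgDt>
        <NtryDtls><TxDtls>
          <Refs><EndToEndId>ORDER-4711</EndToEndId></Refs>
          <RltdPties><Cdtr><Nm>Example Webshop</Nm></Cdtr></RltdPties>
          <RmtInf><Ustrd>Order 4711</Ustrd></RmtInf>
        </TxDtls></NtryDtls>
      </Ntry>
      <Ntry>
        <Amt Ccy="EUR">50.00</Amt><CdtDbtInd>CRDT</CdtDbtInd><Sts>BOOK</Sts>
        <BookgDt><Dt>2024-01-15</Dt></BookgDt>
        <NtryDtls><TxDtls>
          <Refs><EndToEndId>REFUND-01</EndToEndId></Refs>
          <RltdPties><Dbtr><Nm>Employer BV</Nm></Dbtr></RltdPties>
          <RmtInf><Ustrd>Expense refund</Ustrd></RmtInf>
        </TxDtls></NtryDtls>
      </Ntry>
    </Stmt>
  </BkToCstmrStmt>
</Document>
"""


def signed_amount(amount_text: str, cdt_dbt_ind: str) -> Decimal:
    """CRDT increases the account, DBIT decreases it; Decimal avoids float rounding on money."""
    amount = Decimal(amount_text)
    return amount if cdt_dbt_ind == "CRDT" else -amount


def parse_statement(xml_text: str) -> dict:
    """Extract the PSD2-required items: balance(s), transactions and their details."""
    root = ET.fromstring(xml_text)
    stmt = root.find(".//c:Stmt", NS)
    balances = {}
    for bal in stmt.findall("c:Bal", NS):
        code = bal.findtext("c:Tp/c:CdOrPrtry/c:Cd", namespaces=NS)   # OPBD = opening, CLBD = closing
        balances[code] = signed_amount(bal.findtext("c:Amt", namespaces=NS),
                                       bal.findtext("c:CdtDbtInd", namespaces=NS))
    transactions = []
    for ntry in stmt.findall("c:Ntry", NS):
        details = ntry.find("c:NtryDtls/c:TxDtls", NS)
        counterparty = None
        if details is not None:
            counterparty = (details.findtext("c:RltdPties/c:Cdtr/c:Nm", namespaces=NS)
                            or details.findtext("c:RltdPties/c:Dbtr/c:Nm", namespaces=NS))
        transactions.append({
            "amount": signed_amount(ntry.findtext("c:Amt", namespaces=NS),
                                    ntry.findtext("c:CdtDbtInd", namespaces=NS)),
            "status": ntry.findtext("c:Sts", namespaces=NS),
            "booking_date": ntry.findtext("c:BookgDt/c:Dt", namespaces=NS),
            "end_to_end_id": details.findtext("c:Refs/c:EndToEndId", namespaces=NS) if details is not None else None,
            "counterparty": counterparty,
            "remittance": details.findtext("c:RmtInf/c:Ustrd", namespaces=NS) if details is not None else None,
        })
    return {"iban": stmt.findtext("c:Acct/c:Id/c:IBAN", namespaces=NS),
            "balances": balances, "transactions": transactions}


def missing_required_items(statement: dict) -> list:
    """Name whatever is absent of: closing balance, transactions, per-transaction details."""
    missing = []
    if "CLBD" not in statement["balances"]:
        missing.append("balance")
    if not statement["transactions"]:
        missing.append("transactions")
    for i, tx in enumerate(statement["transactions"]):
        if tx["end_to_end_id"] is None or tx["counterparty"] is None:
            missing.append(f"details:{i}")
    return missing


def reconciles(statement: dict) -> bool:
    """Opening balance plus all booked entries must equal the closing balance."""
    booked = sum(tx["amount"] for tx in statement["transactions"] if tx["status"] == "BOOK")
    return statement["balances"]["OPBD"] + booked == statement["balances"]["CLBD"]


if __name__ == "__main__":
    st = parse_statement(SAMPLE_CAMT053)
    print(st["balances"], missing_required_items(st), reconciles(st))
```

The reconciliation step is where a defender gets value: a statement whose entries do not add up to its closing balance is either truncated, tampered with or mis-parsed, and any of those should stop the data from being shown to the customer as a reliable overview.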