The law is changing. Following the introduction of the EU Payment Services Directive (PSD2) from 13 January 2018, online services that you allow to access your account data or make payments on your behalf will be regulated by the Financial Conduct Authority.
With your consent, these services can allow you to see all your bank accounts in one place in a mobile app or online. They can also be used to pay for things online, as an alternative to using your debit or credit card.
You might see these services being provided by companies you recognise, such as high street banks, or by other companies who are not banks. There are already a number of companies providing these services in the UK which will need to be regulated.
You may see these services referred to as Account Information Services (AIS) or Payment Initiation Services (PIS).
Bringing these services into regulation means businesses providing them will need to meet requirements designed to protect customers including from financial and data loss.
Who can provide these services?
From January 2018, companies that are authorised or registered by the Financial Conduct Authority, or another European regulator, can provide AIS or PIS.
The FCA and other European Regulators will add AIS and PIS providers to the registers they keep of all authorised businesses. These registers are publically available.
You should be aware that companies that have been providing these services since before 12 January 2016 do not need to be authorised by the FCA until the end of 2019, so may not appear on the FCA’s register until a later date.
Before you use one of these services be alert, and make sure you are confident that any organisations you share your information with are who they say they are. You should make sure that you understand the service and that you are happy with who will be providing it to you.
Giving consent for access to account data
When you sign up with a company for account information services, the AIS provider should give you enough information to understand the nature of the service being provided and how it will use your data, including whether it will share your data with anyone else.
Sharing security details
Currently, businesses that provide AIS and PIS often ask you to share your bank security details with them, such as your login and passwords.
Under existing data protection law, these businesses must protect your data and PSD2 will require these businesses to put further measures in place to keep your credentials safe and secure.
Your banking terms and conditions should not prevent you from sharing your credentials with regulated AIS or PIS providers. Your bank cannot hold you responsible for unauthorised transactions just because you have shared your credentials with regulated AIS and PIS providers.
If you notice a payment out of your account that you did not authorise, you should contact your bank as soon as possible. If you did not authorise it you can claim a refund. You should contact your bank to claim a refund even if you think a PIS was used to make the payment.
Making a complaint
You have the right to complain to an AIS or PIS provider if you have a problem with the service they are providing. They must respond to your complaint within 15 days unless there are exceptional circumstances.
If you are not happy with the firm’s response, they reject your complaint or you do not hear from them, you have the right to take your complaint to the Financial Ombudsman Service.
If your complaint is about something your bank has done, for example if a bank has refused to refund an unauthorised payment, you should contact the bank to make a complaint. You have the same right to take your complaint to the Financial Ombudsman Service.
How to protect yourself
We want consumers to enjoy the full benefits that these changes can bring, however there are some important things you should be aware of.
- Be alert - you should be vigilant to fraud when using online payment initiation or account information services. If you don’t know who you are talking to, or there is reason to suspect that the provider is not who they claim to be, don’t disclose your banking security credentials, or other personal or financial information.
- Read the details - always read the terms and conditions of a provider of financial services carefully before signing up, this includes the terms and conditions of AIS and PIS providers.
- Be data savvy - make sure you understand and agree with what access you are granting to your account, how the account information will be used and who it may be passed to.
- Check your statements - keep an eye on your bank statements and get in touch with your bank if you don’t recognise a payment.
Companies that access your data need to comply with data protection law. Banks, building societies and other payment services providers, including AIS providers, will be subject to data protection law as well as the requirements of PSD2.
If you have a concern about a breach of data protection law, you can contact the Information Commissioner’s Office.