The law is changing. When the EU Payment Services Directive (PSD2) was introduced on 13 January 2018, online services that you allow to access your account data or make payments on your behalf became regulated by the Financial Conduct Authority.
Account Information Services Provider (AISP) – what it does
An Account Information Service Provider (AISP) lets you see all your account information from different bank accounts in one place online or in a mobile app. AISPs can include budgeting apps and price comparison websites offering budgeting help and product recommendations. An AISP needs your explicit consent to provide you with these services.
Payment Initiation Service Provider (PISP) – what it does
A Payment Initiation Service Provider (PISP) lets you pay companies directly from your bank account rather than using your debit or credit card through a third party such as Visa or MasterCard. A PISP needs your explicit consent before providing you with this kind of service.
Explicit consent – needed by AISPs and PISPs
Services offered by AISPs and PISPs may be called Account Information Services (AIS) and Payment Initiation Services (PIS). These may be provided by companies you recognise, such as high street banks, or by other companies that are not banks. They can only provide these services if you give them your explicit consent. A company providing these services should never assume your consent.
When you sign up with a company for account information services, the AISP should give you enough information to understand:
- the nature of the service
- how it will use your data
- whether it will share your data with anyone else
Checking AISPs and PISPs are registered with the FCA
Always check on the Financial Services Register that a company providing Account Information Services or Payment Initiation Services is registered or authorised before using it. Both AISPs and PISPs must be registered or authorised with us.
Companies that have been providing these services since before 12 January 2016 don’t need to be authorised by us until the end of 2019, so may not yet appear on the register.
You can also contact our Consumer Helpline on 0800 111 6768 to check if AISPs and PISPs are registered or authorised.
Be alert – before you use one of these services make sure you are confident that:
- organisations you share your information with are who they say they are
- you understand the service
The UK’s Open Banking Initiative
The banking industry is currently working on how to standardise the way data is accessed by AISPs and PISPs, including through ‘open banking standards’. See the Money Advice Service and The Open Banking for more information.
Sharing security details
Currently, businesses that provide AIS and PIS often ask you to share your bank security details with them, such as your login and passwords.
Under existing data protection law, these businesses must protect your data. PSD2 will require these businesses to put further measures in place to keep your credentials safe and secure.
Your banking terms and conditions should not prevent you sharing your credentials with regulated AIS or PIS providers. Your bank cannot hold you responsible for unauthorised transactions just because you have shared your credentials with regulated AIS and PIS providers.
If you notice a payment out of your account that you did not authorise, you should contact your bank as soon as possible. If you did not authorise it you can claim a refund. You should contact your bank to claim a refund even if you think a PIS was used to make the payment.
Making a complaint
You have the right to complain to an AIS or PIS provider if you have a problem with the service they are providing. They must respond to your complaint within 15 days unless there are exceptional circumstances.
If you are not happy with the firm’s response, they reject your complaint or you do not hear from them, you have the right to take your complaint to the Financial Ombudsman Service.
If your complaint is about something your bank has done, for example if a bank has refused to refund an unauthorised payment, you should contact the bank to make a complaint. You have the same right to take your complaint to the Financial Ombudsman Service.
How to protect yourself
We want consumers to enjoy the full benefits that these changes can bring, but there are some important things you should be aware of.
- Be alert – you should be vigilant about fraud when using online payment initiation or account information services. If you don’t know who you are talking to, or there is reason to suspect that the provider is not who they claim to be, don’t disclose your banking security credentials, or other personal or financial information.
- Read the details – always read the terms and conditions of a provider of financial services carefully before signing up. This includes the terms and conditions of AIS and PIS providers.
- Be data savvy – make sure you understand and agree with what access you are granting to your account, how the account information will be used and who it may be passed to.
- Check your statements – keep an eye on your bank statements and get in touch with your bank if you don’t recognise a payment.
Companies that access your data need to comply with data protection law. Banks, building societies and other payment services providers, including AIS providers, will be subject to data protection law as well as the requirements of PSD2.
If you have a concern about a breach of data protection law, you can contact the Information Commissioner’s Office.