Find out more about new regulated payment service activities under PSD2.
As part of promoting the development and use of innovative online payment services, PSD2 brings two types of payment services activity under regulation for the first time - account information and payment initiation services.
Firms offering payment accounts accessible on-line must allow third-party providers to access users’ accounts (with these users' explicit consent). These third parties – providers of account information services (AISPs) and payment initiation services (PISPs) - will be regulated under PSD2 with corresponding permissions and obligations.
Account Information Services
Under PSD2 an ‘account information service’ is an online service which provides consolidated information on payment accounts held by a payment service user with payment service providers. These services already exist in the UK, however, PSD2 will bring them within the scope of regulation; ensure that AISPs can receive access to payment accounts and place requirements on them to ensure security for users.
Payment Initiation Services
Under PSD2, a ‘payment initiation service’ is an online service which accesses a user’s payment account to initiate the transfer of funds on their behalf with the user’s consent and authentication. Payment initiation services provide an alternative to paying online using a credit card or debit card.
These services are not widely used for online payments in the UK, but are used in other European countries. The new rules will bring payment initiation services within the scope of regulation; ensure that PISPs receive access to payment accounts and place requirements on them to ensure security for users.
Providing access to customers’ payment accounts for providers of AIS and PIS
Firms that provide ‘payment accounts’ to their customers that are accessible online will have to give AISPs and PISPs access to these accounts, with the user’s consent and authentication. Under PSD2, providers of payment accounts are referred to as ‘account servicing payment service providers’ (ASPSPs).
Expectations for the third party access provisions in PSD2
The European Banking Authority is responsible for developing regulatory technical standards which will introduce common and secure standards for communications between ASPSPs and AISPs or PISPs. These technical standards are expected to take effect from Q3 2019. We issued a joint communication with the Treasury which sets out our expectations of firms in the pre-RTS period.
The joint communication also reflects our views around the use of application protocol interfaces (APIs) standards, such as those being developed by the Open Banking Implementation Entity, as the basis on which secure access to payment accounts could be provided in future.
Our role in regulating AIS and PIS providers
We will be responsible for ensuring AISPs and PISPs are registered or authorised. For firms that only carry on account information services, there is an option to become a ‘registered account information service provider’. These providers will have no capital requirements and will need to meet fewer conditions than authorised firms. Businesses that provide payment initiation services must be authorised and must have a minimum of €50,000 in initial capital (or higher if they provide certain other payment services). Both AISPs and PISPs will have to hold professional indemnity insurance (PII). The EBA has developed Guidelines on PII.
Read the EBA guidelines on PII.