What is PSD2 XS2A?

As you may know, PSD2 (follow this link for the legal details) formalizes and regulates a number of payment services, namely Payment Initiation Services (PIS) and Account Information Services (AIS), provided by third-party payment service providers (TPPs) to banks' customers.

One of the reasons put forward by the European Commission for regulating these existing services is customer protection: TPPs sometimes provided PIS and AIS in an unsecured way (no strong customer authentication, sharing of customers' credentials with unregulated actors). Another important reason highlighted by the European Commission for bringing PIS and AIS within the scope of PSD2 is that it allows TPPs across Europe to compete on a level playing field and should foster innovation.

PSD2 contains requirements for the banks (ASPSPs) to make their customers' account information available to TPPs under certain conditions, allowing the TPPs to continue (or start) providing their PIS and AIS. These requirements are usually referred to as the Access to Accounts (XS2A) part of PSD2.

In short, the TPPs should access bank accounts:

  1. Through secured and dedicated interfaces (mostly APIs), built and offered to the TPPs by the ASPSPs;
  2. With the explicit consent of the payment service users (PSUs);
  3. In accordance with EBA's regulatory technical standards (follow this link for the details);
  4. By identifying themselves based on a qualified certificate delivered by a trusted provider (QTSP), following the completion of a licensing process with a competent authority (see also this other article in our knowledge base).