PSD II - Account Information Services
Account Information Services in the proposal for the Payment Services Directive II
The review of the Payment Services Directive (2007/64/EC, "PSD") has initiated a discussion on the status and future of account information services ("AIS" or "account robots"). This is when a third party authorized by the account holder processes information available in the user’s online banking facility to provide financial intelligence and new functionalities not available from the account provider (typically a bank). These types of services are actively used by millions of users in Europe and also worldwide.
WHAT IS IT EXACTLY?
An account robot is a range of IT services for account holders that facilitate smarter use of traditional financial services.
By combining the intelligence and ubiquity of today’s IT data mining tools and standardised on-line banking facilities, an account robot engages the information cumulating rapidly on account to provide end users substantial new efficiency directly or via value added services of third parties.
HOW IT WORKS?
An account robot accesses the account via online banking on behalf of the user (it logs into the account like a normal user does) or through a specific channel provided by the account operator.
The account robot infrastructure extracts and reprocesses the available account information (balance, transactions, recipients - depending on the extent of authorisation from the user) to present the account content to the user or third party designated by user. The user is provided with new facilities not available from the account provider, including expenses tracking, accounts aggregation, mirroring the current account setup when opening new account, verification of creditworthiness, confirmation of identity.
ACCOUNT ROBOT LIFE APPLICATIONS
ACCOUNT AGGREGATION: A balance of multiple accounts held by the user in various banks is presented instantly on one single webpage (the account robot page) or via a mobile application. The user has immediate access to complete information of his current financial standing, including deposits, current account balance, credit card balance, funds in transit between accounts.
EXPENSES TRACKING: Card transactions, credit transfers and direct debits are scanned to identify similar or recurring transactions. Totals for selected expense categories are presented to the user. The user is often for the first time made aware of their expenditure patterns and thus has credible information when planning their spending habits.
ACCOUNT COMPARISON: Fees charged to the account by the account provider, along with deposit and debit interest are scanned and presented to the user. The user is able to compare the fees of their account with other providers.
ACCOUNT SWITCHING: A user opening a new account may easily mirror the existing account setup (standing orders, predefined recipients, etc.) in the new account (this requires the account provider to cooperate with the account robot or to provide its own account robot or that account operator recognizes the generic messaging format declared by the third party account robot).
CREDITWORTHINESS VERIFICATION: When applying for credit facility instead of providing usual proof of stable income, the account holder allows the credit provider to screen the income on the current account (this requires the account provider to cooperate with the account robot or to provide its own account robot or that account operator recognizes the generic messaging format declared by the third party account robot).
IDENTITY CONFIRMATION: When accessing remote services requiring AML – level identity confirmation (investment services, insurance, account opening) the identity may be confirmed via an account robot (this requires the account provider to cooperate with the account robot or to provide its own account robot or that account operator recognizes the generic messaging format declared by the third party account robot).
WHO CAN USE
The account robot is available to account holders where online banking is available. Each account robot provider decides which account providers (nowadays primarily banks) and which type of account held in this provider are covered by the account robot. Usually once a specific account provider is covered the account robot is available both to consumers and professionals holding accounts in this provider.
Where the account operator does not provide a specific channel to communicate securely with external account robot providers, the user needs to provide account robot provider temporarily (for the period of the service) the login credentials to the account’s online banking facility.
Account robot providers usually protect users credentials by deploying the same measures as banks operating the account and removing the credentials immediately after the service is completed. The risk of credentials being leaked is therefore avoided. Users are usually encouraged to change the credentials once the account robot service has finished the tasks requiring access to the credentials.
Where the account operator provides a specific channel to communicate securely with external account robot providers the security is guaranteed twofolds. The account robot provider authenticates itself vis a vis the account operator; it is fully clear whether the actions on the account are performed by the user or by the account robot provider. Also,the account holder explicitly authorises the account robot provider vis a vis the account provider.
Where a specific communication channel is not available, the use of the account robot requires that the user discloses to the account robot the login credentials obtained from the account provider.
The payment services laws usually require the account / instrument holder to take all reasonable steps to keep their personalised security features safe (see Article 56 sec. 2 of the PSD). The terms and conditions of account and instrument providers tend to understand this wording as a power vested to the provider to prohibit unconditionally the disclosure of the login credentials to any third party (which is usually accompanied by the user’s liability for any actions of those third parties)
This understanding has not been assessed by any relevant authority across the whole of the EU. However, in a controversial case brought by German banks against a German payment initiation services provider, a German regional court (with concurrent opinion of the German Competition Authority) declared such understanding as not binding because of hampering competition. Despite the fact that the case does not explicitly refer to account information services, given that the core access principle remains the same for payment initiation services and account information services, the use of any of those services may not be deemed automatically a user’s failure to keep security features safe.
CONCERNS AROUND CURRENT APPROACH OF THE PSD II RELATED TO THE ACCOUNT INFORMATION SERVICES
Account information services become payment services under PSD II. Once PSD II is implemented into national legislation those services will transform into regulated services.
Despite clear indication in the PSD II legislative process that the new legislation provides legal certainty with respect to the status of account information services and strengthens the position of their providers, there are Member States which have practically prevented the authorized institutions from integrating those services into their market offering. This approach has been adopted in Poland. The competent authority for payment services providers (Komisja Nadzoru Finansowego – Financial Supervision Commission) prohibited banks in late 2014 from making use of account information services. Banks used to integrate account access tools into their e-banking systems in order to enable instant creditworthiness verification, account switching, and identity confirmation (for AML or other purposes). A decree issued by the PL FSC closed the market for those services. Similar developments have taken place in the Netherlands (judicial decree providing a provider to access accounts in one of the leading banks).
In light of those developments it is crucial that PSD II is in place as soon as possible and that the obligations of the Member States regarding the legal certainty of account information services / payment initiation services status once PSD II is passed are explicitly stated in PSD II. In line with established ECJ case law regarding the power of EU directives, once PSD II is passed the Member States must - regardless of the transition period - refrain from taking measures liable to seriously compromise the attainment of the result prescribed by PSD II (see cases: case C-129/96 Inter-Environnement Wallonie  ECR I-7435, paragraph 45, case C‑14/02 ATRAL  ECR I-4431, paragraph 58; case C-144/04 Werner Mangold  ECR I-10013, paragraph 67). There is no doubt that complete delegalization of a service the legality of which is unequivocally confirmed by the forthcoming directive is liable to seriously compromise the effect of this directive. With respect to PSD II most providers will find it hard to maintain the service on standby until it can be lawfully offered, so the supply of this service once it can be lawfully provided is entirely uncertain. This fact goes completely against the pro-innovative spirit of PSD II. This conclusion does not derogate the rights of the Member States to take advantage of the transition period for PSD II implementation. Each Member State still retains individually the exclusive power to decide when (within the transition period) the specific rights and obligations related to account information services enter into force (e.g. when the provider becomes equivalent to a payment institution and in consequence enjoys the same rights, including access to payment systems and access to accounts maintained with a credit institution – art 29-29a of PSD II). The core powers of the Member States are thus not derogated by the reasoning presented above.
In order that the single market for payments services is duly respected the concerns highlighted above have to be addressed in PSD II. The need to address those concerns is all the more urgent because PSD II addresses them in relation to payment initiation services. Though account information services have mostly been discussed together with payment initiation services and eventually both become payment services under PSD II, PSD II addresses the concerns related to the transition into regulated services only with respect to payment initiation services (see recital 18, which touches exclusively upon payment initiation services: “…Pending the application of these rules, without prejudice to the need to ensure the security of payment transactions and customer protection against demonstrable risk of fraud, Member States and the Commission, should guarantee fair competition in this market avoiding unjustifiable discrimination against any existing player on the market.”). To ensure a level playing field for payment initiation services and account information services similar wording needs to be adopted in the relevant recitals.
Concerns arise additionally around the references of the PSD II to the AIS. Account information services have managed to prove in practice that their potential to improve the efficiency of financial services is substantial. This includes creditworthiness verification, account switching, and identity confirmation (for AML or other purposes). Further applications are expected in future, triggered by the users’ needs communicated to the financial services industry. PSD II mostly takes account of this broad potential and remains neutral about the technology of account information services and application of this technology by referring to “services requested by the user” (article 59.2.f) or “information requested through an account information service provider” (article 87.1c), “access and use the information on the payment services user account” (recital 51). This clear picture, consistent with the spirit of PSD II, becomes less certain due to references to “aggregated online information on one or more payment accounts“ (recital 18a), “service to provide consolidated information on one or more payment accounts” (article 4.33), “information from designated payment accounts” (article 59.2.d).
To ensure unquestionable clarity regarding the highly sensitive issues of account access the spirit of PSD II has to be enforced by confirming clear priority of the technology - and application - neutral approach to account information services in PSD II. This approach requires that the PSD refers to services and/or information requested or designated by the user through an account information service provider.