PSD2: BaFin publishes fact sheet on account access interfaces
Written By
Partner
Germany
As co-head of the global Finance & Financial Regulation Practice Groups and head of the German Finance & Financial Regulation Practice Group, I advise on national and international finance and capital markets law as well as on commercial and corporate law. I am also a member of the international steering group of our Financial Services Sector Group.
Partner
Germany
As partner in our Finance & Financial Regulation Group in Frankfurt, I advise our national and international clients on banking regulatory issues and finance law.
Associate
Germany
As an associate in our Finance & Financial Regulation Practice Group located in Frankfurt, I advise international and national clients on regulatory issues and finance law.
Related
Practices
Sectors
Regions
Countries
BaFin publishes its administrative practice as a leaflet on the granting of an exemption from the provision of a fallback option under Article 33(6) of Delegated Regulation (EU) 2018/389.
Background
Before the PSD2 (Directive (EU) 2015/2366) and its implementation in the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, ZAG) came into force, payment initiation service providers (Zahlungsauslösedienstleister, PISP) and account information service providers (Kontoinformationsdienstleister, AISP) used the account holders' online banking access data to provide their services to the account holders (so-called screen scraping). The disclosure of this sensitive data was generally excluded by the general terms and conditions of the account-holding institutions. Even though Germany’s Federal Court of Justice (BGH) considers a contractual prohibition to be inadmissible under cartel law, access to the account holders' access data by third parties is not desirable due to the risks involved. Although PISP and AISP had access to their customers' accounts, they were not regulated before the PSD2 implementation.
Now that PISP and AISP are regulated, it was also stipulated, among other things, that these third-party payment service providers must be able to access the required data at the account-holding payment service providers through a dedicated interface - for example via API (application programming interface). However, the introduction of these dedicated interfaces caused some difficulties (see our Client Alert).
If these dedicated interfaces are not accessible, the Delegated Regulation (EU) 2018/389 of the European Commission stipulates that account servicing payment service providers (ASPSP) must provide the third party payment service providers (TPP) with a fallback option. ASPSP can be exempted from the obligation to provide such a fallback option if they fulfil certain conditions. BaFin had already published an application form for exemption in 2019 and instructions on how to apply in 2021. The new BaFin leaflet now summarises BaFin's administrative practice on this exemption.
Exemption from the obligation to establish the fallback option
BaFin sets out the requirements for an exemption from the obligation to set up the fallback option in its information sheet. In doing so, BaFin regularly refers to the Opinion of the European Banking Authority on the implementation of the RTS on SCA and CSC (EBA-OP-2018-04) (see our Client Alert) as well as the related EBA guidelines (EBA/GL/2018/07). These pan-European guidelines are an essential part of BaFin's practice.
The requirements that BaFin now presents are divided into the following topics:
a) the dedicated interface complies with all the requirements set out in Delegated Regulation (EU) 2018/389 (in particular the requirements for a dedicated interface set out in Art. 32 and the general requirements for access interfaces set out in Art. 30);
b) the dedicated interface has been designed and tested to the satisfaction of the payment service providers using the dedicated interface;
c) the dedicated interface has successfully undergone a market trial period of at least three months; and
d) all problems related to the dedicated interface were raised immediately.
Requirements of the Delegated Regulation
BaFin emphasises that the Delegated Regulation imposes various requirements. Here, BaFin emphasises the following points in particular:
- The dedicated interface shall have all the functions set out in Table 1 of the EBA Opinion.
- The service level, performance and availability of the dedicated interface must, according to the institution's internal specifications, be at least at the same level that the institution applies to the customer interfaces.
- In practice, too, the performance and availability of the dedicated interface must keep pace with those of the customer interfaces. However, minor deviations that customers do not notice are harmless.
- The ASPSP must compile statistics on the performance and availability of the dedicated interface and publish them on the website.
- The performance must have been proven by stress tests.
- There must be no obstacles that the EBA has named in its opinion. BaFin lists exemplary obstacles, e.g. the need to manually enter the IBAN of the payment account, necessary pre-registrations, or the need for the payment service user to authorise the use of PISP/AISP via online banking (so-called ex-ante consent).
Satisfaction of the PISP/AISP
The dedicated interface must be designed to the satisfaction of the PISP and AISP. This does not mean, however, that there must be a positive approval by the PISP and AISP, but only that BaFin has not received any justified complaints.
For the design of the dedicated interface, BaFin refers to the requirements of the EBA Opinion and the EBA Guidelines.
BaFin emphasises that set standing orders as well as the name of the account holder must be retrievable by AISPs. In addition, a payment service user must be able to allow a AISP to retrieve the account data four times a day for 90 days without a new strong customer authentication.
Market probation phase
In order for an account servicing payment service provider to be exempt, it must go through a three-month market trial period. During this time, the dedicated interface must be used extensively. BaFin therefore requires the submission of current usage figures as proof.
However, low usage figures do not exclude the possibility that the market proofing phase will be successfully completed. Especially in the case of smaller institutions, the interest of the PISPs and the AISPs in using it may be low. In these cases, it is sufficient for the institution to publicise the possibility of use.
BaFin publishes the institutions that are in the market probation phase on its website, stating the start of the market probation phase.
Problem solving
The account-holding payment service providers must rectify possible problems with the dedicated interface without culpable hesitation. In addition to a confirmation by the ASPSP in the application form, BaFin relies on possible complaints by PISP and AISP. Insofar as no justified problems have been reported by the PISP and AISP using the interfaces in their complaints against an account servicing payment service provider, BaFin assumes that all problems with the dedicated interface have been rectified without delay.
Conclusion
The now published requirements of BaFin are not news. Nevertheless, it is welcome that BaFin's administrative practice is summarised in a central document. This makes it easier for ASPSP to submit applications to BaFin in such a way that rapid processing is possible.
