A spokesperson for the Association of German Banks (BdB) confirmed to Out-Law.com that the appeal had been filed.
The BdB previously intimated its intention, together with the Association of German Cooperative Banks (BVR) and the German Savings Banks Association (DSGV), to appeal the ruling before a regional court in Düsseldorf.
The Federal Cartel Office (FCO) said in early July that general terms and conditions imposed by banks in relation to the use of online banking services by customers were in breach of competition rules. The terms prevent bank customers from using their bank PIN (personal identification number) and TAN (transaction authentication number) in non-bank payment systems to allow access to third-party systems.
The terms have impeded the use of new payment systems for the purchase of goods and services online, the FCO said.
In an earlier statement the trade associations said they "reject the ruling" of the FCO and defended the restrictions banks impose as being "in the interests of the customer and the bank".
"The terms and conditions currently in use were recommended by the banking associations to their members in 2009 and set out, among other things, customers’ obligations not to disclose their PIN or TAN," the statement said. "The [FCO] takes the view that this unfairly obstructs online payment services which use the customer’s PIN and TAN. The affected associations do not share the assessment of the competition authority and will appeal the ruling in the Düsseldorf Higher Regional Court."
"The clauses are in the interests of the customer and the bank because their sole purpose is to make online banking secure and ensure data protection. They require customers to protect the PIN and TAN assigned to them by their bank from being accessed by third parties. Otherwise, there is a risk of these 'keys' to their account being used to gain unauthorised access to account data and for fraudulent transactions," it said.
Under the new EU Payment Services Directive (PSD2), which came into force in January and which will need to be implemented into national laws across the EU by early 2018, banks and other payment service providers (PSPs) must give so-called payment initiation service providers (PISPs) access to their customers' accounts so as to facilitate transactions ordered at the customers' request. However, in return, PISPs must observe a number of data security obligations and take on certain liabilities in relation to any unauthorised transactions they are responsible for.
PSD2 also promotes account information services, like businesses that allow customers to access information about all their payment accounts in one place. The new rules require PSPs to open up access to the accounts they manage on behalf of a customer where the account information service provider (AISP) has obtained the "explicit consent" of that customer for such access. Like PISPs, AISPs also face data security obligations.