The Federal Cartel Office (FCO) said that the terms and conditions of the German Banking Industry Committee hinder the development of new payment services.
The rules prevent bank customers from using their bank PIN (personal identification number) and TAN (transaction authentication number) in non-bank payment systems to allow access to third-party systems.
This has impeded the use of new payment systems for the purchase of goods and services online, the FCO said.
"The providers of these payment solutions have developed an offer of services which provides a lower-priced alternative to the payment solutions already established in the market and have responded to the needs of online customers and sellers for a cheap and fast payment option," the FCO said.
Andreas Mundt, president of the FCO, said: "The online banking conditions of the German Banking Industry Committee hinder the offer of new and innovative services in the growing market for payment services in the e-commerce sector. In essence, it is about whether non-bank payment services can also use PINs and TANs. We have taken careful consideration of the justified interest of the banking industry that security in online banking has to be safeguarded. However, the rules currently used cannot be considered as a necessary part of a consistent security concept of the banks and they impede non-bank competitors."
Under the new EU Payment Services Directive (PSD2), which came into force in January and which will need to be implemented into national laws across the EU by early 2018, banks and other payment service providers (PSPs) must give so-called payment initiation service providers (PISPs) access to their customers' accounts so as to facilitate transactions ordered at the customers' request. However, in return, PISPs must observe a number of data security obligations and take on certain liabilities in relation to any unauthorised transactions they are responsible for.
PSD2 also promotes account information services, like businesses that allow customers to access information about all their payment accounts in one place. The new rules require PSPs to open up access to the accounts they manage on behalf of a customer where the account information service provider (AISP) has obtained the "explicit consent" of that customer for such access. Like PISPs, AISPs also face data security obligations.
The FCO has "limited its intervention to declaring the illegality of the clauses objected to". It said it has "suspended the immediate enforceability of its decision" at the request of the organisations involved in the case.
Parallel ongoing civil proceedings and deliberations on a reform of the law "will benefit from the [FCO's] detailed legal interpretation based on its official investigations", it said.