EU regulators conduct unannounced inspections in market for online access to bank account information

The inspections were carried out "in a few member states" on 3 October, the Commission said in a statement. According to the Financial Times, bank industry trade associations in Poland and the Netherlands were among the organisations whose offices were visited by the regulators.

The Commission said it has concerns that some businesses and/or trade bodies "may have engaged in anti-competitive practices in breach of EU antitrust rules that prohibit cartels and restrictive business practices and/or abuse of dominant market positions".

These alleged anti-competitive practices are aimed at excluding non-bank owned providers of financial services by preventing them from gaining access to bank customers' account data, despite the fact that the respective customers have given their consent to such access," it said.

“Any agreement or understanding reached between banks to limit or delay access to the data required may breach the rules prohibiting anti-competitive agreements," said competition law expert Alan Davis of Pinsent Masons, the law firm behind Out-Law.com. "The banks and the trade associations could be subject to penalties and even follow-on damages actions if market foreclosure is found to have caused material loss to third parties. On the other hand, the banks and trade associations may seek to argue that either they have restricted access on the basis of legitimate data protection concerns."

Robert Eriksson, competition law expert at Pinsent Masons, said: "There is no indication that there are any similar concerns in the UK but there is increasing scrutiny of the payment services market. The Payment Systems Regulator (PSR) recently carried out market reviews that covered payment services and systems in the UK and the PSR’s competition law enforcement powers apply more broadly to any payment system active in the UK. It is likely that this EU investigation will cause the PSR to monitor carefully the position in the UK."

The Commission's inspections, which were carried out in cooperation with national regulators, follow on from concerns raised last year by the Federal Cartel Office (FCO) in Germany.

At the time, the FCO said that terms and conditions used by the German banking industry in relation to online banking restrict competition and violate both German and EU competition law. Those rules prevent bank customers from using their bank PIN (personal identification number) and TAN (transaction authentication number) in non-bank payment systems to allow access to third-party systems. The FCO said this had impeded the use of new payment systems for the purchase of goods and services online.

However, three bank industry trade associations in Germany lodged a court appeal against the FCO's ruling

Account information service providers (AISPs) are among the new batch of financial technology (fintech) companies to have emerged into the payment services market in recent years.

The services AISPs provide can take a variety of forms, but in essence they help consumers to gain an overview of their financial situation by aggregating information from one or more of their payment accounts and displaying that data in a way that is easy for consumers to understand and base decisions on.

To-date, AISPs have relied predominantly on 'screen scraping' measures to access customers' bank account information and display it in the services they offer. However, AISPs are set to gain new rights to access this information when the revised Payment Services Directive (PSD2) takes effect. PSD2 must be in force in national law across the EU by 13 January 2018.

Under the new PSD2 regime, banks and other payment service providers (PSPs) that provide account services directly to consumers and businesses – 'account servicing payment service providers' (ASPSPs) – will be obliged to allow AISPs to access the account information they hold at the explicit request of customers on a non-discriminatory basis. Only in select cases, such as where ASPSPs suspect a fraud risk, will that access be able to be denied.

In return, AISPs will be brought within the scope of regulation for the first time. Among the obligations they will face will include rules on keeping data secure.

"To date, UK banks have been concerned about access too – most UK bank account T&Cs will prohibit the sharing of credentials and PIN details," said payments and technology law expert Angus McFadyen of Pinsent Masons. "Whilst the concern remains, banks are now issuing updates to their T&Cs which align with the intent of PSD2 and remove these restrictions."

"With these updates coming through, we’ve seen rising concern among some consumers who are unsure about why this is happening at all and who will be able to access their data. Clear customer messaging is vital, both for the banks and the new entrants, in articulating the benefit that these AISPs and payment initiation service providers (PISPs) can bring," he said.

"Whilst there’s lots of talk about how AISP and PISP services are new, we should remember that there only new to regulation – there’s a live market for these services that has been operating in the UK for years, and it currently supports millions of consumer and business users," McFadyen said.