Since 13 January, under the revised EU Payment Services Directive (PSD2), banks, building societies and other account-holding institutions have been obliged to enable third party 'account information service providers' (AISPs) and 'payment initiation service providers' (PISPs) to access the payment account data they hold on customers, at those customers' request, so that those businesses can provide the customers with their services.
Currently, depending on circumstances, those access rights are being exercised through the use of open application programming interfaces (APIs) or via so-called 'screen scraping' – a practice that some banks have previously raised security concerns about.
In time, however, banks and other payment service providers (PSPs) will be required to facilitate the third party access rights of AISPs and PISPs in accordance with new regulatory technical standards (RTS) on strong customer authentication and common and secure open standards of communication. Open APIs are being developed to implement those standards, which for the most part will not apply until 14 September 2019; in the UK, that work is interlinked with the country's own 'open banking' rules.
Banks cannot unjustly block AISPs or PISPs from accessing customers' payment account data where those third parties have the customers' consent to do so.
In a speech on Tuesday, Karina McTeague, director of retail banking supervision at the Financial Conduct Authority (FCA), said that while banks must be aware of their legal obligations in respect of data protection and consumer protection, and help customers protect themselves from the risks of fraud, they must present balanced information to customers in relation to regulated third party services available under the PSD2 regime.
"Banks and building societies should allow their customers to make use of AIS and PIS in relation to those payment accounts without penalty, including allowing their customers to share their credentials," McTeague said. "Their customer communications should be balanced, and not seek to dissuade customers from using third party AIS or PIS providers through their communications or terms and conditions."
"I want to emphasise this point. Banks and building societies are an important source of information for customers about these new services. They need to fulfil that role in a balanced and socially responsible way," she said.
McTeague provided examples of the type of information that banks might include in their customer communications.
She said banks might provide "balanced information about sharing banking and security credentials" and, in doing so, distinguish between regulated AISPs and PISPs and providers that operate unregulated services. They could also explain that some third parties are able to legitimately provide their services on an unregulated basis until the RTS take effect, she said.
Banks might also explain that they "treat all AIS and PIS providers objectively and fairly, within the spirit of the legislation and in the interests of the customers in question", she said.
Customers could also be provided with information about credential sharing – a practice that some third parties require customers to engage in so that the third party can access their accounts through screen scraping, McTeague said.
The banks might explain that they will "permit access through credential sharing, until they have an alternative means of allowing AIS and PIS providers to access those accounts", but that they will deny access in cases where they suspect fraud or unauthorised access to accounts, she said.
Banks might also explain that customers will be able to go to them for reimbursement, in the first instance, "in the event that something goes wrong, such as a payment is misdirected or there is an unauthorised transaction", McTeague said.