Finansinspektionen would like to clarify the obligations of third-party payment service providers when gathering information about bank customers’ payment accounts via digital interfaces. FI has also contacted the banks and reminded them about their obligations as an account servicing payment service provider (ASPSP).
Third-party payment service providers (TPP) are firms that provide payment initiation services and/or account information services.
TPP:s must communicate with an ASPSP – most often a bank – through an interface designated by the bank. They must also identify themselves when requesting and receiving access to information about one or more specific payment accounts and related payment transactions. They may not obtain access to payment account information via the bank's customer interface without identifying themselves.
Neither may the TPP process more information than necessary for providing the specific payment service underlying the interaction.
The rules that apply in the area are set out in the EU's Second Payment Service Directive. The directive has been implemented in Sweden through amendments to the Payment Services Act (2010:751) and through Finansinspektionen's regulations FFFS 2018:4, FFFS 2018:5, FFFS 2018:6, and FFFS 2018:7, which entered into force on 1 May 2018.
Supplementary rules regarding interfaces entered into force on 14 September 2019 through Commission Delegated Regulation (EU) 2018/389.
FI has received indications that some TPP:s and ASPSP:s potentially do not meet their obligations with regard to the standards in the delegated regulation.
For TPP:s, there are indications that some do not use the interface as instructed by the ASPSP, and there are indications that some TPP:s potentially deviate in other ways from the regulatory framework with regard to common and secure communication standards.
For ASPSP:s, there are indications that interfaces potentially do not meet the requirements on availability and performance.
FI is currently contacting the banks directly and emphasizing the importance of compliance with the obligation to provide interfaces that meets the requirements on standards for common and secure communication between ASPSP:s and TPP:s as described in the delegated regulation. This means, inter alias, providing interfaces that fulfil the regulatory requirement on availability and performance and that ASPSP:s that have not been granted an exemption must provide the fallback mechanisms prescribed in the regulation.