AISP (Account Information Service Provider)
AISPs offer customers an aggregate overview via an online platform of one or more payment accounts, even if they held by them with potentially multiple payment institutions and within different countries. They are commonly known as account aggregators.
The Commission has made it clear that these services are intended to provide customers consolidated information of their financial situation and to analyse intuitively their spending habits, costs and financial needs.
Thanks to the services offered by AISPs, the client, if its payment account is accessible via online, has the opportunity to use securely its bank details to obtain personalized financial advice and diversified offers on financial products. It can also enjoy, on a single platform, an overall view of all the information regarding its bank accounts: interest rates, applied fees and charges, transaction history, balance of accounts. Finally, it has the possibility of constantly comparing different banking products.
In Italy account information service providers must face an authorization procedure (and not a mere registration procedure). This procedure ends with the registration in a special section of the Register of Payment Service Providers, when the following requirements are met (Article 114-septies, par. 2-bis TUB): form of limited liability company; registered office in Italy; presentation of the business plan; suitability of people performing administrative, management and control functions; failure to obstruct the supervisory functions; a suitable guarantee for potential damages to account service providers or payment service users. Unlike PISPs, AISPs do not need a minimum initial capital.
ASPSP (Account Servicing Payment Service Provider)
ASPSP is a payment service provider that offers and manages a payment account for a payer: that is mainly, but not limited to, banks.
PSD2 Directive charges ASPSPs with numerous obligations, above all the duty of securely providing data to AISPs and PISPs.
The account servicing payment service provider must also ensure an equal treatment of requests for data transmitted by TTPs vis-à-vis those transmitted directly by the user, without any discrimination other than for objective reasons, in terms of timing, priority or fees.
The account servicing payment service provider may refuse access to the data to an AISP or a PISP for objectively justified reasons relating to the unauthorised or fraudulent use of the payment account. In these cases, the ASPSP, according to the methods agreed with the user, shall notify the TTP of the refusal and the reasons for it, before that the access is refused or, at the latest, immediately afterwards, unless prohibited by objectively justified reasons or by other relevant justified impediments. Once the reasons that led to the refusal cease to exist, the ASPSP shall allow access to the payment account again. The ASPSP must always refuse access to the payment account to an AISP or a PISP immediately after having received the withdrawal of consent from the user.
The Directive also provides for a precise liability regime for unauthorized and/or incorrectly executed transactions. The ASPSP carries the first line risk for unauthorised transactions and must immediately refund the amount to the payer. In the case of an unauthorized payment transaction arranged through a PISP, the latter must immediately compensate the ASPSP for sums paid as a result of having refunded its client or, in any case, by the end of the next business day, without the need for a formal notice. In any case, recourse may be available to ASPSPs via a claim for compensation from the PISP if the PISP cannot prove the transaction was authenticated, accurately recorded or not affected by a technical breakdown or other deficiency linked to the payment service which it is in charge of.
Under the new regulatory framework, the ASPSPs have seen a considerable increase in their fraud risk and, consequently, have had to reconsider some internal processes, as well as review their terms and conditions with their clients.
PISP (Payment Initiation Service Provider)
One of the services introduced by the PSD2 Directive is the Payment Initiation Service (PIS). The PSD2 Directive enables certain operators, i.e. Payment Initiation Service Providers (PISPs), to initiate a payment order to Payment Service Providers at the request of their clients, by directly logging into their payment account without any intermediation. Thus, the payer will be able to initiate a transaction on its online account without the credit card intermediation. This innovative service will cause many intermediaries to disappear, leading to potential cost savings for online transactions and to a radical change of the competitive context. Access to the payer’s account will be provided through an API (Application Programming Interface), a set of defined methods of communication between programmes and access protocols which is directly monitored and regulated by EBA (European Banking Authority).
The payment service provider maintaining the payer’s account – usually a bank – shall allow access to the payer’s account even without a contractual relationship with the PISP for that purpose (Article 66, par. 5 PSD2). The PISP shall comply with the conditions established by the Italian Law that implements the PSD2 Directive. The PISP shall not hold at any time the funds of the payer, so that it cannot perform the typical banking function by offering account services. With reference to data, the PISP is not allowed to store sensitive data or request from the payer any data other than those necessary to provide the service. The PISP, without the duly authorization, shall not use or store any user’s data for purposes other than for the provision of the service. The Account Servicing Payment Service Provider (ASPSP) maintaining the payment account shall not deny access to the PISPs; the ASPSP maintaining the payment account shall treat all the parties allowed by the PSD2 Directive to access the account, including the PISPs, without any discrimination. A denial or a discrimination in the access to the accounts can be relevant for breach of antitrust law and sanctioned by national and EU authorities. In this perspective, the payment account will be more and more similar to an infrastructure, that several operators will be able to access without any discrimination, in order to offer payment services.
TPP (Third-Party Provider)
External operators authorized by clients to access their online data on payment transactions. This access occurs with a software API (application programming interface) that connects the provider to the client’s bank.
PSD2 Directive regulates two TPPs: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs).
The PSD2 Directive (Articles 66 and 67) has been drafted to open up access to clients’ payment account, provided that their payment account is accessible online, by defining the standards of communication with the Account Servicing Payment Service Providers (ASPSPs).
These new operators have one very important feature which guarantees free access to new entrants, in that the ASPSPs cannot require TPPs to enter into a contractual relationship to obtain access to the payment accounts in order to provide for the payment initiation and account information services.