Open banking is a relatively new term, but every person in the banking sector knows it by heart. It is the equivalent of the expression meaning a bright future ahead, full of adventures and innovation. It represents these changes because due to The Revised Payment Services Directive (PSD2) Third Party Providers (TPPs) were finally allowed to access legacy banks data via Application Programming Interfaces (APIs). PSD2 introduced two main types of TPPs – Account Information Service Providers (AISP) and Payment Initiation Service Providers (PISP). PSD2 AISP is the main focus of this article.
PSD2 AISP is a company that holds a valid Account Information Service Providers license. Its sole purpose is to gather financial information from all the banking institutions that a user owns and portray it in one interface. It is an intermediary between the financial institutions and is only authorised to a read-only type of access. Read-only refers to the possibility to view the information, but the funds are not available to AISP.
AISPs function relies on Account Service Payment Service Providers (ASPSPs) operation. ASPSPs are highly regulated financial institutions that offer banking accounts to corporate clients and individuals. The term includes legacy banks, payment institutions, credit card providers, building societies and e-money issuers.
Since the appearance of PSD2, the amount of AISPs grew explicitly. As stated by the European Banking Authority (EBA) at the end of 2020 the European Union (EU) together with the United Kingdom (UK) had 358 Payment Service Providers (PSPs). In this instance, PSPs include AISPs, payment and e-money institutions that can have the authorization to provide payment services similar to AISP. 153 providers supplied strictly Account Information Service (AIS).
Each company, depending on its type, can have individual reasons for obtaining an AISP license. For instance, Electronic Money Institution (EMI) would choose to showcase to its users their accounts in one interface which in turn should expand the time duration that a consumer spends using the app or a website. Other types of companies could provide Artificial Intelligence (AI) services aimed at bookkeepers and business finances. Some could develop applications that allow users to follow their spending and adjust finances easier.
Even more, there could be a company that chose to obtain an AISP license to enhance their service offerings and give better advice to financial customers – an auditing company. They could analyse the financial information of their clients and provide better advice on how to save money or develop financial management. Overall, there are plenty of opportunities with the AISP license to enhance existing services or develop innovative solutions to serve consumer needs.
In general, there are two main types of AISP use – tools for money management and loan applications. As mentioned above, tools for money management gather user’s financial information from various banking institutions, analyse it and showcase it in one interface in a way that is easy to understand. Therefore, consumers can follow their budget more efficiently, plan ahead and monitor the overall financial state.
Loan application tools are used to share information with a lender. These tools work both ways, they can help a consumer to accumulate data faster and a lender to enhance lending offers. Therefore, the application process becomes faster and more accurate with reduced risk for everyone.
As aforementioned in the introduction, AISP and PISP are two main types of a TPP. The main difference between these two types is that AISP can only view, but not touch the funds revealed to them. Whereas PISP can access those funds and initiate transactions on consumers behalf. The primary purpose of AISP is to aggregate and supply consolidated information to the user that requested it. Their services include but are not limited to financial forecasting, price comparison and money management.
PSD2 AISP license authorises a TPP to connect to several ASPSPs and provide a centralised overview of a consumer’s financial condition. This improves customer experience and eliminates enormous amounts of manual labour while saving time. According to PSD2 regulation, the information accessed by the AISP should be identical to the one that a user can access themselves when utilising online banking services. However, the data that is classified as sensitive transactional information should remain unknown to the AISP.
Most importantly, an AISP does not obtain any login information to consumer accounts and can only access it for information gathering with a user’s consent.
To become an AISP a company must decide whether it is going to be the sole business or a part of a broader service spectrum. In the case where a company wishes to operate on a larger scope, it can include the AISP authorisation within the broader type of registration – when becoming a Payment Institution (PI) or EMI. If a company already has the required authorisation for the PI or EMI and just desires to expand its services, it can contact the regulator to include this permission.
In cases where a company only wants to be an AISP with no additional regulatory services, then it should register with the accountable authority such as The Financial Conduct Authority (FCA) if it’s in the UK. It means that the registration process is less complicated than the full authorisation of PI or EMI and, therefore, has fewer requirements. Nevertheless, the supervisory authority will require detailed specifications of a business and risk supervision methods together with the appropriate insurance.
PSD2 AISP companies are mainly regulated by the PSD2 directive. It provides the key requirements and guidelines to follow for successful service implementation and development. However, an AISP should also follow data protection regulations and laws. Depending on the country of origin it may have different legislation together with the ones applied within the EU – General Data Protection Regulation (GDPR).
The GDPR is the most intricate privacy and data security legislation in the world. Although it has been passed in the EU its obligations can be felt all over the world if a business deals with European customers. This regulation was passed in 2018 and changed the data security approach. Therefore, it is fundamental to follow this legislation for AISPs to avoid violation fines and penalties that could go up to millions.