In its supervisory notice dated October 9, 2024, the German Federal Financial Supervisory Authority (BaFin) set out its expectations regarding account access interfaces under the Second Payment Services Directive (PSD2). The clarifications address current issues in the provision of dedicated account access interfaces and take into account, among other things, the relevant Q&As of the European Banking Authority (EBA).
1. Publication of statistics on interface availability
Account servicing payment service providers (ASPSPs) are required to publish quarterly statistics on the availability and performance of the dedicated interface and of the interface used by their own payment service users on their website (see Article 32(4), second sentence, of Delegated Regulation (EU) 2018/389).
BaFin may define an appropriate time period to be covered by the statistics (see EBA Q&A 2023 6687).
BaFin’s expectations
BaFin states that the statistics published by account servicing payment service providers should cover at least the last four quarters.
2. Screen scraping of redirection pages
Account servicing payment service providers must ensure that the technical specification of each interface is documented and describes the routines, protocols and tools that third-party providers such as payment initiation service providers (PISPs) and account information service providers (AISPs) need so that their software and applications can interoperate with the systems of the account servicing payment service provider (see Article 30(3), second subparagraph, of Delegated Regulation (EU) 2018/389).
This is important because when accessing the dedicated interface of the account servicing payment service provider, the PISP/AISP must follow the technical specifications defined by the account servicing payment service provider (see EBA Q&A 2021 6044).
The account servicing payment service provider is free to decide on the methods for carrying out the authentication procedure for the payment service users; for example, it can opt for the redirection, embedded or decoupled approach (or a combination thereof).
If PISPs or AISPs use alternative approaches for authentication (such as screen scraping), which technically deviate from the specifications of the account servicing payment service provider, these approaches are classified as “non-compliant”.
Example:
“If the account servicing payment service provider has opted for a redirection or decoupled approach and this is designed to be obstacle-free, the PISP/AISP must – in accordance with the specification – redirect the payment service user to the account servicing payment service provider’s domain for authentication. The introduction of a separate technical approach for the query and subsequent transmission of the payment service user’s access data to the account-holding payment service provider, which differs from the approach provided by the account-holding payment service provider in the technical specifications of the dedicated interface, is therefore not permitted.” (see BaFin Guidance dated October 9, 2024, under 2) “Screen Scraping” of redirection pages).
BaFin’s expectations
- If a PISP or AISP uses other types of access to the dedicated interface (e.g. screen scraping) that are not described in the technical specification (documentation) of the account servicing payment service provider, this access takes place outside of what regulation permits.
- In such cases, the account servicing payment service provider may block the access, and the supervisory authority will not object to the blocking.
BaFin will investigate any information about regulatory breaches.
3. Reporting requirement for dedicated interface failures
If a dedicated account access interface fails, both the account servicing payment service provider and the PISP/AISP must report the failure to BaFin without undue delay (see Article 33(3) of Delegated Regulation (EU) 2018/389).
A failure is assumed if five consecutive access requests from the PISP/AISP are not answered within 30 seconds (see Article 33 (1) sentence 2 of the Delegated Regulation (EU) 2018/389).
BaFin’s expectations
The report is to be made without delay, informally and exclusively to BaFin (by email to git1@bafin.de).
The report must state the date and duration of the disruption. It must also be stated whether only certain services (payment initiation services, account information services) were affected by the disruption.
In addition, account servicing payment service providers should state the reason for the disruption of the dedicated interface, whether any appropriate measures have been taken and whether the payment initiation service provider and the account information service provider have been informed of the disruption of the dedicated interface.
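The failure criterion in Article 33(1) and the reporting content described above can be turned into a monitoring check on the PISP/AISP or ASPSP side. The following Python script is an added illustration, not part of the BaFin notice: it scans a constructed log of access requests, opens an outage once five consecutive requests are unanswered within 30 seconds, closes it at the first request answered in time again, and collects the facts the report must contain (date, duration, and which services were affected). The request/outage data structures, field names and sample timestamps are assumptions made for this example.

```python
"""Added example (not from the BaFin notice): detect a dedicated-interface failure as
defined in Article 33(1) of Delegated Regulation (EU) 2018/389 (five consecutive access
requests not answered within 30 seconds) and collect the facts required for the report
to BaFin (date, duration, affected services). Log data and field names are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

TIMEOUT = timedelta(seconds=30)      # Art. 33(1): a reply is expected within 30 seconds
CONSECUTIVE_THRESHOLD = 5            # Art. 33(1): five consecutive unanswered requests


@dataclass(frozen=True)
class AccessRequest:
    sent_at: datetime
    service: str                     # "PIS" (payment initiation) or "AIS" (account information)
    answered_at: Optional[datetime]  # None if no reply was ever received


@dataclass(frozen=True)
class Outage:
    start: datetime                  # time of the first unanswered request in the run
    end: Optional[datetime]          # first request answered in time again; None if still ongoing
    services: frozenset              # services whose requests went unanswered during the outage

    @property
    def duration(self) -> Optional[timedelta]:
        return None if self.end is None else self.end - self.start


def unanswered(req: AccessRequest, timeout: timedelta = TIMEOUT) -> bool:
    """A request counts as unanswered if no reply arrived or it arrived after the timeout."""
    return req.answered_at is None or (req.answered_at - req.sent_at) > timeout


def detect_outages(requests, threshold=CONSECUTIVE_THRESHOLD, timeout=TIMEOUT):
    """Scan requests in time order; open an outage once `threshold` consecutive requests
    are unanswered and close it at the next request that is answered in time."""
    outages = []
    run = []                 # current run of consecutive unanswered requests
    open_outage = None       # collects start/services while an outage is ongoing
    for req in sorted(requests, key=lambda r: r.sent_at):
        if unanswered(req, timeout):
            run.append(req)
            if open_outage is not None:
                open_outage["services"].add(req.service)
            elif len(run) >= threshold:
                open_outage = {"start": run[0].sent_at,
                               "services": {r.service for r in run}}
        else:
            if open_outage is not None:
                outages.append(Outage(open_outage["start"], req.sent_at,
                                      frozenset(open_outage["services"])))
                open_outage = None
            run = []          # an in-time reply resets the consecutive count
    if open_outage is not None:   # outage still ongoing at the end of the log
        outages.append(Outage(open_outage["start"], None, frozenset(open_outage["services"])))
    return outages


def report_fields(outage: Outage) -> dict:
    """The facts BaFin expects in the informal failure report (field names are constructed)."""
    duration = outage.duration
    return {
        "date": outage.start.date().isoformat(),
        "start": outage.start.isoformat(timespec="seconds"),
        "duration_seconds": None if duration is None else int(duration.total_seconds()),
        "affected_services": sorted(outage.services),
        "only_some_services_affected": outage.services != {"PIS", "AIS"},
    }


# Constructed sample log: two unanswered requests that do NOT reach the threshold,
# then six unanswered requests in a row (the real outage), then recovery.
_T0 = datetime(2024, 11, 4, 9, 0, 0)
SAMPLE_LOG = [
    AccessRequest(_T0 + timedelta(seconds=0),   "AIS", _T0 + timedelta(seconds=2)),
    AccessRequest(_T0 + timedelta(seconds=60),  "AIS", _T0 + timedelta(seconds=95)),   # late (35 s)
    AccessRequest(_T0 + timedelta(seconds=120), "PIS", None),                           # no reply
    AccessRequest(_T0 + timedelta(seconds=180), "AIS", _T0 + timedelta(seconds=185)),  # in time: run resets at 2
    AccessRequest(_T0 + timedelta(seconds=240), "AIS", None),                           # outage starts here
    AccessRequest(_T0 + timedelta(seconds=300), "PIS", None),
    AccessRequest(_T0 + timedelta(seconds=360), "AIS", None),
    AccessRequest(_T0 + timedelta(seconds=420), "AIS", _T0 + timedelta(seconds=500)),  # late (80 s)
    AccessRequest(_T0 + timedelta(seconds=480), "PIS", None),                           # fifth in a row: failure
    AccessRequest(_T0 + timedelta(seconds=540), "AIS", None),
    AccessRequest(_T0 + timedelta(seconds=600), "AIS", _T0 + timedelta(seconds=603)),  # in time: recovery
]

if __name__ == "__main__":
    for outage in detect_outages(SAMPLE_LOG):
        print(report_fields(outage))
```

Note that a reply arriving after the 30-second window counts as unanswered for the purpose of the consecutive count, and that the count resets only on a request answered in time; the reason for the disruption and the measures taken still have to be supplied by the ASPSP itself, since they cannot be derived from the request log.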
Conclusion
BaFin’s supervisory statement on dedicated account access interfaces is to be welcomed. By formulating its expectations, BaFin ensures, among other things, transparency regarding the stability and performance of the interfaces (see the reasonable period to be covered by the published statistics on interface availability). At the same time, the published expectations promote legal certainty where account servicing payment service providers block access by a PISP or AISP in the cases described, since such blocking is then not subject to supervisory objection. With these clarifications, the affected market participants in payment transactions (banks as account servicing payment service providers, central access points for direct debits and credit transfers, and IT service providers) can reflect BaFin’s expectations in their processes accordingly, in order to ensure smooth cooperation in the financial sector.