“Third parties” are non-banks that provide payment initiation and account information services. For this purpose, they require your consent to access your bank account. They act as an intermediary – a third party – between you and your bank. A third-party payment service provider could be a fintech company, a telecommunications business or a wholesaler. The provider first has to set itself up as a payment initiation service provider or an account information service provider and then register with or obtain a licence from the relevant supervisory authorities. Banks and savings banks may also offer payment initiation and account information services under their banking licence.

If a customer makes a purchase online, they can use a payment initiation service provider specified on the seller’s website to settle the payment. Provided that the customer uses their bank’s online banking services and has already given their consent, this provider submits a credit transfer order to the bank on the customer’s behalf.

Account information service providers call up account information, such as transactions, balances and items scheduled for debiting, from the bank or savings bank managing the customer’s account and structure the information in a clear manner. A prerequisite is that the customer uses their bank’s online banking services and has already given their consent. This is of particular interest to customers who have accounts at several banks and want to have a better overview of their accounts.

Third-party payment service providers are subject to supervision. Payment initiation service providers require a licence from the national supervisory authorities before they can render their services. In Germany, this is the Federal Financial Supervisory Authority (BaFin). Account information service providers have to register with the supervisory authorities. Both account information service providers and payment initiation service providers require professional indemnity insurance or an equivalent guarantee before registering or applying for a licence.

In online banking, customers can appoint third-party payment service providers to initiate payments or to call up account information (for instance, to plan their finances). As these providers are then legally recognised and subject to supervision, customers can also use their PIN and TANs in their dealings with them.

No, you do not have to grant third-party payment service providers access to your account – the PSD2 merely entitles you to do so should you so wish. This means, more precisely, that the PSD2 gives you the right to use the services offered by a new provider who, in turn, requires access to your online account in order to be able to provide these services.

If you give your consent, this means that you are granting a third party access to your bank account.

If you do not give your consent, nothing will change. The third party will not be able to access your bank account.

If you appoint a payment initiation service provider they can request that your bank makes a payment or credit transfer from your account on your behalf. You should note that your consent to a payment initiation service is generally valid for a single payment only.

An account information service provider can call up the balance and account transactions from your payment accounts at one or more banks and prepare the data for you in a clear and concise manner. You can commission an account information service provider to prepare your account data over a longer period of time, potentially until revocation. During this period, the account information service provider can access your bank account or your bank accounts to update the overview of payments and account balances.

You can grant a payment initiation service provider or an account information service provider access to your bank account. The PSD2 specifies that these providers may use your bank’s verification procedure. Furthermore, the PSD2 stipulates that this procedure must always comprise two factors (strong customer authentication (SCA), see also the link below); however, the bank/savings bank or payment institution in question is free to specify the exact details.

Usually a combination of at least two of the following elements is requested:

• something you have (e.g. a debit card, mobile phone or TAN generator),
• something only you know (access code, PIN or passwort),
• biometric identification (e.g. fingerprint, iris scan).

First your bank/savings bank or payment institution checks whether you are the account holder.

To trigger a payment, an element (TAN) must be linked to the proposed transaction (amount and beneficiary). This TAN can only be used for this particular payment: If the amount or beneficiary changes, the TAN also changes. By entering the TAN, you agree to make the payment.

In combination with other security measures, this ensures that the payment service provider can only carry out transactions with your consent.

If you give a payment initiation service provider your consent to execute a payment, this is similar to asking your bank/savings bank to carry out a payment order.

The procedure for providers of account information services differs slightly. You must authorise access to your bank account using strong customer authentication the first time you order the account information service and then at least every 90 days thereafter.

You are under no obligation to use the new payment methods. Without your consent, third-party payment service providers cannot access your account.