Account information services will be defined in future as an “online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider”. This rather unhandy definition – sadly now a common feature of European regulatory law – covers services that access accounts purely for informational purposes. Examples include the conduct of a credit check with the customer’s consent. This article aims to provide a brief overview of various aspects of this new area of regulation related to the law on banking regulation and data protection.
Firstly, it should be noted that no license is required for account information services, even though they are considered payment services. The only requirement is for the relevant party to be registered (section 34, ZAG, new version). Significant amounts of information and documentation must be submitted, however, as part of the registration application. In addition to the documents that are usually required for registration under banking regulation law, such as a description of the business model, a business plan and a budget plan for the first three financial years and details of the applicant’s legal form and articles of association, the requirements set out in section 34(1) of the new version of the ZAG in conjunction with the grounds for rejection listed in section 35 of the amended ZAG also include numerous (indirect) compliance obligations. For instance, section 34(1), sentence 2, no. 4 requires submission of a “description of the procedure in place to monitor, handle and follow up a security incident and security related customer complaints”, while no. 6 requires submission of a “description of business continuity arrangements including a clear identification of the critical operations, effective contingency plans and a procedure to regularly test and review the adequacy and efficiency of such plans”. The new regulations contained in the ZAG also provide for mandatory insurance for account information services: under section 34(1), sentence 2, no. 12 in conjunction with section 36 of the new version of the ZAG, professional indemnity insurance is required which in particular also covers the liability risk vis-à-vis the bank and the payment service user resulting from non-authorised or fraudulent access. It remains to be seen whether the insurance industry will offer appropriate products here and if so, on what terms.
The reasons for refusing registration set out in section 35 of the amended ZAG also show that European legislators attach great importance to the reliability of account information service providers – particularly in relation to security-related issues. Registration is therefore not a mere formality. In addition to the information required for registration, the provider also has an obligation under section 34(6) of the new version of the ZAG to notify the German Federal Financial Supervisory Authority without delay of any change in the related circumstances.
Alongside the registration and compliance obligations arising from first-time regulation of this type of business model, the position of account information service providers is explicitly strengthened in the new version of the ZAG. Specifically, the new sections 50 to 52 deal with the reciprocal rights and obligations of the account information service provider on the one hand and the account servicing payment service provider on the other. The account servicing payment service provider – i.e. typically the bank operating the payment account that the account information service wishes to access – is under an obligation to cooperate with the account information service and to treat requests from an account information service provider “without any discrimination” (section 50(1), no. 2, ZAG, new version).
Unsurprisingly, account information services may only be provided with the express consent of the payment service user, i.e. the customer (section 51(1), sentence 1, ZAG, new version). The account servicing payment service provider (the bank) may only deny an account information service provider access to payment accounts in the circumstances set out in section 52 of the new version of the ZAG. This statutory recognition of the fact that account information services form part of the account servicing payment service provider’s infrastructure shows that the sharing of access details by the payment service user with registered payment service providers no longer represents a breach of the payment service user’s obligation under civil law not to disclose their access details to third parties.
The new regulations regarding account information services in the new version of the ZAG do, however, raise issues with regard to data protection law. Protection of personal data plays a significant role here since processing of the relevant account holder’s data is fundamental to the business model of account information service providers. Obviously, an account holder’s account data is personal in nature. The fact that the name of the account holder is stored together with the account and the associated digital data allows their identity to be established. But it is not only the account holder/user of the account information service whose right to protection of their personal data under Article 8 of the EU Charter of Fundamental Rights is affected as a result of data being processed to provide the service – the impact extends to third parties to whom the account holder transfers money. The transaction data, which is potentially also visible, likewise makes it possible to identify recipients of payments. A common misconception with regard to the processing of account and transaction data is that such data counts as special personal data under the German Data Protection Act. The Federal German Data Protection Act that is currently still in force (BDSG), and the General Data Protection Regulation (GDPR), which will apply as of 25 May 2018, distinguish only two categories of personal data: “special categories of personal data” and “ordinary” personal data. Data protection legislation imposes stricter rules on processing special categories of personal data than on “ordinary” personal data, particularly with respect to authorisation. For example, the processing of special categories of personal data cannot be legitimised by Article 6(1)(f) GDPR (balancing of interests).
Pursuant to Article 9, paragraph 1 of the GDPR, special categories of personal data include all data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health and data concerning a natural person’s sex life or sexual orientation. Since this list does not include account data, such data is not treated as special data under the BDSG or the GDPR.
However, there are also special provisions on data protection to be found in the new version of the ZAG itself: division 11 of the amended ZAG includes section 59(1), entitled Data Protection, which stipulates expressly that payment service providers and thus also account information service providers may process personal data for the purposes of “prevention, investigation and detection of payment fraud”. At the same time, section 59(2), ZAG new version, also makes the processing of personal data in order to provide account information services conditional on the explicit consent of the user. By only providing for authorisation based on the consent of the relevant account holder, the new version of the ZAG is more restrictive than either the BDSG or GDPR. This reduction in options is further reinforced by section 51(1), sentence 3 of the amended ZAG, in that the account information service provider may only use data for the purposes of the account information service. The legislators’ intention in imposing this restriction is to exclude any use of data that goes beyond that specifically required to provide account information services. The aim is to prevent any utilisation of the transaction data by the account information service for promotional purposes or in order to establish a scoring database. However, it is doubtful whether this intended purpose limitation and the narrowing of the legal bases for the processing of personal data are consistent with the GDPR. The GDPR does not provide for any such restriction. The somewhat academic debate conducted so far as to whether the ZAG or PSD II can be regarded as a lex specialis with respect to the GDPR will thus become increasingly relevant. 
Furthermore, neither the ZAG nor PSD II contain any data protection provisions related to handling the personal data of payment recipients that is collected and processed as part of an account query initiated by the user in connection with the provision of account information services. The consent of the user, i.e. the account holder, is not sufficient in this case. Such consent only establishes a legal basis for processing personal data related to the user. Consent does not affect the rights or data of third parties, such as the data of payment recipients which is visible when transaction data is collected by the account information service. It is necessary here to fall back on the BDSG or GDPR, since section 59(2) of the new version of the ZAG merely governs the consent of the relevant user of the account information service. The legal basis for processing data that also relates to third parties and not exclusively to the user of the service remains unregulated by the ZAG and must therefore be determined in accordance with the existing law on data protection.
Many account information services are, however, not immediately affected by the new regulations in the amended ZAG. Under Article 15 of the Second Payment Services Directive Implementation Act the provisions in sections 45 to 52 of the new version of the ZAG only come into force 18 months after the European regulatory technical standards on PSD II take effect. Accordingly, many providers still have time to act. In addition, companies that provided account information services as defined in the new version of the ZAG prior to 17 January 2016 may disregard all the provisions in the new version of the ZAG relating to account information services until sections 45 to 52 of the amended ZAG come into force (i.e. 18 months after the regulatory technical standards come into force). Until then, they can continue to operate in line with the existing legislation (section 68(2), ZAG, new version).
This first-time creation of a regulatory framework for account information services by the new version of the Payment Services Supervision Act (ZAG) is a welcome development that will reduce the legal uncertainty currently surrounding this business model. Nonetheless, some of the new rules are ambiguous and raise a number of issues. These can, however, be overcome with the aid of expert legal advice.