Customers and the data chain: Agents and others
Looking beyond data retrieval, what are the protections for onward sharing of transaction data?
In , we took a close look at how the different actors in the ‘data chain’. The data chain begins when data is retrieved from a customer’s account either by an account information service provider (AISP), or a technical service provider (TSP), on behalf of the AISP. This week, we discuss the next links in the data chain: Agents — who provide account information services on behalf of AISPs; and then we examine so-called ‘Third Parties not providing AIS’.
Note: In this blog ‘customers’ is used to refer to the ‘end-users’ of open banking services.
What are Agents? 🤔
Under PSD2, AISPs may provide their services through agents. Agents are not regulated in their own right, but provide the AISP’s services to end-customers on behalf of the AISP. In the same way that an AISP is responsible for everything done by its TSP, the AISP is also responsible for everything done by its agents and must have systems and controls in place to monitor its agents’ activities. This is reflected in the PSD2 requirement for the AISP to increase the amount of professional indemnity insurance it holds in proportion to the number of agents it has. AISPs must also register their agents with the FCA. TrueLayer’s agents are displayed on the .
Because an agent is not providing account information services in its own right, it is not the agent who should obtain explicit consent to access account data, but the AISP, also known as the ‘Principal’. It is also the AISP (not the agent) that retrieves the data from the customer’s bank, identifying itself with its own eIDAS certificate. All of this needs to happen before the AISP’s account information service is provided to the customer through the agent:
TrueLayer provides a consent screen for its agents to use so that we can collect the end-customers’ consent when we provide AIS through our agents:
A further safeguard for the customer is that under PSD2 rules, an agent of an AISP “cannot provide or purport to provide account information services in its own right.” According to FCA , an AIS agent must be clear to its customers that it is providing the services of an AISP, even where it is doing so through its own platform. TrueLayer works with its agents to ensure this is made clear to customers where account information is being displayed:
The third party not providing AIS
The final ‘PSD2 role’ illustrated on the FCA’s new page is that of a third party not providing AIS, also known in law as “another person.” The legal framework for an AISP to share data with businesses who are not themselves regulated under PSD2 comes from the UK Treasury regulations, which implement PSD2, specifically the definition of ‘account information services’. Under the definition, an AIS can provide services:
An example of this role in action would be a bank partnering with an AISP to use the account data to power a lending decision, or a credit reference agency using the data to help calculate a credit score. The critical thing is that the companies partnering with the AISP are not themselves providing consolidated account information back to the customer, so do not need to be regulated as AISPs under PSD2. They are benefiting from being able to access and use PSD2 open banking data via AISPs.
In this model, it is the AISP’s responsibility to obtain consent for two things. First, to access the data under PSD2, and second, to share the data with ‘another person’ who is not doing AIS (i.e. ‘in accordance with the payment service user’s instructions).
Once the data has passed to “another person,” it is no longer the responsibility of the AISP under PSD2. To better understand the protections that continue to follow the customer in this data chain, it is time to introduce GDPR.
GDPR and the data chain
Like any business that handles personal data (transaction data being a good example of this), AISPs must also comply with GDPR and other data protection laws. That means data protection requirements on processing and/or controlling data apply. Whether an actor in the data chain is a processor and/or a controller will depend on exactly what they are doing with the data. This is one example of how legal responsibilities may be assigned in a particular open banking data chain:
Ultimately, under both PSD2 and the GDPR, each actor in the data chain is responsible for keeping the customer data it holds safe and secure. That means that protections continue after data is passed to a business that is not PSD2 regulated.
While PSD2 gives customers the right to complain to a regulated AISP, and to escalate that complaint to the Financial Ombudsman, GDPR gives individuals the right to claim compensation from an organisation if they have suffered damage as a result of it breaking data protection obligations. While there is no compensation awarding body for GDPR breaches (unlike the Financial Ombudsman), in the UK, consumers can complain to the Information Commissioner’s Office (ICO), and the ICO can take action against the organisation. Individuals can also make a claim in court, which can decide whether or not the organisation would have to pay compensation, assuming the individual has suffered loss as a result of the breach.
Ongoing chains ⛓
The reality and opportunity of open banking is that customers become empowered to extract their own data from banks and do with that data what they wish.
PSD2 businesses have a responsibility to enable this while keeping customers safe. That means:
Acting as responsible, secure data retrievers
Ensuring the data hand-off to businesses inside and outside the PSD2 perimeter is made strictly in accordance with the customer’s wishes and the law
Only trading with reputable businesses who take their responsibilities under the GDPR seriously