- Part I — AISPs and TSPs
- Part II — Agents and other third parties
In Part I, we took a close look at how the FCA views different actors in the ‘data chain’. The data chain begins when data is retrieved from a customer’s account either by an account information service provider (AISP), or a technical service provider (TSP), on behalf of the AISP. This week, we discuss the next links in the data chain: Agents — who provide account information services on behalf of AISPs; and then we examine so-called ‘Third Parties not providing AIS’.

Note: In this blog ‘customers’ is used to refer to the ‘end-users’ of open banking services.
What are Agents? 🤔
Under PSD2, AISPs may provide their services through agents. Agents are not regulated in their own right, but provide the AISP’s services to end-customers on behalf of the AISP. In the same way that an AISP is responsible for everything done by its TSP, the AISP is also responsible for everything done by its agents and must have systems and controls in place to monitor its agents’ activities. This is reflected in the PSD2 requirement for the AISP to increase the amount of professional indemnity insurance it holds in proportion to the number of agents it has. AISPs must also register their agents with the FCA. TrueLayer’s agents are displayed on the FCA’s register.
The data chain describes the flow of customer data once it is retrieved from the bank

Agent consent chain

TrueLayer Agent consent screen

AIS provided on behalf of TrueLayer
The third party not providing AIS
The final ‘PSD2 role’ illustrated on the FCA’s new page is that of a third party not providing AIS, also known in law as “another person.” The legal framework for an AISP to share data with businesses who are not themselves regulated under PSD2 comes from the UK Treasury regulations, which implement PSD2, specifically the definition of ‘account information services’. Under the definition, an AIS can provide services: “Only to the payment service user or the payment service user and another person in accordance with the payment service user’s instructions.”

The customer can instruct an AISP to share their transaction data with a business that isn’t doing AIS — ‘Another Person’

Consent to provide data to “another person”

Example GDPR responsibilities in a data chain
Ongoing chains ⛓

- Acting as responsible, secure data retrievers
- Ensuring the data hand-off to businesses inside and outside the PSD2 perimeter is made strictly in accordance with the customer’s wishes and the law
- Only trading with reputable businesses who take their responsibilities under the GDPR seriously