The introduction of Account Information Services (AIS) by PSD2 allows account holders to access information on their payment accounts through an Account Information Service Provider (AISP) (article 67(2-a)). But because that information can contain personal data, the GDPR may significantly limit the value that Account Information Services can deliver.
Article 94(1) of PSD2 stipulates that all processing of personal data must be carried out in accordance with the Data Protection Directive and, as of 25 May 2018, the General Data Protection Regulation (GDPR). The GDPR's definition of processing (article 4(2)) expressly includes 'disclosure by transmission'. The result is that the retrieval of any information on payment accounts and associated transactions by an AISP falls within the scope of GDPR if that information can be used to identify a natural person.
If this information concerned only the account holder, and the account holder gave his explicit consent to the Account Servicing Payment Service Provider (AS-PSP) to disclose the information to the AISP, there would be no problem. The AISP may even share it with other third parties with the account holder's explicit consent, for instance with a loan provider who wishes to perform a credit rating before granting a loan to the account holder. However, the transaction information retrieved through the AISP can also contain personal data of the counterparties to the transactions. Where the counterparty to a transaction is a natural person, the transaction information will at least contain the counterparty's name. The counterparty's account number may also qualify as personal data under GDPR (depending on whether the party that receives the information can use the account number to identify the counterparty). And even the transaction description may contain names and other personal data, regardless of whether the counterparty is a natural or a legal person.
Now PSD2 defines AIS as 'an online service to provide consolidated information on one or more payment accounts'. If the transaction information were presented in consolidated form, it could easily be arranged that the information contains no personal data of others. But providing consolidated information instead of information on individual transactions diminishes the value of the information for the account holder. For instance, if the account holder wishes to have his spending patterns analysed, individual transaction information is of far more use to him. And AISPs and other third parties would be better able to provide financial advice if they had a more detailed insight, for example by providing the account holder with tailor-made commercial offers based on the retrieved transaction information.
[Figure] Data flows for a credit transfer from the account holder to a counterparty (red) and vice versa (green)
But when AS-PSPs provide information on a transaction-by-transaction basis, they risk violating GDPR by doing so. This might be solved by automatically removing any personal data on the counterparty from the transaction information before disclosing it to an AISP. Structured fields such as the counterparty's name and account number can be stripped mechanically, but the free-text transaction description would require intelligent software to screen, and even then there is no guarantee that no personal data is disclosed.
So, to be on the safe side, AS-PSPs could decide to anonymise all transaction information that may contain personal data. This would at least include the name of the counterparty to the transaction and his account number, and probably also the transaction description. Anonymisation then makes the information a lot less valuable for the account holder and for the service providers he engages to process the transaction information.
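The two approaches above, stripping structured counterparty fields versus anonymising the description as well, can be made concrete. The following is an added example written for this page, not code from the original post or from any AS-PSP: the field names, the fictitious transactions and the IBAN pattern are all constructed assumptions. It removes the counterparty's name and account number reliably, masks IBAN-shaped strings in the description, and shows why that lenient mode still gives no guarantee (a first name in one description survives; a third person named in another is not even detectable), which is the case for the strict mode that drops the description entirely.

```python
import re

# Structured fields that identify the counterparty and are always dropped.
# Field names are assumptions for this example; a real AS-PSP API differs.
COUNTERPARTY_FIELDS = ("counterparty_name", "counterparty_iban")

# Loose IBAN shape: two letters, two check digits, 11-30 alphanumerics.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")

# Constructed sample transactions (fictitious names and account numbers).
TRANSACTIONS = [
    {
        "date": "2018-03-01",
        "amount": "-45.00",
        "counterparty_name": "Jane Doe",
        "counterparty_iban": "NL91ABNA0417164300",
        "description": "Dinner split, thanks Jane!",
    },
    {
        "date": "2018-03-03",
        "amount": "-120.00",
        "counterparty_name": "Energy Co BV",
        "counterparty_iban": "DE89370400440532013000",
        "description": "Invoice 4711, contract holder P. Jansen, IBAN NL02RABO0123456789",
    },
]


def anonymise(tx: dict, strict: bool = False) -> dict:
    """Return a copy of tx suitable for disclosure to an AISP.

    The counterparty's name and account number are structured fields and
    can be removed reliably. The free-text description cannot: in lenient
    mode only IBAN-shaped strings are masked, in strict mode the whole
    description is dropped. The input dict is left untouched.
    """
    out = {k: v for k, v in tx.items() if k not in COUNTERPARTY_FIELDS}
    if strict:
        out["description"] = "[REDACTED]"
    else:
        out["description"] = IBAN_RE.sub("[IBAN]", tx["description"])
    return out


def residual_leaks(original: dict, anonymised: dict) -> list:
    """Best-effort check for counterparty name tokens that survived in the
    description. It can only look for names the AS-PSP knows (the
    counterparty's); a third person mentioned in the description is
    invisible to it, which is why lenient mode offers no guarantee."""
    haystack = anonymised["description"].lower()
    return [
        token
        for token in original["counterparty_name"].split()
        if len(token) > 2 and token.lower() in haystack
    ]


if __name__ == "__main__":
    for tx in TRANSACTIONS:
        lenient = anonymise(tx)
        print(lenient, "leaks:", residual_leaks(tx, lenient))
        print(anonymise(tx, strict=True))
```

Run as a script, the first transaction shows the lenient output still containing "Jane" (caught by the leak check because it matches the counterparty's name), while the second shows "P. Jansen" passing straight through with no detection at all, since that person is not the counterparty. Only the strict variant is free of personal data in both cases, at the cost of the description's usefulness.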
But there is more: what if the account is held by more than one person, as often occurs with people sharing a household? Or if the explicit consent to retrieve account information is given by someone else acting on behalf of the account holder(s), based on a power of attorney? In both cases, the account holders (or one of them) would also need to give their explicit consent to the AS-PSP for disclosing their personal data to the AISP, as required by GDPR. This could be solved by taking these situations into account when opening the account and/or when drafting the power of attorney, but it certainly requires attention, to prevent a situation in which the AS-PSP is not allowed to provide the AISP with any useful information at all.
In short: we expect that the obligations GDPR imposes on AS-PSPs will significantly limit the possibilities for AISPs and other third parties to use account information in a way that adds real value for their customers. Although this may be a fair price to pay for privacy protection, it is unfortunate that it may hamper the development of innovative solutions for financial and other services.
The European legislator, or else the data protection authorities, could ease the limitations demonstrated in this blog by giving guidance on how the need for explicit consent should be interpreted. But until then, we advise AS-PSPs to:
- remove any personal data on counterparties or other third parties from the transaction information; and
- ensure that all account holders of the designated account(s) have given their explicit consent to disclose their personal data,
prior to disclosing any account information to an AISP.
Of course, the second point applies mutatis mutandis to AISPs that in turn disclose account information to other service providers.
Footnote: this regards the consent required by article 67(2-a) PSD2.