Skip to main content

Article (17): Contractual Arrangements

C 15/2021 Effective from 6/6/2021

Access to Payment Accounts

  1. Payment Service Providers providing Payment Account Issuance Services and/or Banks may agree to contract with Payment Service Providers providing Payment Initiation and Payment Account Information Services for the provision of access, direct or indirect, to the Payment Accounts held with them in order to allow such Payment Service Providers to provide Payment Initiation and Payment Account Information Services in an unhindered and efficient manner.
     
  2. The contractual arrangements under paragraph (1) shall:
     
    1. 2.1. have a sound legal basis and be legally enforceable;
       
    2. 2.2. clearly describe the rights and obligations of the counterparties;
       
    3. 2.3. clearly define the allocation of liability between the counterparties, including in cases of fraud, unauthorized access or Data Breach, in a manner that each counterparty takes responsibility for the respective parts of the Payment Transaction under its control;
       
    4. 2.4. specify the reasons for denying access to Payment Accounts related to unauthorized or fraudulent access by Payment Service Providers providing Payment Initiation and Payment Account Information Services; and
       
    5. 2.5. explicitly oblige the counterparties to comply with Article (13) on Technology Risk and Information Security.
       
  3. The choice of Payment Service Providers providing Payment Initiation and Payment Account Information Services shall be at the sole discretion of the Payment Service Providers providing Payment Account Issuance Services and/or Banks.
     
  4. Payment Service Providers providing Payment Initiation and Payment Account Information Services shall:
     
    1. 4.1. provide services only where based on the Retail Payment Service User’s explicit consent;
       
    2. 4.2. ensure that the personalized security credentials of the Retail Payment Service User are not, with the exception of the Retail Payment Service User and the issuer of the personalized security credentials, accessible to other parties and that they are transmitted through safe and efficient channels;
       
    3. 4.3. not request or store Sensitive Payment Data of the Retail Payment Service User;
       
    4. 4.4. not use, access or store any data for purposes other than for the provision of the Payment Initiation or Payment Account Information Services, as explicitly requested by the Retail Payment Service User; and
       
    5. 4.5. comply with the requirements of Article (13) on Technology Risk and Information Security where the Payer initiates an electronic Payment Transaction or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
       
  5. In addition to the requirements set out in paragraph (4), Payment Service Providers providing Payment Account Information Services shall access only the information from designated Payment Accounts and associated Payment Transactions.
     
  6. In addition to the requirements set out in paragraph (4), Payment Service Providers providing Payment Initiation Services shall not modify the amount, the Payee or any other feature of the Payment Transaction.