In the brave new world in European Union, third-party providers will have the chance to get access to data on bank accounts and initiate transactions on those accounts if the account holder gives them consent to do so. The directive which specifies the rules of this brave new world is called PSD2, or less friendly name is EU directive 2015/2366.
There are tons of articles and presentations referring to the players of PSD2 as 3-5 letter acronyms, as can be seen in the picture above. In this article, I explain the roles of those players for all who do not actively work in the PSD2 domain.
TPP, Third Party Providers, may have three kinds of roles.
PISP, Payment Service Provider, is a party that has the right to initiate a transaction on behalf of you. You can imagine this kind of company as if you wrote a paper instruction to transfer some money from your account to someone else and asked your mom to hand in this paper to your bank. PISP will be much faster, but it won’t cook you cake after this action.
AISP, Account Information Service Provider, is a party, which has the right to collect data from your bank accounts and display aggregated information to you. The same as if you asked your dad to read through your bank statements and verify if all your dues have been paid right in time. Although the AISP won’t play with your children, it will collect your data faster and more efficiently than your dad did.
PIISP, the Payment Instrument Issuing Service Provider, is a party that issues something you can pay with. This something is a credit card, a mobile application, a payment watch, a payment googles, a payment chip under your skin or anything in your wildest dreams.
API, Application Programming Interface, will be the gateway, where providers will securely communicate with your bank. Think of it as a real gate where your mom and dad had to knock and where she and he entered after they have presented your consent. It’s the bank (ASPSP, see later) who operates this gate. The bank opens this gate as soon as it has verified the one who knocked on the door and after it checked the validity of your consent.
NPR, National Public Register, is the local central database in every single country in the EU. In your mind, this database may appear as a list of TPPs together with their ID and their roles. When a TPP wants to get the license to work as a TPP, it must go to NPR and ask for this license. Obviously, the NPR has the right to withdraw that license at any time.
EBA, European Banking Authority, is the central database that collects the information from all NPR, aggregates them and makes this aggregate information available back to NPR of all member countries. If an NPR gives a license to a TPP, the NPR will inform EBA about this fact. Next time any other NPR wants to know if that certain TPP has a license, the other NPR will ask EBA, and EBA replies accordingly. Like a gossip central. An NPR tells something about a TPP to EBA (“Have you heard that this TPP has a new licence?”; “It’s a shame, the licence of this TPP is revoked”). EBA stores this information and distributes it to any other NPR when the other NPR asks EBA about the news of TPPs.
Payment Service Provider
ASPSP, Account Servicing Payment Service Provider, is in the middle in the picture above. It seems to be the central player in this game but it’s only a slave. ASPSP is practically the bank. The party that maintains accounts, that handles the money.
PSU, the Payment Service User, is in the origo. It is practically You. The customer, who has an account at the ASPSP and wants better service they have had till now.
I’m looking forward to seeing how fast this brave new world will evolve and how fast the players of this article will adapt themselves to the challenges.