
An Account Servicing Payment Service Provider (ASPSP) is a regulated entity that holds and manages payment accounts on behalf of individuals, businesses, or other organisations. Under the Payment Services Directive 2 (PSD2), ASPSPs are required to open their account infrastructure to authorised Third-Party Providers (TPPs) through secure, standardised open banking APIs, enabling both account information access and payment initiation by licensed AISPs and PISPs respectively. ASPSPs include conventional credit institutions (banks), e-money institutions, and payment institutions, that is, any regulated entity that provides and maintains payment accounts for its customers.
As illustrated in a typical ASPSP interaction flow, a customer grants consent to a TPP – such as a budgeting app (AISP) or a checkout payment service (PISP) – through the ASPSP’s own authentication interface. The ASPSP verifies the customer’s identity using Strong Customer Authentication (SCA), confirms the scope of consent, and then either shares the requested account data or executes the payment initiation instruction via its open banking API. The ASPSP remains the custodian of the account and the funds throughout, while the TPP interacts with the account only within the boundaries of the granted consent.
Key Takeaways:
- An Account Servicing Payment Service Provider (ASPSP) is a regulated financial institution that holds and manages payment accounts and is required under PSD2 to provide authorised Third-Party Providers (TPPs) with access to those accounts via open banking APIs;
- ASPSPs include traditional banks, e-money institutions, and payment institutions, or any entity that holds payment accounts on behalf of customers;
- Under PSD2, ASPSPs are obligated to provide two types of API access to authorised TPPs: account information access (for AISPs) and payment initiation access (for PISPs).
Core Functions of an Account Servicing Payment Service Provider (ASPSP)
Payment Account Management: ASPSPs are responsible for the full lifecycle of a payment account – from opening and onboarding through ongoing maintenance to closure. This includes processing incoming and outgoing transactions, maintaining accurate account records, managing account balances, and ensuring the operational continuity of the account on behalf of the customer.
Enabling Payment Initiation Services: Under PSD2, ASPSPs must provide authorised PISPs with access to their payment infrastructure, allowing PISPs to initiate transactions directly from a customer’s account, with the customer’s explicit consent. The ASPSP processes and settles the payment instruction while the PISP acts solely as the initiating party. This enables account-to-account payment flows that bypass traditional card networks.
Enabling Account Information Services: ASPSPs are also required to grant authorised AISPs read-only access to customer account data, such as balances, transaction history, and account details, through their open banking API. This access underpins account aggregation services, personal finance management tools, and lender affordability assessments. The ASPSP shares this data only within the scope of the customer’s explicit consent.
Security, Authentication, and Data Protection: ASPSPs are required by PSD2 to implement Strong Customer Authentication (SCA) for account access and payment initiation, and to comply with GDPR data protection obligations. This includes robust encryption, secure API infrastructure, and ongoing monitoring for unauthorised access attempts. Security and data protection are regulatory requirements – not optional features – and form a core part of ASPSP compliance obligations.
Regulatory Compliance: ASPSPs operate under PSD2 and must be authorised by a national competent authority. Their obligations include maintaining compliant open banking API infrastructure, responding to TPP access requests within defined parameters, and adhering to EBA regulatory technical standards (RTS) on strong customer authentication and secure communication.
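The consent boundaries described above (the TPP's role as AISP or PISP, the consented account and operations, completed SCA) can be enforced as a deny-by-default check in front of the ASPSP's API. This is an added example, not code from this page or from any ASPSP; the operation names, record fields and identifiers are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical mapping of TPP licence role to the operations it may ever request.
ROLE_OPERATIONS = {
    "AISP": {"read_balances", "read_transactions", "read_account_details"},
    "PISP": {"initiate_payment"},
}

@dataclass(frozen=True)
class Consent:
    """Constructed record an ASPSP might store once the customer approves a TPP."""
    tpp_id: str
    account_id: str
    operations: frozenset
    sca_completed: bool
    expires_at: datetime
    revoked: bool = False

def authorise(consent, tpp_id, tpp_role, account_id, operation, now):
    """Return (allowed, reason). Every boundary of the consent must hold."""
    if operation not in ROLE_OPERATIONS.get(tpp_role, set()):
        return False, "operation not permitted for TPP role"
    if consent is None or consent.tpp_id != tpp_id:
        return False, "no consent for this TPP"
    if consent.revoked or now >= consent.expires_at:
        return False, "consent revoked or expired"
    if not consent.sca_completed:
        return False, "SCA not completed"
    if consent.account_id != account_id:
        return False, "account outside consent"
    if operation not in consent.operations:
        return False, "operation outside consent scope"
    return True, "ok"

# Constructed sample: a budgeting app (AISP) consented for balances and transactions.
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
BUDGET_APP = Consent("tpp-budget-app", "acct-001",
                     frozenset({"read_balances", "read_transactions"}),
                     True, datetime(2024, 3, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for op in ("read_balances", "read_account_details", "initiate_payment"):
        print(op, authorise(BUDGET_APP, "tpp-budget-app", "AISP", "acct-001", op, NOW))
```

Logging the returned reason for each denial gives the ASPSP's monitoring a direct signal when a TPP repeatedly requests data or actions outside its consent.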
FAQ:
- What is the difference between an ASPSP and a TPP?
An ASPSP holds and manages the payment account – it is the bank or payment institution where the customer’s funds are kept. A TPP is a third-party service provider that accesses the account – either to read data (AISP) or initiate payments (PISP) – through the ASPSP’s open banking API, always with the customer’s consent. ASPSPs provide the account infrastructure; TPPs build services on top of it.
- Are all banks ASPSPs?
Any regulated entity that holds payment accounts on behalf of customers is classified as an ASPSP under PSD2. This includes traditional retail and commercial banks, e-money institutions, and payment institutions that offer payment accounts. Non-account-holding entities – such as pure payment processors or card networks – are not classified as ASPSPs.
Open banking, an idea that’s changing the financial landscape, wouldn’t be possible without ASPSPs. They are the binding force that enables secure access to payment accounts, fostering competition and facilitating collaboration between traditional banks and emerging fintech players. The result? A slew of innovative, customer-oriented financial services that bring convenience, choice, and control to the end-users.
In the fintech lexicon, ASPSPs are more than an acronym. They play a pivotal role in shaping the financial ecosystem, enabling collaboration, ensuring transparency, and above all, fostering customer trust. Understanding the role of an ‘account servicing payment service provider’ goes beyond learning another industry term – it’s about understanding the pulse of the future of finance. With Baseella you may become one, while accounting for the regulatory requirements and aspects that are essential for a thriving payments business as an ASPSP.