Third Party Providers (TPPs) are regulated entities that, under the Payment Services Directive 2 (PSD2) framework, are authorised to access a user’s bank account data or initiate payments on their behalf, always with the user’s explicit consent. TPPs access this data and functionality through standardised open banking APIs provided by banks and payment institutions, which are referred to as Account Servicing Payment Service Providers (ASPSPs) under PSD2. TPPs must hold a valid authorisation or registration from a national competent authority before they can operate and are subject to ongoing regulatory oversight, data protection obligations, and security requirements.
As illustrated in a typical TPP interaction flow, a user selects a TPPs-powered service – such as a budgeting app or a checkout payment option – and is redirected to their bank to authenticate and grant consent. The bank verifies the consent and either shares the requested account data (in the case of an AISP) or confirms the payment initiation instruction (in the case of a PISP). The TPP never handles the user’s banking credentials directly, with all authentication taking place at the bank. Let’s delve deeper into the two main types of TPPs: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).
Key Takeaways: #
- Third Party Providers (TPPs) are regulated entities authorised under PSD2 to access bank account data or initiate payments on behalf of users, with their explicit consent;
- There are two main types: Account Information Service Providers (AISPs), which provide read-only access to account data, and Payment Initiation Service Providers (PISPs), which initiate payments directly from a user’s bank account;
- TPPs must be licensed by a national competent authority and listed on the relevant national or EBA registers.
The Two Main Types of TPPs #
Account Information Service Providers (AISPs): AISPs are authorised to access and consolidate financial account data from one or more banks, with the account holder’s consent. This is a read-only service; AISPs can retrieve balances, transaction history, and account details, but cannot move funds. The data is presented through a unified interface, eliminating the need to log into each bank separately.
Key applications of AISP services include:
- Personal finance management: aggregating accounts to track spending, categorise transactions, and support budgeting across multiple institutions
- Business cash flow monitoring: providing finance teams with a consolidated, real-time view of balances and transactions across multiple bank accounts or legal entities
- Creditworthiness and affordability assessment: enabling lenders to evaluate an applicant’s real transaction data – income, outgoings, and financial behaviour – with their consent, supporting faster and more accurate lending decisions
- Automated bookkeeping: feeding transaction data directly into accounting platforms for expense categorisation, VAT identification, and financial reporting
Payment Initiation Service Providers (PISPs) PISPs are authorised to initiate payment transactions directly from a user’s bank account on their behalf, bypassing traditional card networks or manual bank transfer processes. The user authorises the payment through their bank’s authentication interface, and the PISP instructs the payment but does not hold or handle the funds at any point.
Key applications of PISP services include:
- E-commerce checkout payments: enabling consumers to pay merchants directly from their bank account at checkout, without entering card details
- Account-to-account (A2A) transfers: facilitating direct bank-to-bank payments for individuals and businesses, reducing reliance on card rails
- Reduced merchant processing costs: by bypassing card networks, PISP-initiated payments eliminate interchange fees, lowering the cost of payment acceptance for merchants
- Recurring and scheduled payments: initiating variable or fixed recurring payments directly from a user’s account, with appropriate consent frameworks in place
Regulatory Framework for TPPs
TPPs operate within a strict regulatory environment under PSD2. Before accessing any account data or initiating payments, a TPP must obtain authorisation or registration from a national competent authority – such as the FCA in the UK, or the equivalent regulator in their home EU member state. Authorised TPPs are listed on national registers and the EBA’s central register, which can be used to verify a provider’s legitimacy. TPPs are bound by GDPR data protection obligations and are required to implement strong customer authentication (SCA) standards for all interactions involving account access or payment initiation.
FAQ: #
What is the difference between an AISP and a PISP?
- An AISP accesses account data only – it is a read-only service that cannot move funds. A PISP initiates payment transactions from a user’s bank account, and it can instruct payments but does not hold or handle funds. Some providers are authorised as both AISPs and PISPs, offering combined account aggregation and payment initiation within the same platform.
How can I check if a TPP is authorised?
- TPP authorisations can be verified through the relevant national competent authority register. The European Banking Authority (EBA) also maintains a central register of all PSD2-authorised payment institutions across the EU, available at the EBA’s official website.
Baseella allows you to remain compliant with the obligations of providing access to your customer data. Contact us to learn how you can leverage your payments technology.
