1. Member States shall ensure that a payment
service user has the right to make use of services enabling access to
account information as referred to in point (8) of Annex I. That right
shall not apply where the payment account is not accessible online.
2. The account information service provider shall:
(a) provide services only where based on the payment service user’s explicit consent;
(b) ensure that the personalised security
credentials of the payment service user are not, with the exception of
the user and the issuer of the personalised security credentials,
accessible to other parties and that when they are transmitted by the
account information service provider, this is done through safe and
(c) for each communication session,
identify itself towards the account servicing payment service
provider(s) of the payment service user and securely communicate with
the account servicing payment service provider(s) and the payment
service user, in accordance with point (d) of Article 98(1);
(d) access only the information from designated payment accounts and associated payment transactions;
(e) not request sensitive payment data linked to the payment accounts;
(f) not use, access or store any data for
purposes other than for performing the account information service
explicitly requested by the payment service user, in accordance with
data protection rules.
3. In relation to payment accounts, the account servicing payment service provider shall:
(a) communicate securely with the account information service providers in accordance with point (d) of Article 98(1); and
(b) treat data requests transmitted through
the services of an account information service provider without any
discrimination for other than objective reasons.
4. The provision of account information services
shall not be dependent on the existence of a contractual relationship
between the account information service providers and the account
servicing payment service providers for that purpose.