Yes, under Article 18(1), under c, of the PSD2 an account information service provider is also permitted to pursue business activities other than account information services.
An account information service provider may also provide one of the other seven payment services specified in Annex I to PSD2, with each service requiring an extension of the provider's licence. An account information service provider may also provide financial services (which may require a licence issued by the Dutch Authority for the Financial Markets – AFM), or business activities that are not at all related to financial service provision. The regulations do not set any restrictions on the types of business activities pursued by payment service providers. The relevant supervisory authority may require the establishment of a separate entity for the payment services business, where the non-payment services activities of the payment institution impair or are likely to impair either the financial soundness of the payment institution or the ability of the competent authorities to monitor the payment institution’s compliance with all obligations laid down by PSD2 (Article 11(5).
The EBA's Guidelines under Directive (EU) 2015/2366 (PSD2) on the information to be provided for the authorisation of payment institutions and e-money institutions and for the registration of account information service providers are important in the context of applications for a licence as an account service provider. This particularly applies to Guideline 4.2, which provides that applicants must indicate whether they intend to pursue any other business activities in the next three years, and provide a description of the type and expected volume of these activities. DNB will assess the viability of the business model of an account information service provider as an independent activity.
Are account information service providers also pursuing other business activities also allowed to use the account information received with the payment service user's permission for these other business activities?
Pursuant to Article 67(2), under d and f, of PSD2 an account information service provider is not permitted to use information received in the context of the account information services specifically requested by the payment service user for any other purposes, in accordance with the requirements governing data protection. An account information service provider must at all times provide the payment service user with truly consolidated account information.
In addition, European and national regulations regarding data protection apply. Effective 25 May 2018, this is the General Data Protection Regulation (GDPR) and the national regulations based on this. Once the payment service user has received the consolidated account information, they can give an account information service provider consent to also use their data for other purposes, e.g. business activities not related to PSD2. Please note that if this (also) involves particular categories of personal data, this requires explicit consent. In other words: if an account information service provider wishes to use a payment service user's data for other purposes or activities (whether or not PSD2-related), it requires the payment service user's separate consent, in accordance with the requirements of the GDPR and subordinate national regulations. An account information service provider may never use the account data received in the context of the account information services directly for its other business activities.