Yes, under Article 18(1c) of PSD2, an account information service provider is also permitted to pursue business activities other than account information services.
An account information service provider may also provide one of the other seven payment services specified in Annex I to PSD2, with each service requiring an extension of the provider's licence. An account information service provider may also provide financial services (which may require a licence issued by the Dutch Authority for the Financial Markets – AFM), or business activities that are not at all related to financial service provision. The regulations themselves do not set any restrictions on the types of business activities pursued by payment service providers. The relevant supervisory authority may require the establishment of a separate entity for the payment services business, where the non-payment services activities of the payment institution impair or are likely to impair either the financial soundness of the payment institution or the ability of the competent authorities to monitor the payment institution’s compliance with all obligations laid down by PSD2 (Article 11(5)).
The EBA's Guidelines under Directive (EU) 2015/2366 (PSD2) on the information to be provided for the authorisation of payment institutions and e-money institutions and for the registration of account information service providers are important in the context of applications for a licence as an account service provider. This particularly applies to Guideline 4.2, which provides that applicants must indicate whether they intend to pursue any other business activities in the next three years, and provide a description of the type and expected volume of these activities. DNB will assess the viability of the business model of an account information service provider as an independent activity.
Are account information service providers that also pursue other business activities also allowed to use the account information received with the payment service user's permission for these other business activities?
The answer is yes, but only if the payment service provider has provided GDPR consent specifically for this purpose. Pursuant to Article 67(2), under d and f, of PSD2 an account information service provider is not permitted to use information received in the context of the account information services specifically requested by the payment service user for any other purposes, in accordance with the requirements governing data protection. The payment service user must provide GDPR consent in advance if the account information service provider intends to use consolidated data for a purpose other than that for which the payment service user is entitled within the confines of the expressly requested account information service. The provisions of PSD2 then no longer apply. The payment service user does not necessarily have to receive the consolidated data that are to be used for other purposes.