Frequently asked questions on PSD2

This is a European regulation that aims to increase competition and innovation when it comes to paying and arranging your money matters. 

The PSD2 regulation allows you to give other companies, called Third Party Providers (TPPs), permission to collect your payment data from ING. For example, to offer you a total overview. Banks are then obliged to share that information. 

But only if you want to and have explicitly given permission yourself. Otherwise not.  

View how that works here.

Banks, but also non-banks, may offer account information services and payment services as a result of PSD2. We call this Third Party Providers (TPPs).  

Not every company is eligible to offer these services. PSD2 sets strict requirements and companies must apply for a permit for this.  

These requirements and the supervision of these companies are maintained in Luxembourg by the CSSF. It is also possible that the company has a license in another European country, in this case the license will be enforced by similar entities in that country.

Maybe not very much in the beginning. But there will be new types of digital services and new payment methods in (online) stores. From start-ups, from other companies but also from us of course, because we are also developing new services for you. So that you can arrange your money matters even easier.

We then share your transaction data and your balance. You give permission for this per account: you choose which company gets access to which account.

The first time we share your transaction data for the past 24 months. This is mandatory from PSD2. Then you can view the same payment data through that company as with us in your usual ING App.

  • Your account number
  • Your name
  • Name of the beneficiary
  • Beneficiary’s account number
  • Description or payment reference
  • Amount and date of the transaction

Before you give permission to a company, carefully check whether you actually know the company and whether it makes sense for them to request that permission. For example, because you want to use a service from the company for which they need that data. 

We are just as careful with your data as ever. Protecting your data is our priority and we will only share payment details with other providers of account aggregation and payment initiation services if you want us to, and only after you have given your consent to the provider beforehand. You will be able to revoke the consent at any time from the provider of payment services.

And if you do give permission, we first check whether that company benefits from a valid eIDAS (electronic IDentification, Authentication and trust Services) certificate that enables it to duly operate within the EEA region. We do this not once but every time that company tries to gain access to retrieve information. 

And we also check whether the period of your consent to that company has not yet expired.

Companies may only use your data for the purpose for which you have given their consent. The Luxembourg Data Protection Authority checks whether companies comply with agreements.  

Also handle your details with care. Consider whether you have entrusted your data to a company. For example, first view the terms and conditions and the privacy statement of the company with which you want to share your information. So you know how they will handle your data.

PSD2 provides new services that can make managing your money matters easier. But giving access to your payment account is something that you must handle with care. Before you give permission to a company, carefully check whether you actually know the company and whether it makes sense for them to request that permission. For example, because you want to use a service from the company for which they need that data. 

When you are asked to make a payment, check whether the amount and the description are correct. 

Also first view the conditions and the privacy statement of the company with which you want to share your data. So you know how they will handle your data. 

In addition, the new PSD2 regulations can be a reason for criminals to send phishing emails. So be alert to that.

PSD2 provides new services that can make managing your money matters easier. That can be services from companies other than banks. For example an app in which you manage your budget. Then you can give that app permission to request your payment details from different banks. Like this you have a total overview in that budget app. Banks are then obliged to share that information. But that only happens if you want to. Otherwise not. View how that works here.

You can give three types of access to another company:

  1. Account Information Service (AIS): you will be able to consult your payment transactions and the balance of your current account(s) held at different banks via one screen.  
  2. Payment Initiation Services (PIS): You will be able to initiate payments with your accounts at different banks from the platform of another provider.
  3. Confirmation Availability of Funds (CAF): A provider of payment services could ask if there is enough money in your current account to carry out a card transaction.

If you give permission to share your data, it can have advantages. Exchanging information will become easier and new services will come to help you make your money matters easier. From start-ups and also from other companies. 

Check here the information for corporate customers

In order to give permission, you provide a proper ‘explicit consent’ . The way it works is that you get redirected to an internal ING secured dedicated website where you do select the country of your ING account (ING Luxembourg). You then click ‘Next’ and you get access to an authentication page. Per default, the Luxtrust Token authentication page will be displayed allowing you to put your credentials (User ID, Password, OTP), but you can still select another authentication mean such as Luxtrust Mobile App, Luxtrust Smartcard, LuxTrust Scan or also Luxtrust Signing stick, if you want to.

From that moment on, you can then, depending of the service:

  • select which account you want to grant access to for a 90 days period (Account Information Services)
  • select which account you want to use to initiate a payment every time you do so (Payment Initiation Services)
  • select which account you want to grant access to for an unlimited period of time until revocation (Confirmation Availability of Funds)

Only then does another company have access to your payment accounts. So you see, you don't just give permission. You really have to do something for that yourself ! And if you do not give permission to another company, nothing will change for you.

For further details, here are the 3 different services that you can give permission for:  

1. Account Information Services: For requesting your transactions and balance of your payment accounts.

For example, an app that shows you clearly what you spend your money on. We then share your transaction data and your balance. 

Account and transaction data include:

  • Your account number
  • Your name
  • Name of the beneficiary
  • Beneficiary’s account number
  • Description or payment reference
  • Amount and date of the transaction

2. Payment Initiation Services: For payments via the platform of another company. 

You can order web shops or payment apps to make payments from your Payment account at ING. You always give the final approval for such a payment yourself using your usual way of authentication. So another company cannot make payments from your account without your permission. 

3. Confirmation Availability of Funds : Another company can inquire check balance information to know whether there is enough money in your Payment Account at ING to carry out the card transaction for that transaction. 
You can give permission to a company to check. ING will then only indicate with a ‘yes’ or ‘no’ if there is enough money in your Payment account. 

Yes you can. The initiative to share payment data always lies with you as a customer. And so you are always the one who can withdraw this permission. Withdrawal of your permission is – from the time being not legally possible at ING - but should be performed at the company to which you originally granted permission to. 

If you have given permission to another company to request your payment details from ING, for example to provide you with a financial statement or financial advice, that company will receive that information from us. Such a company may not use your data for purposes other than those for which you have given your consent. And they must, of course, handle that data with precision. View how they do that at that company. For example in the privacy statement or the conditions of that company.

Absolutely nothing. Because you only have to do something if you want to give permission. Your account details will not be shared if you do not give permission.

In that case, the account information service provider will still receive the transaction data with your name, account number, description and the amount transferred by you. Because PSD2 banks are legally obliged to share that transaction data.

However, the account information service provider may not use your transaction data for other purposes without your permission. This is stated in the General Data Protection Regulation (GDPR). The CNPD Luxembourg supervises the GDPR.

Nothing without your permission. Do you give permission for an overview of your income and expenses? Then that data may not simply be used for an overview of your creditworthiness, for example. Because for that purpose you must first give permission again.

We are just as careful with your data as ever . Protecting your data is our priority and we will only share payment details with other providers of account aggregation and payment initiation services if you want us to, and only after you have given your consent to the provider beforehand. You will be able to revoke the consent at any time from the provider of payment services.

And if you do give permission, we first check whether that company benefits from a valid eIDAS (electronic IDentification, Authentication and trust Services) certificate that enables it  to duly operate within the EEA region. We do this not once but every time that company tries to gain access to retrieve information. 

And we also check whether the period of your consent to that company has not yet expired.

Companies may only use your data for the purpose for which you have given their consent. The Luxembourg Data Protection Authority checks whether companies comply with agreements.  

Also handle your details with care. Consider whether you have entrusted your data to a company. For example, first view the terms and conditions and the privacy statement of the company with which you want to share your information. So you know how they will handle your data.

We will only share your information with another company if you have given your explicit consent. That company  must also benefit from a valid eIDAS (electronic IDentification, Authentication and trust Services) certificate that enables it  to duly operate within the EEA region

Such a company only receives a permit if they meet strict requirements. The CSSF also supervises these companies.  

So if you do give permission, we first check whether that company benefits from a valid eIDAS. We do this not once but every time that company tries to gain access to retrieve information. 

Giving access to your payment account is something that you must handle with care. Before you give permission to a company, carefully check whether you actually know the company and whether it makes sense for them to request that permission. For example, because you want to use a service from the company for which they need that data. And when you are asked to make a payment, check whether the amount and the description are correct.  

Also first view the conditions and the privacy statement of the company with which you want to share your data. So you know how they will handle your data.  

In addition, the new PSD2 regulations can be a reason for criminals  to send phishing emails. So be alert to that.

Is your question not included? Then view the other questions about PSD2 here