
AIS/PIS Permissions

Account Information Services (AIS) and Payment Initiation Services (PIS) are specific authorisations under open banking regulations. These permissions allow licensed providers to either aggregate financial data from multiple accounts or initiate payments directly from a user's account. Both services are supervised by regulatory authorities and form a core part of the open banking framework. Regulatory authorities maintain public registers of all authorised and registered entities.


What are AIS and PIS Permissions?

Account Information Services (AIS)
AIS allows providers to access and present consolidated financial information from one or more bank accounts. Examples include budgeting apps, personal finance dashboards, or price comparison tools that recommend financial products.

Payment Initiation Services (PIS)
PIS enables providers to initiate a payment on behalf of the customer directly from their bank account, without the need for debit or credit card rails such as Visa or Mastercard. Examples include e-commerce checkouts, bill payments, and recurring transactions such as streaming subscriptions where payments are initiated each month from the customer’s bank account.

Differences Between AIS and PIS

Understanding the differences between AIS and PIS is crucial for businesses aiming to leverage their full potential.

| Feature | AIS | PIS |
|---|---|---|
| Core Functionality | Provides access to and aggregates financial data | Initiates payments directly from customer bank account |
| Primary Use | Financial management tools, budgeting apps, and credit assessments | Online payment processing, recurring payments, and saving automation |
| Access Type | Read-only access to customer financial data | Initiates payments from customer bank accounts |

Scope of Permissions - AIS

Companies may only provide AIS where explicit customer consent has been obtained, typically through a clear and affirmative action such as a tick-box confirmation.

When offering AIS, firms are required to provide sufficient information to customers to ensure transparency, including:

  1. a clear description of the service scope and functionality
  2. details of how customer data will be used
  3. disclosure of whether data will be shared with any third parties

Once access is granted, the AIS uses secure Application Programming Interfaces (APIs) to access the customer’s financial data from participating banks. This data is then aggregated and presented to the user in a meaningful format, often through user-friendly dashboards.

Scope of Permissions - PIS

As with AIS, firms must obtain explicit consent to provide PIS. After that, when a customer initiates a payment on an e-commerce platform or within an app, the PIS securely transmits the payment request to the customer’s bank. The customer then authenticates the transaction through the bank’s mobile application or another strong authentication method. Once authentication is complete, the bank transfers the funds directly from the customer’s account to the merchant’s account.

The permission does not allow the PIS to hold customer money at any point and is limited to the secure initiation of payment instructions.

Regulatory Requirements - AIS

To become an Account Information Service Provider (AISP), a business can either apply for AIS permission as part of a Payment Institution (PI) or Electronic Money Institution (EMI) licence, or, if already authorised, it can request its regulator to add AIS to its existing licence through a variation of permission.

If a business only wants to provide AIS on its own, it can register as a Registered Account Information Service Provider (RAISP) with its regulator. This is a registration process, not a full authorisation, which means the requirements are lighter than for fully authorised EMIs or PIs.

The prerequisite policies are somewhat similar but differ slightly from those required for a full EMI or PI authorisation. When it comes to registration as an AISP, the following represents the minimum documentation that must be prepared:

  1. Regulatory business plan
  2. Financial model for 3 years
  3. Programme of operations
  4. IT risk management policy
  5. AML/CTF policy
  6. Financial crime prevention policy
  7. Data protection policy
  8. Statistical data collection policy
  9. Incident reporting policy
  10. Counterparty risk management policy
  11. Complaints handling policy
  12. Risk management arrangements
  13. Business continuity plan
  14. Internal audit policy
  15. Terms and conditions

Even under a lighter registration regime, regulators expect firms to demonstrate that core compliance and business elements are in place before approval is granted.

An AIS registration does not require any initial capital if it is obtained on its own, without authorisation for other payment services. However, firms must have professional indemnity insurance (PII) or a comparable guarantee in place.


The required amount of insurance is calculated based on:

  1. Risk profile
  2. The type of activity
  3. The size of activity

Regulatory Requirements - PIS

To become a Payment Initiation Service Provider (PISP), a business must apply for authorisation as a Payment Institution (PI) with its regulator. There is no separate "PISP licence" in law, but authorisation to provide payment initiation services is granted within the PI framework. A firm already authorised as a PI or Electronic Money Institution (EMI) can also request its regulator to add PIS to its existing licence through a variation of permission.

Although not a distinct licence type, PISP authorisation is treated as a specific service within the PI regime, with its own set of requirements. This reflects the higher regulatory expectations placed on firms permitted to initiate transactions on behalf of customers.

The prerequisite policies should be more elaborate than those for AISP registration and must demonstrate stronger operational and governance standards.

If a firm wants to provide only the payment initiation service, often referred to as obtaining a PISP licence, it must have at least EUR 50,000 in initial capital. In addition, as with AIS, the firm is required to hold PII or an equivalent guarantee, which must cover all the countries where it will offer payment initiation services.

Consumer Protection Linked to AIS and PIS Permissions

The regulatory framework around AIS and PIS is strongly shaped by open banking regulations and continues to evolve to reinforce consumer safeguards.

Fraud prevention and liability

  • Strong Customer Authentication (SCA): This two-step verification significantly reduces fraud. For AIS, SCA is applied at first access, while subsequent data requests can be handled by the AISP unless fraud is suspected.
  • Spoofing and impersonation fraud: Regulatory frameworks increasingly expand refund rights to victims of sophisticated frauds, such as when criminals impersonate banks. Where spoofing is convincing and the customer has not acted with gross negligence, the payment service provider (PSP) must refund the loss.
  • IBAN/name verification: Credit transfers, including those initiated by PISPs, are subject to name/IBAN checks to prevent misdirected payments.

Refund rights

  • Customers gain the right to claim damages in cases where fraud occurs due to spoofing or technical failures in verification services. Refunds are conditional on timely reporting and absence of gross negligence.

Transparency of services

  • AISPs and PISPs must provide clear and accessible information on service scope, how data is used, and with whom it is shared.
  • Payment account statements must identify payees clearly (e.g., using commercial trade names) to reduce disputes or confusion.
  • Charges, conversion costs, and settlement times must be transparent, especially for international transactions.

Data protection and control

  • Access to personal data is limited to what is strictly necessary to provide the service, ensuring compliance with data protection regulations.
  • Banks are required to provide customers with dashboards where all active consents given to AISPs or PISPs can be viewed and revoked.

Complaints and redress

  • AISPs and PISPs must handle customer complaints within 15 days. If unresolved, cases may be escalated to the relevant out-of-court dispute resolution body.
  • Customers retain legal protections and oversight via their regulator, as well as access to compensation schemes depending on the type of failure.

Ongoing Responsibilities

Once authorised, AISPs and PISPs must maintain compliance on an ongoing basis:

  1. Regulatory Reporting – submitting periodic reports to their regulator in line with applicable requirements.
  2. Fraud Prevention & Monitoring – robust internal controls to detect suspicious activity.
  3. Complaint Handling – adhering to guidelines and rules on complaints management, including reporting obligations.

AIS and PIS permissions are often obtained together by fintech firms entering the open banking ecosystem. While they carry lighter capital requirements than an EMI/PI licence, regulators still expect firms to be ready, willing, and organised before granting approval, and to operate in line with regulatory technical standards.

About Us

We are a team of former MLROs, compliance officers, and fintech and regtech professionals, dedicated to guiding firms through the regulatory landscape. Since 2019, our team has actively supported customers in building, scaling and expanding fintech businesses by providing a full suite of consulting services.

Our commitment to provide end-to-end support for businesses pursuing regulated activities led to the creation of Fintheo. We are a tech-driven company that strives to offer impeccable service to customers. As part of our proposition, we also offer a purpose-built e-money software platform which is fully DORA-compliant. In 2022, we expanded our services to include Fintheo.Recruitment, a division focused on sourcing fit and proper individuals for director and management roles to support clients during the licensing process.

Fintheo. Competence. Prudence. Result.
