AISP-Only Registration in 2026: The Complete Open Banking Guide
A 2026 deep dive into the EU Account Information Service Provider registration: PSD2 Article 33 scope, no initial capital, mandatory PII, passporting, use cases (PFM, credit, accounting), and upgrade paths to full PI under PSD3.
What an AISP does and why the regime exists
An Account Information Service Provider (AISP) is a firm that, with a customer's explicit consent, pulls account data from banks and other payment service providers through open banking APIs and presents it back to the customer in a consolidated view or uses it for a regulated downstream service. It is the lightest licensed category in the PSD2 stack and the most common entry point into open banking.
The regime exists because pre-PSD2 screen-scraping was unregulated, unreliable and a security risk. PSD2 Article 67 gave customers the right to consent to third-party access to their payment account data, and Article 33 created the AISP-only registration category for firms that provide only account information services and do not touch customer funds.
What an AISP can do
- Aggregate account balances and transactions across banks
- Categorise and enrich transaction data
- Share enriched data with other regulated parties under consent
- Use account data to underwrite credit, price insurance, run PFM
- Passport across the EEA after home-state notification
What an AISP cannot do
- Hold customer funds or issue payment accounts
- Initiate payments (that is PISP, different licence)
- Issue cards or e-money
- Offer any other payment service without upgrading to full PI
- Re-sell raw account data without a user-facing consent flow
The line is strict. The moment you initiate a payment, even a sweep between two accounts that belong to the same customer, you leave Article 33 and need a PISP permission inside an authorised PI.
Registration, not authorisation: what that really means
Article 33 creates a hybrid regulatory category. AISP-only firms are registered, not authorised. Registration is lighter than full PI authorisation in four visible ways: no initial capital, no ongoing own-funds test, a shorter policy file and a fast-track timeline. It is heavier than an unregulated business in four other visible ways: mandatory PII, fit-and-proper testing, mandatory reporting and supervisory inspection.
| Dimension | AISP-only registration (Art. 33) | Authorised PI with AIS permission |
|---|---|---|
| Initial capital | None | None for AIS alone; EUR 20k-125k if combined with other PSD2 services |
| Ongoing own funds | No methods A/B/C/D requirement | Method A/B/C/D if combined with other services |
| PII or guarantee | Mandatory, risk-calibrated | Mandatory, usually higher |
| EU passport | Yes, by home-state notification | Yes, by home-state notification |
| File depth | Programme of operations, governance, PII policy, security, complaints | Full PI file including safeguarding and capital |
| Typical timeline | 3 to 6 months | 9 to 18 months |
Registered AISPs appear on the EBA central register alongside authorised institutions. Regulators can inspect, fine and revoke both types of firm in the same way.
Professional indemnity insurance: the single most-discussed number
Because AISPs carry no capital, the only live financial buffer between the firm and a customer harm event is the PII policy. EBA guidelines on PII under PSD2 set out three criteria that feed the minimum cover calculation.
- Risk profile criterion. Driven by the sensitivity of data handled, incident history and complaint volume. Higher-risk profiles pay a larger minimum.
- Activity criterion. Reflects the type of AIS activity: data aggregation alone sits at the lower end, credit-underwriting or algorithmic decisioning at the top.
- Size criterion. Based on the number of customers and accounts accessed. Scales upward as the book grows.
The formula produces a minimum insured sum: realistic policies for a seed-stage AISP start around EUR 250,000 of cover and rise with the book. Specialist fintech PII markets (Howden, Hiscox, Beazley, Marsh) price AISP cover roughly between EUR 5,000 and EUR 30,000 per year at seed stage. A comparable guarantee from a credit institution is allowed as a substitute but is rarely offered.
The policy must cover the AISP's liability to customers, to account-servicing PSPs (ASPSPs) whose APIs it accesses, and to third parties. It must be in force before the day the AISP accesses its first real customer account.
The registration file and the six-step process
Article 33 and the EBA Guidelines on authorisation and registration prescribe the file. Expect the regulator to treat AIS as low-friction only on capital; everything else is PSD2-grade.
- Programme of operations. Which data you access, from which ASPSPs, through which APIs, how consent is obtained and withdrawn, what you do with the data, how long you retain it.
- Business plan. Three-year forecast with user, revenue and cost assumptions. Does not require stressed scenarios at the same depth as a full PI file but must be credible.
- Governance and internal controls. Organisation chart, reporting lines, conflicts-of-interest policy, complaints-handling policy. Fit-and-proper checks on directors and qualifying shareholders.
- Security and data protection. Description of the API clients, eIDAS certificates used for strong customer authentication, incident-management policy, GDPR alignment, DORA-aligned ICT risk framework for ICT-dependent AISPs.
- PII evidence. Policy document and broker confirmation. If a guarantee is used, the guarantor letter.
- AML regime. PSD2 AML obligations are lighter for AIS-only but not zero. Customer due diligence if you onboard users under your own brand, sanctions screening proportionate to the service, data-protection impact assessment.
Typical national clocks are 3 months from a complete file, with regulators taking 3 to 6 months in practice. Lithuania, Poland, Ireland and the UK are the most experienced AIS-only markets.
Passporting and working across the EEA
A registered AISP can passport to any other EEA state by notification through the home regulator. The mechanism is identical to a full PI: freedom of services (remote) or freedom of establishment (local branch or agents). Host states may impose local conduct rules but cannot re-authorise.
The EBA central register is the single source of truth. Each ASPSP checks the register before granting API access, and a missing or lapsed entry blocks live calls within 24 hours. The API client certificate (QWAC under eIDAS) must match the registered entity on the EBA register.
The use cases that justify an AISP registration
Founders pick AISP-only when the product uses account data as input but does not move money. Four categories dominate the market.
Personal and SME finance management
Consumer and SME PFM apps that aggregate balances and transactions across banks, categorise spending and produce insights. Monzo's view-other-accounts and Emma-style apps are the reference implementations.
Credit decisioning and underwriting
Consumer and SME lenders that pull open-banking data to price credit, detect affordability risk and replace static payslip uploads. Faster, cheaper and more accurate than credit bureaux alone.
Accounting and tax integrations
Bank-feed integrations for accounting (Xero, QuickBooks, Sage) and tax-filing tools. Removes CSV uploads and reconciles in real time.
KYC, AML and fraud screening
Regulated use of account data to verify identity, source of funds and beneficial ownership. Feeds AML onboarding pipelines inside banks, EMIs, PIs and MiFID firms.
Outside those four, most commercial AIS use cases end up needing either PISP permission (pay-by-bank), safeguarding (holding money) or e-money issuance. At that point the AISP-only route is no longer enough and the firm upgrades to an authorised PI or EMI.
Popular AISP jurisdictions in 2026
United Kingdom (FCA)
Home of the OBIE and the most mature open-banking ecosystem globally. 9 to 15 active API standards, English procedure, FCA registration typically 4 to 6 months. Passport to the EEA was lost post-Brexit but the UK remains a deep domestic market.
Lithuania (Bank of Lithuania)
Most active AIS passport hub in the EU. English procedure, published timelines around 3 to 4 months, sandbox available. Popular combination: Lithuanian AISP plus a light sales office elsewhere.
Ireland (Central Bank of Ireland)
Detailed file but high-quality stamp. Published CBI AISP guidance from 2023 is one of the clearest in Europe. Process runs 4 to 6 months.
Poland (KNF)
KNF runs a parallel MIP (small PI) and AIS registration. Good entry point for firms targeting CEE markets. Timelines 3 to 5 months for a complete file.
Germany (BaFin), France (ACPR) and the Netherlands (DNB) all register AISPs but with heavier files and longer clocks. Malta and Cyprus are rarely used for AIS-only because the market is small and the ASPSP ecosystem less mature.
Data, consent and GDPR: the hidden complexity
PSD2 is the regulatory gate. GDPR is the day-to-day operational constraint. Every AISP runs a two-layer compliance stack.
- Consent under PSD2. Explicit, informed, revocable, re-asked every 180 days (being extended to 365 by PSD3). Must name the ASPSP, the data categories and the purpose.
- Legal basis under GDPR. Usually a contract (Article 6(1)(b)) or legitimate interest for the core AIS service, explicit consent for downstream processing, legitimate interest for fraud monitoring. The lawful basis must be documented in a Record of Processing Activity.
- Data minimisation. Pull only the data categories needed for the service, not a blanket all-accounts-all-time feed. Regulators have issued warnings to AISPs that requested "all accounts" when only one account was needed.
- Retention. Define and enforce a retention schedule. Common practice: raw transactions retained 90 to 180 days, derived analytics kept longer under a separate legal basis.
- Subject rights. Access, rectification, erasure, portability and objection. Build them into the product from day one. Retrofitting them after launch is painful and expensive.
Most AISP enforcement actions since 2022 started as GDPR complaints (over-collection, unclear consent) and widened into PSD2 supervisory inspections. Get the consent flow right and the rest of the file looks easy.
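One way to enforce the consent, minimisation and retention rules above at the data-access layer, as an added example that is not part of the original guide. The record fields, category names and the 180-day raw-data retention value are assumptions; the 180-day consent window and the 90-to-180-day retention range come from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CONSENT_VALIDITY = timedelta(days=180)  # PSD2 re-consent window (365 under PSD3)
RAW_RETENTION = timedelta(days=180)     # assumption: upper end of the 90-180 day practice


@dataclass(frozen=True)
class Consent:
    """Hypothetical consent record naming the ASPSP, data categories and purpose."""
    user_id: str
    aspsp: str
    categories: frozenset
    purpose: str
    granted_at: datetime
    revoked_at: Optional[datetime] = None


def authorize_pull(consent, aspsp, requested, now):
    """Return (allowed, reason) for one planned API pull; every failed check denies."""
    if consent.revoked_at is not None and consent.revoked_at <= now:
        return False, "consent revoked"
    if now - consent.granted_at >= CONSENT_VALIDITY:
        return False, "consent expired, re-ask the user"
    if aspsp != consent.aspsp:
        return False, "ASPSP not named in consent"
    excess = set(requested) - consent.categories
    if excess:  # data minimisation: never pull categories outside the consent
        return False, "over-collection: " + ", ".join(sorted(excess))
    return True, "ok"


def purge_raw(transactions, now):
    """Keep only raw transactions still inside the retention schedule."""
    cutoff = now - RAW_RETENTION
    return [t for t in transactions if t["fetched_at"] >= cutoff]


# Constructed sample data, for illustration only.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
CONSENT = Consent("u-1", "example-bank", frozenset({"balances", "transactions"}),
                  "budgeting", NOW - timedelta(days=30))
RAW = [{"id": "t1", "fetched_at": NOW - timedelta(days=10)},
       {"id": "t2", "fetched_at": NOW - timedelta(days=200)}]

if __name__ == "__main__":
    print(authorize_pull(CONSENT, "example-bank", {"balances"}, NOW))
    print(authorize_pull(CONSENT, "example-bank", {"balances", "standing_orders"}, NOW))
    print([t["id"] for t in purge_raw(RAW, NOW)])
```

Logging each denied pull with its reason gives the audit trail a supervisor will ask for when a consent complaint is investigated.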
From PSD2 to PSD3: what changes for AISPs
PSD3 and the Payment Services Regulation reached provisional agreement on 27 November 2025, with publication expected in H1 2026 and entry into force in 2027 after a 21-month transition. For AISPs the changes are mostly positive.
- Longer consent cycle. Consent refresh period extended from 180 to 365 days, reducing churn and improving retention.
- Stronger ASPSP performance obligations. Clearer API performance KPIs, mandatory downtime transparency, extended working hours. Fewer broken calls.
- Data access parity. PSR removes the fallback interface exemption for ASPSPs, so dedicated APIs become mandatory. Screen-scraping remains banned.
- Harmonised dispute resolution. Unified rules for when and how ASPSPs can deny or suspend AIS access, with appeal rights.
- FIDA on the horizon. The Financial Data Access Regulation extends open-banking-style access to investments, pensions, insurance and mortgages under a separate registration (Financial Information Service Provider, FISP). FIDA is still in trilogue but will almost certainly create a sister category for AISPs that expand beyond payment accounts.
Existing AISP registrations grandfather into the PSD3 regime. The re-authorisation burden for AIS-only is expected to be the lightest across PSD3 categories. Firms that already meet PSD2 and DORA requirements will not need structural changes.
Upgrade paths: when AIS alone is no longer enough
AISP-only is the right door for a narrow set of products. Any of the following triggers an upgrade to a full Payment Institution with additional permissions.
- Pay-by-bank (PISP). Initiating a payment turns you into a PISP, which needs an authorised PI with PSD2 service 7 permission. EUR 50,000 initial capital.
- Safeguarding. Holding any customer money, even briefly, requires EMI safeguarding. Cannot be added to an AIS-only registration.
- Card issuing. Issuing a card programme needs a full EMI (or PI with PSD2 service 5 permission for non-EMI cards) and a BIN-sponsor arrangement.
- B2B data resale to unregulated parties. Selling raw or lightly-transformed account data outside the consented user journey is regulated by PSD2 and GDPR and cannot sit under an AIS-only registration.
A well-designed AIS-only firm plans the upgrade before filing. Most of the governance, security and data-protection work is reusable. Most of the team is already in place. The incremental file is the capital plan, safeguarding design and service-specific policies.
FAQ
An Account Information Service Provider is a firm registered under PSD2 Article 33 that, with the customer's explicit consent, accesses account data at banks and other PSPs through open-banking APIs and uses it to provide a regulated downstream service without ever holding customer funds.
Article 33 creates an AISP-only registration, not a full authorisation. Registration removes initial-capital and ongoing own-funds requirements but keeps PII, governance, security, reporting and passporting obligations.
No initial capital and no ongoing own-funds test. The financial buffer is mandatory professional indemnity insurance or an equivalent guarantee from a credit institution, calibrated to risk, activity and size.
Seed-stage AISP policies typically start around EUR 5,000 to EUR 30,000 per year for EUR 250,000 to EUR 1 million of cover, and scale with user count, data sensitivity and incident history. Specialist fintech markets (Howden, Hiscox, Beazley, Marsh) are the usual sources.
Yes. Once registered in a home state, the AISP notifies the home regulator of every host Member State where it wants to operate. Services can start within weeks of notification. No second registration required.
Statutory clock is three months from a complete file. Real-world timelines run 3 to 6 months in Lithuania, the UK, Ireland and Poland, and 6 to 9 months in Germany, France and the Netherlands.
You need PISP permission, which requires authorisation as a full Payment Institution with PSD2 service 7, EUR 50,000 initial capital and a larger file. AIS and PIS are commonly combined inside a single authorised PI.
Mostly positively. Consent cycles extend to 365 days, ASPSP API obligations tighten, the fallback interface exemption disappears and dispute resolution becomes harmonised. Existing AISPs grandfather into the new regime with a light re-authorisation.
The Financial Data Access Regulation extends open-banking-style access to investments, pensions, insurance and mortgages through a new Financial Information Service Provider category. FIDA is still in trilogue but will create a natural expansion lane for AISPs once adopted.
Crassula provides the open-banking and core-banking layer: pre-integrated ASPSP API fleet, normalised data model, merchant enrichment, PSD2-plus-GDPR consent flow and an upgrade path into full PI or EMI. We work alongside your legal counsel on the registration file.