Under PSD2, new Third Party Providers can access new API Payments and API Data via from ASPSPs.
No contract is needed between the ASPSP and TPP for this access.
The TPP still needs to Identify itself as a valid Regulated Entity, in order for them to be given XS2A access.
This checking prevents non-Regulated Entities using XS2A, protecting both Bank systems from Technology attacks, and also protecting Customer Funds and Data (GDPR) from being misappropriated.
ASPSPs therefore need an Identification checking procedure, specifically for regulated XS2A Third Party Providers.
To make it easier for the TPP, this setup can be done once upfront, so that the TPP does not have to do this each time they access the Service. ASPSPs can then just check the regulatory status thereafter.
Finally, if this procedure is Standardised, then TPPs can follow the same steps with each ASPSP quickly and easily.