Open banking is the use of open APIs that enable third-party developers to build applications and services around financial institutions. Tink provides services in the open banking industry and therefore offer services that rely on interactions with financial institutions. Our services are provided on a software-as-a-service basisand all use is governed by the terms of our Master Service Agreement.
Some open banking activities require a license or authorization under open banking legislation. Tink's platform can be configured to support both licensed and non-licensed customers and consequently, understanding the licensing configuration is important as it has legal implications. Here are some key differences that depend on licensing:
Licensed customers - Tink operates as a technical service provider when provisioning services to licensed customers and contracts with its customers like in a normal customer-vendor relationship
Non-licensed customers - Our customers redirect end-users to Tink, who then offers services that are subject to licensing requirements directly to the end-users, after which the end-users are redirected back to the customer. Our services to our customers are governed by the Master Service Agreement and our services to end-users are governed by our EULA
Want to know more about open banking or deep dive into the different terms and industry parties? You'll find more information in these resources:
What is an agent?
Under PSD2 an 'account information service' is an online service which provides consolidated information on payment accounts held by a payment service user with payment service providers. In plain language, this essentially means that non-licensed entities may not display financial information to the end-users as that activity likely qualifies as an account information service under the PSD2.
Tink can, in some limited cases and for a limited time, appoint its customer as an agent of Tink which means that the customer can display the financial information back to the end-users on behalf of Tink. Contact us if you would like to explore options.
Is Tink subject to AML-requirements?
Tink is an authorised payment institution licensed by the Swedish Financial Supervisory Authority (Finansinspektionen) to provide PIS and AIS. Therefore, Tink is subject to requirements in a number of anti money laundering and counter terrorist financing legislative acts.
We have received an onboarding form from Tink, why do we need to fill this out?
When Tink is providing services on our license, we enter into a business agreement with you as set out in the AML /TF framework. This means that Tink needs to perform a customer due diligence on you (as a part of Know Your Customer rules), which we do via this onboarding form. We also perform sanction- and PEP-screenings.
I don't want to fill out the form, can I use the services anyway?
No, you can't. If you don't complete the onboarding form and provide the requested information, Tink will not be able to provide services for you.
Why do Tink have different PIS-limits for different customers?
The AML-framework is risk based. Tink's mitigating measures in place, to handle the AML/TF-risk that we are exposed to, should be adequate to the level of risk. When assessing the AML/TF-risk, Tink is obliged to take into consideration certain factors such as for example certain geographical aspects and what operational areas the customer is active in. If a customer relationship impose higher risks, Tink will as a standard impose a lower PIS-limit to meet the increased risk.
Is Tink a data controller or a data processor?
Tink process personal data in either of two capacities depending on the relationship in which we process that personal data in.
Tink acts as a data controller when we process personal data pursuant to our agreements with consumers (i.e. all of Tink's payment service users).
Tink acts as a data processor when we process personal data on behalf of our corporate customers.
How does Tink transfer theinformation from Tink to the customer/partner when acting as a payment service provider (PSP)?
Tink transfers information about the data subjects to our customers after having provided the payment service to the data subjects. The transfer of information is a controller to controller transfer and the transfer occurs by Tink by making the information available in the customers’ account on the Tink platform.
Do you have a data processing addendum?
Yes, our Data Processing Addendum can be found here.
Does Tink transfer customer data to third countries?
Tink does not transfer customer data to any third country as described in Chapter 5 of the GDPR.
Where is data stored and processed?
All data is stored and processed within the EU/EEA.
How does Tink, when acting as the PSP, ensure that it has the right to process personal data relating to the data subjects?
Tink ensures that all data subjects are redirected to Tink Link where each data subject will enter into an agreement for the provision of the payment service, receive our privacy notice and instruct Tink to transfer the relevant information to our customer. You can find live demos of Tink Link on https://demo.tink.com.
What is Tink’s, when acting as the PSP, legal basis under the GDPR for carrying out the payment services?
Tink’s legal basis under the GDPR for providing the payment service to the data subject is article 6 (1) (b) (performance of a contract).
Is there a way for us to try Tink’s services without using real personal data?
Yes. You can register an account for free on Console where you can opt to use dummy data to test our services. You can find information about how to enable the Demo Bank in our documentation.
Has Tink implemented technical and organizational safeguards?
Yes.Tink is certified as ISO 27001 compliant and we regularly review our data security measures. We have a dedicated security team that works with all teams at Tink to ensure security in all aspects of the platform and services. We regularly conduct penetration test audits with external auditors. More information about Tink's security measures can be found in the Privacy and Security Documentation.
What kind of services do you provide directly to end-users?
We provide either account information services or payment information services to end-users. These are governed by our End-User License Agreement (EULA) and tare.
How does Tink handle consent requirements under the PSD2
When Tink operates as a PSP the PSD2 requires that we obtain explicit consent from the payment service users (or end-users) before providing payment services to them. The explicit consent is a contractual consent which Tink obtains when the payment service user interacts with us in TinkLink.
Note that the explicit consent referred to in PSD2 is separate from the legal bases stipulated in the GDPR and that Tink does not use consent as a legal basis under the GDPR.
What license does Tink have and what does it cover?
Tink is a payment institution authorised by the Swedish Financial Supervisory Authority (Finansinspektionen) to providepayment initiation services (PIS) and account information services (AIS). Note that Tink's licenses does not cover activities carried out by our customers or partners.
How can we see proof of Tink’s license?
SFSA’s Company register: https://www.fi.se/sv/vara-register/foretagsregistret/details?id=145258
EBA’s payment institution register: https://euclid.eba.europa.eu/register/pir/search
Why doesn’t Tink show up in the NCA/FSA national register in my territory?
Tink holds a Swedish license. In other EU-markets, Tink provides AIS and PIS as cross-borderservices under an EU passport (in accordance with the Principle of single authorisation).
Both the Swedish Financial Supervisory Authority's register and EBA’s payment institution register shows what markets Tink has the right to provide cross border services.
What’s the difference between using Tink’s license and our license as a customer?
Some major differences:
It is the licensed party that formally is the provider of the payment service (AIS and/or PIS).
It is the licensed party that identifies itself towards the bank when accessing the end-user's accounts.
It is the licensed party that has the relationship with the end-user, meaning that it is that entity’s T&Cs and Privacy Notice that is displayed towards the end-user.
The end-user gives its explicit consent as defined in PSD2 to the provider of the service.
The licensed party carries the regulatory risk for the service, including to comply with AML obligations for the payment service.
Tink does not allow un-licensed customers to white label TinkLink.
Can customers white label Tink Link?
While the look and feel of Tink Link can be somewhat customized within our services, we only permit licensed customers to fully white label Tink Link as we use Tink Link to ensure that we meet our regulatory requirements when provisioning services to payment service users (or end-users).