Response to consultation on Guidelines on authorisation and registration under PSD2
Go back
3.1 c.iii, 3.1 d, 12.1 g, and other sub-paragraphs referencing draft contracts
This adds an unnecessary burden to applicants. Instead, would suggest that the applicant be required to put in place adequate governance measures regarding any contracts or relationships with third-party suppliers. The applicant should demonstrate how these governance procedures will work, and how they will ensure compliance with the applicant’s obligations.
4.1.a Requirements for a detailed marketing plan
This goes beyond the scope of PSD2, as it is not mentioned in the Directive. Instead, the applicant should provide clear reasoning in the business plan that there is an addressable market and that the business is sustainable.
5.1.g ‘a list of all natural or legal persons that have close links with the applicant, indicating their identity and the nature of those links’
There is nothing in PSD2 Article 5 which specifies this requirement. This requirement has an overly broad scope.
7.1.d ‘ a copy of the draft contract with credit institution, including explicit declaration of compliance with Article 10 of PSD2.’
While it is the responsibility of the applicant to ensure customer funds are safeguarded, it is unclear in this paragraph who should be making an ‘explicit declaration’. Rather than a draft contract, a signed statement by the applicant firm that it will ensure client funds are safeguarded in line with the regulation would accomplish the same task without the necessity of the signature of the credit institution, especially given that it is the applicant’s obligation and not the credit institution’s.
8.1.c ‘a confirmation of the regulatory reporting requirements that apply to the applicant’
This is odd. Perhaps change to ‘confirmation that the applicant will fulfil regulatory reporting requirements’, rather than requiring the applicant to list the requirements. This would also be future-proofed against any changes to reporting requirements that may arise.
13.1. C. ‘an exhaustive list of authorised connections from outside with partners, service providers, entities of the group and employees of the applicant working remotely, including the rationale for such connection’
This paragraph has an incredibly wide scope, doesn’t take into account the practicality of fulfilling this requirement, which is overly onerous. Large number of service providers across the product - banking connections, cybersecurity providers, cloud service providers, data/statistical software providers, infrastructure providers, etc.
Instead, we suggest that the focus be on paragraph 13.1 D, requiring the applicant ensure there are measures in place to assess and rationalise the access and connections that are allowed, and put in place mechanisms to prevent unauthorised access.
15.1 c. ‘a list of the names of all persons and other entities that have or will, in case of authorisation have qualifying holdings in the applicant’s capital, indicating in respect of each such person or entity:..’
It is sufficient for the supervising authority to know who has qualifying holdings, their identity and their suitability. If the aim of this requirement is to establish what persons or entities may have a ‘controlling interest’ and the level of such ‘control’, it may be more helpful to ask the question directly rather than asking for a detailed list of shares, security interests, premiums, etc.
15.2.e ‘the current financial position of the person, including details concerning sources of revenues, assets and liabilities, security interests and guarantees, whether granted or received;
15.2.g ‘financial information, including credit ratings and publicly available reports on any undertakings directed or owned by the person
These are overly invasive requirements which go well beyond what is written in PSD2, and are particularly concerning for authorised venture capital funds that may have a qualifying holding. This would make any investor pause before investing in a payments institution start up. In the case of a venture capital fund, there would be an long list of ‘undertakings directed or owned by the person’ and it would be unfair for the other companies who are in a given fund’s portfolio to be required to share their financial information for the licensing application of a completely unrelated company.
15.3.j. The shareholding structure of the legal person, including at least:
I. the name, date and place of birth, address and, where available, personal identification number or registration number and the respective share of capital and voting rights of all of its direct or indirect shareholders or members and beneficial owners’;
Ii. information on any shareholders agreements
Ii. the information referred to in Guideline 15(2)(c) in relation to the shareholders exercising or who may exercise significant influence.
Again, this is incredibly invasive and is not proportionate to the risk posed by the services provided by a payments institution
15.3.o annual financial statements, at the individual and, where applicable, at the consolidated and sub-consolidated group levels, for the last three financial years, where the legal person or entity has been in operation for that period of time..
Again, does not seem proportionate to the risk posed by the services provided by a payments institution
15.5. The application should set out a detailed explanation on the specific sources of funding for the participation of each person or entity having a qualifying holding in the applicant’s capital, which should include…
Not risk based, particularly where the funding may come from an authorised entity such as a fund. Scope should be given where a supervising authority is concerned about the source of funding to ask for further details. For the majority of legitimate firms, this is overly burdensome. Given other requirements in this section to understand the activities (i.e. through a CV or description of business activities) of each natural or legal person with qualifying holdings, this should be sufficient to establish source of funds.
Question 4: Do you agree with the Guidelines on information required from applicants for the authorisation as payment institutions for the provision of services 1-8 of Annex I of PSD2, as set out in chapter 4.1? If not, please provide your reasoning.
While we appreciate that the Guidelines are meant to provide clarity to applicants, there are a number of areas where we are concerned with the level of information required, and the scope with relation to PSD2.3.1 c.iii, 3.1 d, 12.1 g, and other sub-paragraphs referencing draft contracts
This adds an unnecessary burden to applicants. Instead, would suggest that the applicant be required to put in place adequate governance measures regarding any contracts or relationships with third-party suppliers. The applicant should demonstrate how these governance procedures will work, and how they will ensure compliance with the applicant’s obligations.
4.1.a Requirements for a detailed marketing plan
This goes beyond the scope of PSD2, as it is not mentioned in the Directive. Instead, the applicant should provide clear reasoning in the business plan that there is an addressable market and that the business is sustainable.
5.1.g ‘a list of all natural or legal persons that have close links with the applicant, indicating their identity and the nature of those links’
There is nothing in PSD2 Article 5 which specifies this requirement. This requirement has an overly broad scope.
7.1.d ‘ a copy of the draft contract with credit institution, including explicit declaration of compliance with Article 10 of PSD2.’
While it is the responsibility of the applicant to ensure customer funds are safeguarded, it is unclear in this paragraph who should be making an ‘explicit declaration’. Rather than a draft contract, a signed statement by the applicant firm that it will ensure client funds are safeguarded in line with the regulation would accomplish the same task without the necessity of the signature of the credit institution, especially given that it is the applicant’s obligation and not the credit institution’s.
8.1.c ‘a confirmation of the regulatory reporting requirements that apply to the applicant’
This is odd. Perhaps change to ‘confirmation that the applicant will fulfil regulatory reporting requirements’, rather than requiring the applicant to list the requirements. This would also be future-proofed against any changes to reporting requirements that may arise.
13.1. C. ‘an exhaustive list of authorised connections from outside with partners, service providers, entities of the group and employees of the applicant working remotely, including the rationale for such connection’
This paragraph has an incredibly wide scope, doesn’t take into account the practicality of fulfilling this requirement, which is overly onerous. Large number of service providers across the product - banking connections, cybersecurity providers, cloud service providers, data/statistical software providers, infrastructure providers, etc.
Instead, we suggest that the focus be on paragraph 13.1 D, requiring the applicant ensure there are measures in place to assess and rationalise the access and connections that are allowed, and put in place mechanisms to prevent unauthorised access.
15.1 c. ‘a list of the names of all persons and other entities that have or will, in case of authorisation have qualifying holdings in the applicant’s capital, indicating in respect of each such person or entity:..’
It is sufficient for the supervising authority to know who has qualifying holdings, their identity and their suitability. If the aim of this requirement is to establish what persons or entities may have a ‘controlling interest’ and the level of such ‘control’, it may be more helpful to ask the question directly rather than asking for a detailed list of shares, security interests, premiums, etc.
15.2.e ‘the current financial position of the person, including details concerning sources of revenues, assets and liabilities, security interests and guarantees, whether granted or received;
15.2.g ‘financial information, including credit ratings and publicly available reports on any undertakings directed or owned by the person
These are overly invasive requirements which go well beyond what is written in PSD2, and are particularly concerning for authorised venture capital funds that may have a qualifying holding. This would make any investor pause before investing in a payments institution start up. In the case of a venture capital fund, there would be an long list of ‘undertakings directed or owned by the person’ and it would be unfair for the other companies who are in a given fund’s portfolio to be required to share their financial information for the licensing application of a completely unrelated company.
15.3.j. The shareholding structure of the legal person, including at least:
I. the name, date and place of birth, address and, where available, personal identification number or registration number and the respective share of capital and voting rights of all of its direct or indirect shareholders or members and beneficial owners’;
Ii. information on any shareholders agreements
Ii. the information referred to in Guideline 15(2)(c) in relation to the shareholders exercising or who may exercise significant influence.
Again, this is incredibly invasive and is not proportionate to the risk posed by the services provided by a payments institution
15.3.o annual financial statements, at the individual and, where applicable, at the consolidated and sub-consolidated group levels, for the last three financial years, where the legal person or entity has been in operation for that period of time..
Again, does not seem proportionate to the risk posed by the services provided by a payments institution
15.5. The application should set out a detailed explanation on the specific sources of funding for the participation of each person or entity having a qualifying holding in the applicant’s capital, which should include…
Not risk based, particularly where the funding may come from an authorised entity such as a fund. Scope should be given where a supervising authority is concerned about the source of funding to ask for further details. For the majority of legitimate firms, this is overly burdensome. Given other requirements in this section to understand the activities (i.e. through a CV or description of business activities) of each natural or legal person with qualifying holdings, this should be sufficient to establish source of funds.