Response to consultation on Guidelines on authorisation and registration under PSD2
1. Paragraph 1.4: this guideline suggests that Article 5(1)(n) PSD2 applies “regardless of the institution’s size, internal organization and the nature, scope and complexity...”. This is an overstatement of the provision in PSD2, which is silent on the impact of size, complexity etc. Whilst reputation would be expected to be good irrespective of firm size, experience and knowledge would be expected to vary with the type of firm. A large complex firm will hire a more experienced professional, whereas a small startup may require limited knowledge and experience.
2. Paragraph 1.5: it is not clear why ‘personal data’ is distinguished from other data for confidentiality. Applicants will expect all data to be subject to professional secrecy obligations as set out under PSD2 Article 24(1).
3. Paragraph 3.1(c)(i): requests copies of all draft contracts between the different parties (where these exist). It is not clear whether CAs will be expected to review these contracts for compliance with different regulatory expectations. Having asked for and received the contracts, any absence of comment may then be regarded as approval or implied consent.
Furthermore, the request for ‘draft’ contracts suggests that applicants should not have finalized agreements with third parties prior to application; a practically onerous requirement, as systems have to be put in place, integration projects put in place, systems tested etc.
It is likely that contracts will be mostly finalized, in which case there will also be limited opportunity to revise the contracts in the event of comment.
We suggest that contracts only be sought where required, and that applicants be responsible for meeting regulatory expectations in respect of their provisions.
4. Paragraph 3.1(e): this requests information about premises from which activities ‘related to the provision of payment services would be carried out’. This is a broad requirement that could capture any activity undertaken by the applicant at all. We suggest narrowing this down to premises from which the payment service would be offered.
5. Paragraph 3.1(h): the requirement to indicate whether the applicant intends to provide other business activities in the future should be accompanied by a time limit. Applicants rarely know future business plans with any certainty beyond 2 years or so. Specifying a 2-3 year period would correspond to the period of the financial forecast and be reasonable.
6. Paragraph 5.2(e): this guideline suggests that a summary of the mandate is required, but then requests the full mandate. We refer to our comments above in relation to the review of contractual agreements.
7. Paragraph 6.1(c): given that regulatory reporting requirements are set by the CA, it is not clear why the applicant would state these in the application.
8. Paragraph 8.1: the definition of ‘sensitive payment data’ set out at PSD2 paragraph 4(32) is overly broad, describing such data as data that can be used to perpetrate fraud. This makes the requirements elaborated under paragraph 10.1 of the Guidelines overly onerous, as a definitive list of data would be almost impossible to collate, let alone the procedure for authorizing access to each element. Similarly, other requirements set out at paragraphs (c) to (i) all become onerous when applied to each individual data element that can be considered ‘sensitive payment data’.
We suggest refraining from seeking a comprehensive elaboration of such data, and leaving the application of appropriate security measures to the applicant, to be implemented where appropriate. The broad approach can still be assessed, and a view taken as to the applicant’s understanding of the obligations.
9. Paragraph 10.1(c): the request for an ‘exhaustive list of authorized connections’ including all employees is excessive, particularly as this is unlikely to be of much value to the reviewing CA.
10. The additional requirement at 10.1(d) to set out controls, their nature and frequency for each such connection etc. expands on an already excessive requirement, and the value of setting such information out in the application is not demonstrated.
11. It is significant that Guideline 11.1 requires a detailed assessment of the competence of senior managers and directors. There should therefore be some reliance on the ability of such staff to deliver the security arrangements necessary, and a refrain from seeking an overly detailed account of the security processes adopted as set out at paragraph 10.1.
12. Paragraph 11.1(b)(ii) makes reference to joint EBA ESMA Guidelines that are yet to be published. It is of course impossible to comment on the suitability or proportionality of these guidelines in the present context. We suggest their application should be subject to a separate consultation before they are incorporated into the present Guidelines.
Paragraph 1.4: this guideline suggests that Article 5(1)(n) PSD2 applies to electronic money institutions “regardless of the institution’s size, internal organization and the nature, scope and complexity...”. This is an overstatement of the provision in PSD2 which is silent on the impact of size, complexity etc. Whilst reputation would be expected to be good irrespective of firm size, experience and knowledge would be expected to vary with the type of firm. A large complex firm will hire a more experienced professional, whereas a small startup may require limited knowledge and experience.
Paragraph 1.5: it is not clear why ‘personal data’ is distinguished from other data for confidentiality. Applicants will expect all data to be subject to professional secrecy obligations as set out under PSD2 Article 24(1).
Paragraph 3.1(c): the meaning of this paragraph requires clarification, without which it is not possible for the EMA to comment.
Paragraph 3.1(e)(3): requests copies of all draft contracts between the different parties. It is not clear whether CAs will be expected to review these contracts for compliance with different regulatory expectations. Having asked for and received the contracts, any absence of comment may then be regarded as approval or implied consent.
Furthermore, the request for ‘draft’ contracts suggests that applicants should not have finalized agreements with third parties prior to application; a practically onerous requirement, as systems have to be put in place, integration projects put in place, systems tested etc.
It is likely that contracts will be mostly finalized, in which case there will also be limited opportunity to revise the contracts in the event of comment.
We suggest that contracts only be sought where required, and that applicants be responsible for meeting regulatory expectations in respect of their provisions.
Paragraph 3.1(g): this requests information about premises from which activities ‘related to the provision of payment services would be carried out’. This is a broad requirement that could capture any activity undertaken by the applicant at all. We suggest narrowing this down to premises from which the payment service would be offered.
Paragraph 3.1(k): the requirement to indicate whether the applicant intends to provide other business activities in the future should be accompanied by a time limit. Applicants rarely know future business plans with any certainty beyond 2 years or so. Specifying a 2-3 year period would correspond to the period of the financial forecast and be reasonable.
Paragraph 5.1(e)(i): the meaning of this paragraph requires clarification.
Paragraph 5.1(e)(iii): this guideline suggests that a summary of the mandate is required, but then requests the full mandate. We refer to our comments above in relation to the review of contractual agreements.
Paragraph 7.1(d): requires an explicit declaration of compliance with Article 10 of PSD2 on safeguarding. It is not clear which party is required to make the declaration, so it is assumed it is the EMI. The bank is in no position to make such a declaration, although it could confirm that it recognizes the purpose of the account is safeguarding and that it will not exercise any right of set-off against this account. We suggest the responsible party is clarified, and if it is the bank, that the requirement is qualified as set out above.
Paragraph 8.1(c): given that regulatory reporting requirements are set by the CA, it is not clear why the applicant would state these in the application.
Paragraph 10.1: the definition of sensitive payment data set out at PSD2 paragraph 4(32) is overly broad, describing such data as data that can be used to perpetrate fraud. This makes the requirements elaborated under paragraph 10.1 of the Guidelines overly onerous as a definitive list of data would be almost impossible to collate, let alone the procedure for authorizing access to each element. Similarly other requirements set out at paragraphs (c) to (i) all become onerous when applied to each individual data element that can be considered ‘sensitive payment data’.
We suggest refraining from seeking a comprehensive elaboration of such data, and leaving the application of appropriate security measures to the applicant, to be implemented where appropriate. The broad approach can still be assessed, and a view taken as to the applicant’s understanding of the obligations.
Guideline 12: the level of detail requested is again onerous. Sight of a fraud manual at the point of application for example is excessive, particularly given that much of the value will be collated over time.
Paragraph 13.1(c): the request for an ‘exhaustive list of authorized connections’ including all employees is excessive, particularly as this is unlikely to be of much value to the reviewing CA.
The additional requirement at 13.1(d) to set out controls, their nature and frequency for each such connection etc. expands on an already excessive requirement, and the value of setting such information out in the application is not demonstrated.
It is significant that Guideline 16.1 requires a detailed assessment of the competence of senior managers and directors. There should therefore be some reliance on the ability of such staff to deliver the security arrangements necessary, and a refrain from seeking an overly detailed account of the security processes adopted as set out at paragraph 13.1.
Paragraph 14.1(c): this paragraph implies that all agents and distributors will comprise establishments and that they must therefore comply with local host AML obligations. This is not the case, and this proposition is not supported by EU law. The test for establishment and for host AML compliance is more nuanced, and this requirement should be qualified with ‘established’ rather than ‘located’. This would be more consistent with PSD2 which distinguishes agents that are established from other agents – see for example PSD2 Article 29.
Paragraph 15.1(c): paragraphs (iii) to (v) are excessive, seeking the premium paid, security interest and finally ‘comfort letters’ that may have been provided by controllers. Whilst these may be appropriate in some circumstances, it appears disproportionate to require all applicants to submit this information.
Paragraph 15.2(e): the requirement for a detailed account of the controller’s financial position including assets, liabilities, security interests and guarantees is disproportionate and is likely to dissuade many investors from participating in a startup. A broad overview of income and interests is more appropriate and more consistent with the nature of the risk that is being addressed.
Paragraph 15.2(f) and (g): the requirement for a description of the business activities of a controller could similarly be provided in broad terms, but comfort is sought that this does not require a detailed account of other business interests. Such a requirement will prove onerous to many investors, particularly where the investment is undertaken through a fund or VC arrangement. Paragraph (g) appears to require an extensive account of each other undertaking held by such individuals. This is likely to be time consuming, onerous for the investor and of limited value in the application process.
To this end, we would like to draw a distinction between investing in a PI or EMI and investing in a credit institution where there is significant credit risk. EMIs and PIs do not lend out customers’ funds, and so have a limited prudential exposure related to the proper running of the institution. Furthermore, users’ funds are subject to strict safeguarding requirements. There is little likelihood that the investors would be called upon to make good losses incurred by the institution in respect of users. There may be a call for investment, but this will be a commercial matter, not a shortfall in respect of users’ funds.
We do not therefore think it appropriate to seek comfort letters, or detailed accounts of controllers’ other business interests other than is strictly necessary to establish fitness, propriety and financial soundness. PSD2 refers to evidence of their suitability with a view to sound and prudent management of the institution. It would not appear to be relevant to seek a detailed assessment of a controller’s other interests. An overall view would appear to be sufficient and consistent with the nature of a PI/EMI’s business, and the role played by a controller in such a financial institution.
1. Paragraph 1.1: the reference to ‘all the information needed’ can be made more specific by reference to information set out in these Guidelines. Furthermore, this can be further clarified, as being subject to the size and complexity of the business of the applicant.
2. Paragraph 1.5: updating the application is a reasonable provision, but would benefit from proportionality. The updating should relate to information pertinent to the authorization assessment, and need not relate to trivial information or information of no significance.
3. Furthermore, whilst information held by the CA may be relied upon, the applicant may not be aware of what information is held by the CA. This would again benefit from qualification to information of which the applicant is aware and is pertinent to the application.
Question 1: Do you consider the objectives of the Guidelines as identified by the EBA to be plausible and complete? If not, please provide your reasoning.
The objectives are reasonable, but there is some concern that in trying to create a ‘level playing field’ of requirements across the EU, there is a decrease in the ability of applicants to provide information that is proportionate to the size and complexity of their businesses. Under the current guidelines a 2-man money remittance PI would be expected to produce the same set of documents as a multinational payments business.
Whilst the allowance introduced at Guideline 1.4 does calibrate the processes and controls adopted to the size and complexity of the business, the detailed elements of the submission are unchanged.
It is also unclear at what point in time the guidelines will apply to applicants. Would the guidelines apply to applicants who have submitted but not yet been authorized at the time of coming into force? Or would they only apply to prospective applicants following coming into force? We believe the latter is the more reasonable approach, but would benefit from confirmation.
Question 2: Do you agree with the options the EBA has chosen regarding the identification of payment services by the applicant; the way information is to be submitted to the competent authority; the four-part structure of the Guidelines, and the inclusion of authorisation for electronic money institutions? If not, please provide your reasoning.
The EMA is supportive of the structure of the Guidelines.
There is however benefit in setting out guidelines on the regulatory analysis of what types of services are comprised in the different payment services set out in Annex 1 to PSD2. It is agreed that these cannot be ‘comprehensive’, but they will nevertheless help guide applicants, and will reduce the need for seeking clarification from the regulator.
Question 3: Do you consider it helpful how the EBA has incorporated proportionality measures in the Guidelines in line with PSD2? If not, please explain your reasoning and propose alternative approaches.
Guideline 1.4 is helpful and will encourage firms to tailor the account of their systems to the size and complexity of their business. This could be strengthened by broadening the guidance to add: “…and when providing an account of their business” as a means of adding proportionality to the scope of documentation that may be submitted – as set out in our answer to Question 1.
Question 4: Do you agree with the Guidelines on information required from applicants for the authorisation as payment institutions for the provision of services 1-8 of Annex I of PSD2, as set out in chapter 4.1? If not, please provide your reasoning.
The following are comments on individual provisions:
Paragraph 1.4: this Guideline suggests that Article 5(1)(n) PSD2 applies “regardless of the institution’s size, internal organization and the nature, scope and complexity...”. This is an overstatement of the provision in PSD2, which is silent on the impact of size, complexity etc. Whilst reputation would be expected to be good, irrespective of firm size, experience and knowledge would be expected to vary with the type of firm. A large complex firm will hire a more experienced professional, whereas a small startup may require limited knowledge and experience.
Paragraph 1.5: it is not clear why ‘personal data’ is distinguished from other data for confidentiality. Applicants will expect all data to be subject to professional secrecy obligations as set out under PSD2 Article 24(1).
Paragraph 3.1(c)(3): requests copies of all draft contracts between the different parties. It is not clear whether CAs will be expected to review these contracts for compliance with different regulatory expectations. Having asked for and received the contracts, any absence of comment may then be regarded as approval or implied consent.
Furthermore, the request for ‘draft’ contracts suggests that applicants should not have finalized agreements with third parties prior to application; a practically onerous requirement, as systems have to be put in place, integration projects put in place, systems tested etc.
It is likely that contracts will be mostly finalized, in which case there will also be limited opportunity to revise the contracts in the event of comment.
Paragraph 3.1(e): this requests information about premises from which activities ‘related to the provision of payment services would be carried out’. This is a broad requirement that could capture any activity undertaken by the applicant at all. We suggest narrowing this down to premises from which the payment service would be offered.
Paragraph 3.1(i): the requirement to indicate whether the applicant intends to provide other business activities in the future should be accompanied by a time limit. Applicants rarely know future business plans with any certainty beyond 2 years or so. Specifying a 2-3 year period would correspond to the period of the financial forecast and be reasonable.
Paragraph 5.1(e)(iii): this Guideline suggests that a summary of the mandate is required, but then requests the full mandate. We refer to our comments above in relation to the review of contractual agreements.
Paragraph 7.1(d): requires an explicit declaration of compliance with Article 10 of PSD2 on safeguarding. It is not clear which party is required to make the declaration, so it is assumed it is the PI. The bank is in no position to make such a declaration, although it could confirm that it recognizes the purpose of the account is safeguarding and that it will not exercise any right of set-off against this account. We suggest the responsible party is clarified in the text, and if it is the bank, that the requirement is qualified as set out above.
Paragraph 8.1(c): given that regulatory reporting requirements are set by the CA, it is not clear why the applicant would state these in the application.
Paragraph 10.1: the definition of sensitive payment data set out at PSD2 paragraph 4(32) is overly broad, describing such data as data that can be used to perpetrate fraud. This makes the requirements elaborated under paragraph 10.1 of the Guidelines overly onerous, as a definitive list of data would be almost impossible to collate, let alone the procedure for authorizing access to each element. Similarly other requirements set out at paragraphs (c) to (i) all become onerous when applied to each individual data element that can be considered ‘sensitive payment data’.
We suggest the Guidelines should refrain from seeking a comprehensive elaboration of such data, and leave the application of appropriate security measures to the applicant, to be implemented where appropriate. The broad approach can still be assessed, and a view taken as to the applicant’s understanding of the obligations.
Guideline 12: the level of detail requested is again onerous. Sight of a fraud manual at the point of application for example is excessive, particularly given that much of the value will be collated over time.
Paragraph 13.1(c): the request for an ‘exhaustive list of authorized connections’ including all employees is excessive, particularly as this is unlikely to be of much value to the reviewing CA.
The additional requirement at 13.1(d) to set out controls, their nature and frequency for each such connection etc. expands on an already excessive requirement, and the value of setting such information out in the application is not demonstrated.
It is significant that Guideline 16.1 requires a detailed assessment of the competence of senior managers and directors. There should therefore be some reliance on the ability of such staff to deliver the security arrangements necessary, and a refrain from seeking an overly detailed account of the security processes adopted as set out at paragraph 13.1.
Paragraph 14.1(c): this paragraph implies that all agents will comprise establishments and that they must therefore comply with local host AML obligations. This is not the case, and this proposition is not supported by EU law. The test for establishment and for host AML compliance is more nuanced, and this requirement should be qualified with ‘established’ rather than ‘located’. This would be more consistent with PSD2, which distinguishes agents that are established from other agents – see for example PSD2 Article 29.
Paragraph 15.1(c): paragraphs (iii) to (v) are excessive, seeking the premium paid, security interest and finally ‘comfort letters’ that may have been provided by controllers. Whilst these may be appropriate in some circumstances, it appears disproportionate to require all applicants to submit this information.
Paragraph 15.2(e): the requirement for a detailed account of the controller’s financial position including assets, liabilities, security interests and guarantees is disproportionate and is likely to dissuade many investors from participating in a startup. A broad overview of income and interests is more appropriate and more consistent with the nature of the risk that is being addressed.
Paragraph 15.2(f) and (g): the requirement for a description of the business activities of a controller could similarly be provided in broad terms, but comfort is sought that this does not require a detailed account of other business interests. Such a requirement will prove onerous to many investors, particularly where the investment is undertaken through a fund or VC arrangement. Paragraph (g) appears to require an extensive account of each other undertaking held by such individuals. This is likely to be time consuming, onerous for the investor and of limited value in the application process.
To this end, we would like to draw a distinction between investing in a PI or an EMI, and investing in a credit institution where there is significant credit risk. EMIs and PIs do not lend out customers’ funds, and so have a limited prudential exposure related to the proper running of the institution. Furthermore, users’ funds are subject to strict safeguarding requirements. There is little likelihood that investors would be called upon to make good losses incurred by the institution in respect of users. There may be a call for investment, but this will be a commercial matter, not a shortfall in respect of users’ funds.
We do not therefore think it appropriate to seek comfort letters, or detailed accounts of controllers’ other business interests other than is strictly necessary to establish fitness, propriety and financial soundness. PSD2 refers to evidence of their suitability with a view to sound and prudent management of the institution. It would not appear to be relevant to seek a detailed assessment of a controller’s other interests. An overall view would appear to be sufficient and consistent with the nature of a PI’s business, and the role played by a controller in such a financial institution.
Paragraph 16.1(c)(ii) makes reference to joint EBA ESMA Guidelines that are yet to be published. It is of course impossible to comment on the suitability or proportionality of these guidelines in the present context. We suggest their application should be subject to a separate consultation before they are incorporated into the present Guidelines.
Question 5: Do you agree with the Guidelines on information required from applicants for registration for the provision of only service 8 of Annex I PSD2 (account information services), as set out in chapter 4.2? If not, please provide your reasoning.
The following are responses to individual provisions.
1. Paragraph 1.4: this guideline suggests that Article 5(1)(n) PSD2 applies “regardless of the institution’s size, internal organization and the nature, scope and complexity...”. This is an overstatement of the provision in PSD2, which is silent on the impact of size, complexity etc. Whilst reputation would be expected to be good irrespective of firm size, experience and knowledge would be expected to vary with the type of firm. A large complex firm will hire a more experienced professional, whereas a small startup may require limited knowledge and experience.
2. Paragraph 1.5: it is not clear why ‘personal data’ is distinguished from other data for confidentiality. Applicants will expect all data to be subject to professional secrecy obligations as set out under PSD2 Article 24(1).
3. Paragraph 3.1(c)(i): requests copies of all draft contracts between the different parties (where these exist). It is not clear whether CAs will be expected to review these contracts for compliance with different regulatory expectations. Having asked for, and received, the contracts, any absence of comment may then be regarded as approval or implied consent.
Furthermore, the request for ‘draft’ contracts suggests that applicants should not have finalized agreements with third parties prior to application, a practically onerous requirement, as systems have to be put in place, integration projects undertaken, systems tested etc.
It is likely that contracts will be mostly finalized, in which case there will also be limited opportunity to revise the contracts in the event of comment.
We suggest that contracts only be sought where required, and that applicants be responsible for meeting regulatory expectations in respect of their provisions.
4. Paragraph 3.1(e): this requests information about premises from which activities ‘related to the provision of payment services would be carried out’. This is a broad requirement that could capture any activity undertaken by the applicant at all. We suggest narrowing this down to premises from which the payment service would be offered.
5. Paragraph 3.1(h): the requirement to indicate whether the applicant intends to provide other business activities in the future should be accompanied by a time limit. Applicants rarely know future business plans with any certainty beyond 2 years or so. Specifying a 2-3 year period would correspond to the period of the financial forecast and be reasonable.
6. Paragraph 5.2(e): this guideline suggests that a summary of the mandate is required, but then requests the full mandate. We refer to our comments above in relation to the review of contractual agreements.
7. Paragraph 6.1(c): given that regulatory reporting requirements are set by the CA, it is not clear why the applicant would state these in the application.
8. Paragraph 8.1: the definition of ‘sensitive payment data’ set out at PSD2 paragraph 4(32) is overly broad, describing such data as data that can be used to perpetrate fraud. This makes the requirements elaborated under paragraph 10.1 of the Guidelines overly onerous, as a definitive list of data would be almost impossible to collate, let alone the procedure for authorizing access to each element. Similarly, other requirements set out at paragraphs (c) to (i) all become onerous when applied to each individual data element that can be considered ‘sensitive payment data’.
We suggest refraining from seeking a comprehensive elaboration of such data, and leaving the application of appropriate security measures to the applicant, to be implemented where appropriate. The broad approach can still be assessed, and a view taken as to the applicant’s understanding of the obligations.
9. Paragraph 10.1(c): the request for an ‘exhaustive list of authorized connections’ including all employees is excessive, particularly as this is unlikely to be of much value to the reviewing CA.
10. The additional requirement at 10.1(d) to set out controls, their nature and frequency for each such connection etc. expands on an already excessive requirement, and the value of setting such information out in the application is not demonstrated.
11. It is significant that Guideline 11.1 requires a detailed assessment of the competence of senior managers and directors. There should therefore be some reliance placed on the ability of such staff to deliver the security arrangements necessary, and a refrain from seeking an overly detailed account of the security processes adopted as set out at paragraph 10.1.
12. Paragraph 11.1(b)(ii) makes reference to joint EBA ESMA Guidelines that are yet to be published. It is of course impossible to comment on the suitability or proportionality of these guidelines in the present context. We suggest their application should be subject to a separate consultation before they are incorporated into the present Guidelines.
Question 6: Do you agree with the Guidelines on information requirements for applicants for authorisation as electronic money institutions, as set out in chapter 4.3? If not, please provide your reasoning.
The following are responses to individual provisions.
Paragraph 1.4: this guideline suggests that Article 5(1)(n) PSD2 applies to electronic money institutions “regardless of the institution’s size, internal organization and the nature, scope and complexity...”. This is an overstatement of the provision in PSD2, which is silent on the impact of size, complexity etc. Whilst reputation would be expected to be good irrespective of firm size, experience and knowledge would be expected to vary with the type of firm. A large complex firm will hire a more experienced professional, whereas a small startup may require limited knowledge and experience.
Paragraph 1.5: it is not clear why ‘personal data’ is distinguished from other data for confidentiality. Applicants will expect all data to be subject to professional secrecy obligations as set out under PSD2 Article 24(1).
Paragraph 3.1(c): the meaning of this paragraph requires clarification, without which it is not possible for the EMA to comment.
Paragraph 3.1(e)(3): requests copies of all draft contracts between the different parties. It is not clear whether CAs will be expected to review these contracts for compliance with different regulatory expectations. Having asked for, and received, the contracts, absence of comment may then be regarded as approval or implied consent.
Furthermore, the request for ‘draft’ contracts suggests that applicants should not have finalized agreements with third parties prior to application, a practically onerous requirement, as systems have to be put in place, integration projects undertaken, systems tested etc.
It is likely that contracts will be mostly finalized, in which case there will also be limited opportunity to revise the contracts in the event of comment.
We suggest that contracts only be sought where required, and that applicants be responsible for meeting regulatory expectations in respect of their provisions.
Paragraph 3.1(g): this requests information about premises from which activities ‘related to the provision of payment services would be carried out’. This is a broad requirement that could capture any activity undertaken by the applicant at all. We suggest narrowing this down to premises from which the payment service would be offered.
Paragraph 3.1(k): the requirement to indicate whether the applicant intends to provide other business activities in the future should be accompanied by a time limit. Applicants rarely know future business plans with any certainty beyond 2 years or so. Specifying a 2-3 year period would correspond to the period of the financial forecast and be reasonable.
Paragraph 5.1(e)(i): the meaning of this paragraph requires clarification.
Paragraph 5.1(e)(iii): this guideline suggests that a summary of the mandate is required, but then requests the full mandate. We refer to our comments above in relation to the review of contractual agreements.
Paragraph 7.1(d): requires an explicit declaration of compliance with Article 10 of PSD2 on safeguarding. It is not clear which party is required to make the declaration; it is assumed it is the EMI. The bank is in no position to make such a declaration, although it could confirm that it recognizes the purpose of the account is safeguarding and that it will not exercise any right of set-off against this account. We suggest the responsible party is clarified, and if it is the bank, that the requirement is qualified as set out above.
Paragraph 8.1(c): given that regulatory reporting requirements are set by the CA, it is not clear why the applicant would state these in the application.
Paragraph 10.1: the definition of sensitive payment data set out at PSD2 paragraph 4(32) is overly broad, describing such data as data that can be used to perpetrate fraud. This makes the requirements elaborated under paragraph 10.1 of the Guidelines overly onerous, as a definitive list of data would be almost impossible to collate, let alone the procedure for authorizing access to each element. Similarly, other requirements set out at paragraphs (c) to (i) all become onerous when applied to each individual data element that can be considered ‘sensitive payment data’.
We suggest refraining from seeking a comprehensive elaboration of such data, and leaving the application of appropriate security measures to the applicant, to be implemented where appropriate. The broad approach can still be assessed, and a view taken as to the applicant’s understanding of the obligations.
Guideline 12: the level of detail requested is again onerous. Sight of a fraud manual at the point of application for example is excessive, particularly given that much of the value will be collated over time.
Paragraph 13.1(c): the request for an ‘exhaustive list of authorized connections’ including all employees is excessive, particularly as this is unlikely to be of much value to the reviewing CA.
The additional requirement at 13.1(d) to set out controls, their nature and frequency for each such connection etc. expands on an already excessive requirement, and the value of setting such information out in the application is not demonstrated.
It is significant that Guideline 16.1 requires a detailed assessment of the competence of senior managers and directors. There should therefore be some reliance placed on the ability of such staff to deliver the security arrangements necessary, and a refrain from seeking an overly detailed account of the security processes adopted as set out at paragraph 13.1.
Paragraph 14.1(c): this paragraph implies that all agents and distributors will comprise establishments and that they must therefore comply with local host AML obligations. This is not the case, and this proposition is not supported by EU law. The test for establishment and for host AML compliance is more nuanced, and this requirement should be qualified with ‘established’ rather than ‘located’. This would be more consistent with PSD2, which distinguishes agents that are established from other agents – see for example PSD2 Article 29.
Paragraph 15.1(c): paragraphs (iii) to (v) are excessive, seeking the premium paid, security interest and finally ‘comfort letters’ that may have been provided by controllers. Whilst these may be appropriate in some circumstances, it appears disproportionate to require all applicants to submit this information.
Paragraph 15.2(e): the requirement for a detailed account of the controller’s financial position including assets, liabilities, security interests and guarantees is disproportionate and is likely to dissuade many investors from participating in a startup. A broad overview of income and interests is more appropriate and more consistent with the nature of the risk that is being addressed.
Paragraph 15.2(f) and (g): the requirement for a description of the business activities of a controller could similarly be provided in broad terms, but comfort is sought that this does not require a detailed account of other business interests. Such a requirement will prove onerous to many investors, particularly where the investment is undertaken through a fund or VC arrangement. Paragraph (g) appears to require an extensive account of each other undertaking held by such individuals. This is likely to be time consuming, onerous for the investor and of limited value in the application process.
To this end, we would like to draw a distinction between investing in a PI or EMI and investing in a credit institution where there is significant credit risk. EMIs and PIs do not lend out customers’ funds, and so have a limited prudential exposure related to the proper running of the institution. Furthermore, users’ funds are subject to strict safeguarding requirements. There is little likelihood that the investors would be called upon to make good losses incurred by the institution in respect of users. There may be a call for investment, but this will be a commercial matter, not a shortfall in respect of users’ funds.
We do not therefore think it appropriate to seek comfort letters, or detailed accounts of controllers’ other business interests other than is strictly necessary to establish fitness, propriety and financial soundness. PSD2 refers to evidence of their suitability with a view to sound and prudent management of the institution. It would not appear to be relevant to seek a detailed assessment of a controller’s other interests. An overall view would appear to be sufficient and consistent with the nature of a PI/EMI’s business, and the role played by a controller in such a financial institution.
Question 7: Do you consider the Guidelines regarding the assessment of completeness of the application, as set out in chapter 4.4 to be helpful? If not, please provide your reasoning.
The following are responses to individual provisions.
1. Paragraph 1.1: the reference to ‘all the information needed’ can be made more specific by reference to information set out in these Guidelines. Furthermore, this can be further clarified as being subject to the size and complexity of the business of the applicant.
2. Paragraph 1.5: updating the application is a reasonable provision, but would benefit from proportionality. The updating should relate to information pertinent to the authorization assessment, and need not relate to trivial information or information of no significance.
3. Furthermore, whilst information held by the CA may be relied upon, the applicant may not be aware of what information is held by the CA. This would again benefit from qualification to information of which the applicant is aware and is pertinent to the application.