Response to consultation on Guidelines on authorisation and registration under PSD2
Go back
The EACB welcomes the opportunity to participate in the public consultation on Draft Guidelines on the information to be provided for the authorisation as payment institutions and e-money institutions and for the registration as account information service providers.
First of all, the EACB would like to stress that credit institutions have the right to offer AIS / PIS services based on their credit institution status. An open question is how credit institutions will announce that they intend to function in that role. Do they have to make a specific notification to their national competent authority? To our knowledge there are no guidelines on how this should be done. Will it be all up to national Competent Authorities to decide on that without any European level guidelines or will there be no special requirements?
We would also like to point out the need to further clarify the process through which applicants should maintain their documentation up-to-date as their businesses evolve. The revised payment services directive (PSD2) only provides for the requirement to inform on the intention to expand services to other countries but there might be other reasons for updating documentation (e.g. changes affecting the business plan).
Finally, the EACB considers that the link between these Guidelines and the Guidelines on the criteria on how to stipulate the minimum monetary amount for professional indemnity insurance should be more clearly defined. Both should be read in conjunction to have the full picture of the authorisation/registration process.
Question 1:
The objectives of the Guidelines listed in the Rationale section of the document seem not to be fully exhaustive. Indeed, the list only refers to the objectives for applicants, for competent authorities and Member States, for Payment Service Users and for the European Banking Authority. The EACB considers that the objectives for ASPSP are missing in the current Draft. Co-operative banks would like to see explicitly mentioned that the Guidelines seek to strengthen the liability regime governing the interactions between the different actors involved in electronic payment transactions. From the perspective of ASPSP, the Guidelines should provide clear and precise rules allowing to increase the certainty with which ASPSP can take decision. Ultimately, the Guidelines will contribute to assure that the principle of legal certainty is met.
• Payment Instrument Issuing Service Provider (PIISP) should be included within the current draft Guidelines because they are subject to PSD2 provisions;
• Need to clarify which Guidelines are applicable for mixed Service Providers i.e. PIS providers acting also as AIS providers;
• Distinction between PIS and EMIs is not clear as shown by the fact that most guidelines are identical (besides of capital).
• The achievement of a level playing field for applicants being one of the main objectives of the Guidelines, the EACB believes that what is provided in rationale 27 and 28 (page 12) is too vague. PSD2 gives the possibility “under certain conditions” to waive even all information requirements, on national basis, a point further strengthened by EBA Guideline 1.4. In our view, these provisions are too lax. At minimum, there should be a compulsory set of information that must always be given, and cannot be waived, e.g. description of the payment services provided and information on anti-money laundering policies implementation.
• All requirements as laid down in these Guidelines should be followed by PSPs intending to operate in other than their home countries. A level playing field would never be created, if pan-European operators face different requirements depending on the country providing them with authorization.
• Guideline 1.4 refers to concepts such as the size of the institution or the scale of their operations which are objectively measurable. It would be helpful that the text provides for some indications of how payment institutions should assess these parameters for the purposes of applying the proportionality principle.
• Guideline 3/3.1: In our view it should be made even more clear that a PSP only operating as a PIS has no right to enter into possession of funds. In order to give Competent Authorities a better possibility to judge the applicants under 3.1. c, points i and ii should be compulsory also for PISs (as it can be used to verify that they do not enter into possession of funds). Therefore, we would like to omit the sentence “unless the applicant intends to provide PIS only”. In our view this is supported by the EBA observation on page 10 (point 16) that applicants tend to incorrectly identify the service they are intending to provide. Under point 3.1. c iv, it would be helpful to have further clarity on the concept of ’’different ways” (i.e. different channels?).
• Guideline 10: Article 66. 3. b) and e) of PSD2 set that PISP cannot exchange or store payment sensitive data. However Guideline 10 refers to information requirements that PISP have to fulfilled regarding the way they process payment sensitive data. The EACB would like to request EBA further clarity on how the rules set in PSD2 have to be understood in the light of Guideline 10. Indeed, the EACB wonders whether EBA is referring to payment sensitive data directly generated by the PISP and not originated by the ASPSP. Nevertheless, if according to EBA should there be a possibility for PISP to process sensitive payment data, the EACB welcomes Guideline 10 and wants to put forward the following comments.
• Guidelines 10-12: Guideline 10 refers to the information that applicants should provide regarding the way they process sensitive data. Furthermore, Guideline 12 also includes some requirements regarding the information that should be provided regarding the collection of statistical data. The EACB believes that the Guidelines should also refer to the use of non-sensitive data or non statistical data which could also be collected and used for commercial purposes. In this case, applicants would also need to provide information on what kind of data is being collected and how it is intended to be used (i.e. for commercial purposes?).
• Guideline 12: It is not clear why statistical data" should be collected in "relation to customers" as it is purely statistical, i.e. a distribution without any link to individual data. Therefore the EACB proposes the following wording:
‘’The applicant should provide a description of the principles and definitions applicable to the collection of the statistical data on performance, transaction and fraud consisting of the following information:
a) the type of data that is collected, in relation to type of payment service, channel, instrument, jurisdictions and currencies;’’
• Guideline 15: It refers to “qualified holdings” but under other consultations (on credit institutions, EBA CP2016/19 ) the corresponding level two act refers to “shareholders and qualified holdings”. What is the difference between these two – should there be one?
• In our view, applicants should also provide the details of a contact person that the ASPSP can approach. It would make sense for those situation where an ASPSP needs to approach the payment institution to get compensation for the funds credited to the PSU for falsely executed payments due to the payment institution’s error. This requirement could be added under Guidelines 2.1. or 9.1."
• Guideline 8: Article 67. 2. b) and e) of PSD2 set that AISP cannot exchange or request payment sensitive data. Furthermore, this prohibition seems to be supported by Article 22. 1. a) of the Draft RTS on authentication and communication that EBA presented for consultation in August 2016. However Guideline 8 refers to information requirements that AISP have to fulfilled regarding the way they process payment sensitive data. The EACB would like to request EBA further clarity on how the rules set in PSD2 have to be understood in the light of Guideline 8. Indeed, the EACB wonders whether EBA is referring to payment sensitive data directly generated by the AISP and not originated by the ASPSP. Nevertheless, if according to EBA should there be a possibility for AISP to process sensitive payment data, the EACB welcomes Guideline 10 and wants to put forward the following comments.
• Guidelines 8: Guideline 8 refers to the information that applicants should provide regarding the way they process sensitive data. The EACB believes that the Guidelines should also refer to the use of non-sensitive data which could also be collected and used for commercial purposes. In this case, applicants would also need to provide information on what kind of data is being collected and how it is intended to be used (i.e. for commercial purposes?).
• Guideline 17: In our view the Guideline 17 (page 40, for PSP offering annex 1-8 services) should also apply to AIS. Even if not in possession of funds nor initiating payments they are in any case handling sensitive data and thus should be subject to certain external controls.
• Guidelines 5.2. f: If AIS are not intended to handle money, the EACB doesn’t understand why they should have a possibility to link to payments system. In contrast, they are expected to link to ASPSP which are connected to payment systems. Payment systems do not hold accounts, ASPSPs do.
Question 1: Do you consider the objectives of the Guidelines as identified by the EBA to be plausible and complete? If not, please provide your reasoning.
General comments:The EACB welcomes the opportunity to participate in the public consultation on Draft Guidelines on the information to be provided for the authorisation as payment institutions and e-money institutions and for the registration as account information service providers.
First of all, the EACB would like to stress that credit institutions have the right to offer AIS / PIS services based on their credit institution status. An open question is how credit institutions will announce that they intend to function in that role. Do they have to make a specific notification to their national competent authority? To our knowledge there are no guidelines on how this should be done. Will it be all up to national Competent Authorities to decide on that without any European level guidelines or will there be no special requirements?
We would also like to point out the need to further clarify the process through which applicants should maintain their documentation up-to-date as their businesses evolve. The revised payment services directive (PSD2) only provides for the requirement to inform on the intention to expand services to other countries but there might be other reasons for updating documentation (e.g. changes affecting the business plan).
Finally, the EACB considers that the link between these Guidelines and the Guidelines on the criteria on how to stipulate the minimum monetary amount for professional indemnity insurance should be more clearly defined. Both should be read in conjunction to have the full picture of the authorisation/registration process.
Question 1:
The objectives of the Guidelines listed in the Rationale section of the document seem not to be fully exhaustive. Indeed, the list only refers to the objectives for applicants, for competent authorities and Member States, for Payment Service Users and for the European Banking Authority. The EACB considers that the objectives for ASPSP are missing in the current Draft. Co-operative banks would like to see explicitly mentioned that the Guidelines seek to strengthen the liability regime governing the interactions between the different actors involved in electronic payment transactions. From the perspective of ASPSP, the Guidelines should provide clear and precise rules allowing to increase the certainty with which ASPSP can take decision. Ultimately, the Guidelines will contribute to assure that the principle of legal certainty is met.
Question 2: Do you agree with the options the EBA has chosen regarding the identification of payment services by the applicant; the way information is to be submitted to the competent authority; the four-part structure of the Guidelines, and the inclusion of authorisation for electronic money institutions? If not, please provide your reasoning.
The EACB agrees with the options chosen by EBA regarding both the way information has to be submitted to the competent authority and the identification of the payment services by the applicant. Nevertheless, we would like to make some additional comments regarding the four-part structure of the Guidelines:• Payment Instrument Issuing Service Provider (PIISP) should be included within the current draft Guidelines because they are subject to PSD2 provisions;
• Need to clarify which Guidelines are applicable for mixed Service Providers i.e. PIS providers acting also as AIS providers;
• Distinction between PIS and EMIs is not clear as shown by the fact that most guidelines are identical (besides of capital).
Question 3: Do you consider it helpful how the EBA has incorporated proportionality measures in the Guidelines in line with PSD2? If not, please explain your reasoning and propose alternative approaches.
The EACB would like to make the following comments regarding how the proportionality principle has been incorporated in the framework of the Draft Guidelines:• The achievement of a level playing field for applicants being one of the main objectives of the Guidelines, the EACB believes that what is provided in rationale 27 and 28 (page 12) is too vague. PSD2 gives the possibility “under certain conditions” to waive even all information requirements, on national basis, a point further strengthened by EBA Guideline 1.4. In our view, these provisions are too lax. At minimum, there should be a compulsory set of information that must always be given, and cannot be waived, e.g. description of the payment services provided and information on anti-money laundering policies implementation.
• All requirements as laid down in these Guidelines should be followed by PSPs intending to operate in other than their home countries. A level playing field would never be created, if pan-European operators face different requirements depending on the country providing them with authorization.
• Guideline 1.4 refers to concepts such as the size of the institution or the scale of their operations which are objectively measurable. It would be helpful that the text provides for some indications of how payment institutions should assess these parameters for the purposes of applying the proportionality principle.
Question 4: Do you agree with the Guidelines on information required from applicants for the authorisation as payment institutions for the provision of services 1-8 of Annex I of PSD2, as set out in chapter 4.1? If not, please provide your reasoning.
The EACB would like to put forward the following observations relating to the information requirements set for the authorisation as payment institutions for the provision of services 1-8 of Annex I of PSD2:• Guideline 3/3.1: In our view it should be made even more clear that a PSP only operating as a PIS has no right to enter into possession of funds. In order to give Competent Authorities a better possibility to judge the applicants under 3.1. c, points i and ii should be compulsory also for PISs (as it can be used to verify that they do not enter into possession of funds). Therefore, we would like to omit the sentence “unless the applicant intends to provide PIS only”. In our view this is supported by the EBA observation on page 10 (point 16) that applicants tend to incorrectly identify the service they are intending to provide. Under point 3.1. c iv, it would be helpful to have further clarity on the concept of ’’different ways” (i.e. different channels?).
• Guideline 10: Article 66. 3. b) and e) of PSD2 set that PISP cannot exchange or store payment sensitive data. However Guideline 10 refers to information requirements that PISP have to fulfilled regarding the way they process payment sensitive data. The EACB would like to request EBA further clarity on how the rules set in PSD2 have to be understood in the light of Guideline 10. Indeed, the EACB wonders whether EBA is referring to payment sensitive data directly generated by the PISP and not originated by the ASPSP. Nevertheless, if according to EBA should there be a possibility for PISP to process sensitive payment data, the EACB welcomes Guideline 10 and wants to put forward the following comments.
• Guidelines 10-12: Guideline 10 refers to the information that applicants should provide regarding the way they process sensitive data. Furthermore, Guideline 12 also includes some requirements regarding the information that should be provided regarding the collection of statistical data. The EACB believes that the Guidelines should also refer to the use of non-sensitive data or non statistical data which could also be collected and used for commercial purposes. In this case, applicants would also need to provide information on what kind of data is being collected and how it is intended to be used (i.e. for commercial purposes?).
• Guideline 12: It is not clear why statistical data" should be collected in "relation to customers" as it is purely statistical, i.e. a distribution without any link to individual data. Therefore the EACB proposes the following wording:
‘’The applicant should provide a description of the principles and definitions applicable to the collection of the statistical data on performance, transaction and fraud consisting of the following information:
a) the type of data that is collected, in relation to type of payment service, channel, instrument, jurisdictions and currencies;’’
• Guideline 15: It refers to “qualified holdings” but under other consultations (on credit institutions, EBA CP2016/19 ) the corresponding level two act refers to “shareholders and qualified holdings”. What is the difference between these two – should there be one?
• In our view, applicants should also provide the details of a contact person that the ASPSP can approach. It would make sense for those situation where an ASPSP needs to approach the payment institution to get compensation for the funds credited to the PSU for falsely executed payments due to the payment institution’s error. This requirement could be added under Guidelines 2.1. or 9.1."
Question 5: Do you agree with the Guidelines on information required from applicants for registration for the provision of only service 8 of Annex I PSD2 (account information services), as set out in chapter 4.2? If not, please provide your reasoning.
The EACB would like to put forward the following observations relating to the information requirements set for the registration for the provision of only service 8 of Annex I of PSD2:• Guideline 8: Article 67. 2. b) and e) of PSD2 set that AISP cannot exchange or request payment sensitive data. Furthermore, this prohibition seems to be supported by Article 22. 1. a) of the Draft RTS on authentication and communication that EBA presented for consultation in August 2016. However Guideline 8 refers to information requirements that AISP have to fulfilled regarding the way they process payment sensitive data. The EACB would like to request EBA further clarity on how the rules set in PSD2 have to be understood in the light of Guideline 8. Indeed, the EACB wonders whether EBA is referring to payment sensitive data directly generated by the AISP and not originated by the ASPSP. Nevertheless, if according to EBA should there be a possibility for AISP to process sensitive payment data, the EACB welcomes Guideline 10 and wants to put forward the following comments.
• Guidelines 8: Guideline 8 refers to the information that applicants should provide regarding the way they process sensitive data. The EACB believes that the Guidelines should also refer to the use of non-sensitive data which could also be collected and used for commercial purposes. In this case, applicants would also need to provide information on what kind of data is being collected and how it is intended to be used (i.e. for commercial purposes?).
• Guideline 17: In our view the Guideline 17 (page 40, for PSP offering annex 1-8 services) should also apply to AIS. Even if not in possession of funds nor initiating payments they are in any case handling sensitive data and thus should be subject to certain external controls.
• Guidelines 5.2. f: If AIS are not intended to handle money, the EACB doesn’t understand why they should have a possibility to link to payments system. In contrast, they are expected to link to ASPSP which are connected to payment systems. Payment systems do not hold accounts, ASPSPs do.