The EMA is in agreement with the objectives generally, but does have a number of concerns:
Referring to the objectives as set out in the table starting on page 7 of the consultation paper (CP). Reference to ‘enhanced supervision’ for CA objectives, is unclear. There is no reference to enhancement of supervision in PSD2 text, but rather to (i) sharing of data for ‘information’ and statistical purposes and (ii) where agents and branches are established, to ensuring compliance with Titles III and IV and (iii) more generally, to ensure compliance with Title II – which is prudential in nature, as well as (iv) provisions in relation to infringement.
The first objective ensures the host MS CA is aware of business conducted in its territory whilst the second addresses consumer or conduct of business provisions that are applicable to an establishment. The third is largely the competence of the home CA and the fourth is similarly the competence of the home CA unless agents or branches are established in a host MS.
There is some concern that reference to enhanced supervision proposes additional competence for host member states over and above that explicitly set out in PSD2 text.
It would also be helpful to clarify the different extents of competence of home and host CAs in different circumstances, and to make this as one of the objectives of the RTS. These would include distinguishing cross border provision of payment services that involve establishment from those provided under a freedom to offer services, as well as those where an agent or branch is utilised from those that do not. Similarly, the significance, if any, of outsourced services being located in a host member state.
The use of standard forms, designated contact points, triggers and deadlines for notification, as well as joint on-site inspections are all helpful in forming a framework for data sharing and cooperation.
1. Article 7(7) appears to give the CA of the host member state the power to carry out on-site inspections of entities located in its territory, but without these necessarily being established in their territory. This may extend beyond the competence of a host member state regulator, and such a request should be restricted to instances where such entities are established in the host member state.
There is additionally no qualification on the type of entity subject to an onsite visit: it can be an agent, a branch or an outsourced service provider. This should again be qualified and restricted to established agents or branches.
2. Article 8 contemplates home and host supervisors informing one another of infringements immediately. There is no test regarding the seriousness of the infringement, and this is problematic, giving rise to either non-compliance by CAs or excessive correspondence, some of which could be trivial.
The framework and the form appear to provide a good basis for communication.
We continue to be concerned over the lack of a de minimus or threshold for notification with possible resultant confusion.
An infringement could for example relate to the underlying product, or it could be a term in a user contract, or it may be a corporate governance matter etc. Would all such infringements be treated equally, and be shared between CAs? This appears excessive. We propose additional guidance on the seriousness and type of matters that would be the subject of infringement information sharing.
Additionally, it would be helpful to make reference to the scope of competence of the different CAs. Article 100(4) of PSD2 distinguishes the scope of competence of home and host CAs, with host CAs only having competence where agents or branches are ‘established’ in their jurisdiction.
The alternative approaches to reporting may give member state CA a means of collecting data on business in their jurisdictions without having to collect data for every provider that passports into that member state. The EMA does not see any significant challenges to this approach.
The datasets that are requested under paragraph 10(2) however give rise to some concern:
Paragraphs (h) and (i) require break-down of transaction volumes and values by channel, and distinguish payments coming into and out of the member state. This seems excessive and is not usually required by home member state regulators.
The volume of data requested is excessive. Given that fraud data is separately subject to fraud reporting obligations to the home member state, and is broken down by member state, there is no need to collect it again here.
Separately, an interpretation is being made in the application of provisions that relate to payment institutions with branches and agents to electronic money institutions (EMIs). Article 111 applies these on a mutatis mutandis basis.
(i) It is unclear from the text whether it is suggested that EMIs with distributors, but no agents or branches in host member states are being brought within the scope of information requirements set out at Articles 10 and 11.
(ii) If that is the case, then the EMA wishes to set out its objections to such an interpretation based on the distinct nature of distributors. Whereas both agents and branches offer payment services on behalf of the payment institution, distributors do not. They are merely outsourced service providers that do not offer regulated services in the host member state. It is therefore unreasonable to equate distributors with either agents or branches or to consider such inclusion consistent with a ‘mutatis mutandis’ application of PSD2 provisions.
(iii) It is reasonable to apply the reporting obligations to EMIs with agents or branches in host member states, but not where the only activity relates to distribution.
The data required under Article 11 is particularly voluminous, and some of the data may be of little practical value.
An example is in the value of asking passporting firms about the number of times and the subject of amendments to framework contracts in a given period= Paragraph 11(1)(e).
Similarly, unless there is a problem with customer complaint handling, why require the procedure to be communicated to the CA? Paragraph 11(1)(d).
Incident reporting is already subject to home member state reporting obligations and is communicated via the EBA to host member states; this should not be required separately here - Paragraph 11(1)(f). Furthermore, this is a prudential regulatory matter, not a conduct of business matter and should be subject to host MS CA jurisdiction.