The EPC recommends that the central EBA Register should be updated in real-time (i.e. at the same time a register of a national competent authority (NCA) is updated) and that NCAs provide updates to the EBA in a real-time manner to ensure that account-servicing payment service providers (ASPSPs):
1. Can validate that a third-party service provider (TPP) is authorised to access the account information of a payment service user (PSU) and do not incorrectly block a TPP because the information is not retrieved from the NCA in a real-time manner. For example, when the NCA makes the authorisation status available one day later, the TPP will be blocked because the ASPSP does not have access to the information that the TPP has been authorised.
2. Do not allow a TPP whose authorisation has been revoked to access the account information of the PSU. Moreover, if an authorisation is revoked on a Friday then the EBA Register (if not real-time) will only be updated three days later. This gap creates a significant risk that the transactions processed during the weekend might have been initiated by an unauthorised entity.
3. Can mitigate risks in case of fraud linked to a particular TPP.
Moreover, differences between the central EBA Register and NCA registers would create unnecessary risk and confusion. As a result, payment service providers (PSPs) would not be able to rely on the EBA Register and instead would need to use an alternative source e.g. all NCA registers. In such a fall-back context the EPC would recommend that an initiative be undertaken by the EBA to maximize the harmonisation of the content and format of the NCA registers.
The absence of a fully functional and operational register may hinder the achievement of one of the main ambitions of PSD2.
The EPC is strongly in favour of adding the “machine-readable” functionality (4.2.21) and providing accessibility on a 24/7/365 basis to ensure a seamless, fast, (manual) error-free and efficient process (Note: if this would not be feasible for the EBA then at least the NCA registers should be machine readable). Moreover, in the current digital world the expectation would be that the EBA central register would be available online and have the capability of being updated in real-time. More fundamentally, the point could be reiterated that, as designed, the central EBA Register would not support the operational needs of PSPs, which would need to access all NCA registers or use a third-party provider.
The EPC also believes that all potential users of the EBA register should be considered including qualified trust service providers (QTSPs) and PSUs looking to ensure that a TPP is authorised for account information services (AIS) and/or payment initiation services (PIS). In particular it cannot be expected that consumers would have to access all 28 NCA registers to find out whether a TPP is authorised or registered – especially those that have been passported into another country.
Generally speaking, the EPC agrees with the search criteria. However, in order to avoid confusion, it suggests considering the development of a unique identifier consisting of the TPP’s country code and number (as currently national identifiers vary from country to country). A consistent format would simplify the search function and make search results more accurate.
As a second-best option to the machine-readable solution, the EPC would suggest that the EBA consider an automated or semi-automated way to i) download the EBA Register data on a regular basis and ii) electronically access the data (e.g. file-based download, ‘file transfer protocol’ access or, if not possible, as a minimum requirement, the comma-separated values (csv) file format).
The EBA Register should also include information about the qualified certificate issued by QTSPs in order to help minimise fraud risk. The EPC proposes to include the certificate’s issuing date and validity date, and the name of the QTSP which has issued the certificate.
As an additional risk mitigation feature, the EPC would like to suggest that users of the EBA Register have the possibility of receiving a real-time alert if, for example, a TPP licence is withdrawn. Alternatively, these alerts could be distributed by the NCAs.
More generally speaking, it would be useful for the EBA to provide further details on the proposed non-functional requirements e.g.:
• Requirements regarding availability and response times of the EBA Register;
• Requirements for data transmission/availability (e.g. what will be the maximum time span between the registration (or any change thereto) of the PSP by the NCA and the provision of the information by the NCA to the EBA);
• A clause for the review of the functional and non-functional requirements e.g. 18 months after adoption, due to a rapidly developing and changing landscape.
Whilst recognising the scope of the mandate provided by PSD2 (Article 14 (1)), the EPC would nevertheless suggest considering the inclusion of credit institutions in the central EBA Register as they can also act as payment initiation service providers (PISPs) and/or account information service providers (AISPs), including in member states where they are not passported as credit institutions. Moreover, the EPC’s understanding is that, when reading together Articles 66(4)(a) and 98(1)(d) of PSD2, mutual authentication is a requirement once the RTS on SCA and CSC are applicable, as the secure communication between ASPSPs and TPPs shall allow for mutual identification and authentication, notification, information and implementation of security measures between all involved PSPs. This would also suggest the need for ASPSPs to be listed in the EBA central register. In addition, the EPC would be in favour of designing the EBA Register “in such a way that it can be used for the purposes of Article 29 of the RTS on SCA and CSC, so that qualified trust service providers will be able to identify properly all TPPs, including credit institutions, to whom they are requested to issue qualified certificates for electronic seals, and account servicing payment service providers will be able to check the credentials of these TPPs” (4.2.34). This is to ensure that all parties can interact with each other in a secure and effective manner.
The EPC is in favour of option a) as outlined in our other responses (see questions 2 and 6).
In order to make the central EBA Register fit for operational purposes and to allow fast/efficient resolution of potential dispute cases, the EPC is of the view that additional information such as contact details, dates of authorisation/registration, and the services provided in the Host Member States should be included. Otherwise PSPs would need to access all NCA registers or use a third-party provider and hence the added value of a central EBA Register would be limited for PSPs.
See also response to question 2.
The EPC agrees.
The same type of relevant information (relating to these entities) as for TPPs should also be included in the EBA Register in order to minimise fraud risk and facilitate validation by ASPSPs.