We understand that the EBA explored the technological solutions, functioning and information content which are currently in place for the EBA Register of Credit Institutions (under CRD IV). Within this context, we welcome the fact that that the EBA consulted with the national competent authorities (NCAs) with a view to establishing an efficient transmission process from the NCAs to the EBA.
However, we believe that the role of EBA Register of TPPs is materially different from that for credit institutions, and therefore should not rely on the same framework nor technological solutions. The EBA Register of Third Party Providers (TPPs) needs to be able to adapt to the future payments environment envisaged by PSD2. We believe the EBA Register should not only provide transparency for payment services users but also serve as reliable “golden source” for ASPSPs for the purpose of instant identification of TPPs. It therefore must allow for fast, frequent and automated exchange of up to date data on TPPs.
The number of transactions and payment services initiated through TPPs is expected to grow significantly over the coming years. German banks already process half a million payment transactions which are initiated by TPP and is predicted to reach millions a day across Europe within the next few years. The introduction of a register whereby data is transmitted manually, with a time delay and is non-legally binding would be inappropriate in this context. A register where manual checks to establish AISP/PISP registration would need to be carried out would interrupt and delay payments. ASPSPs should be able to promptly verify the information about the TPPs from a reliable, legally-binding, real-time updated and consolidated register that excludes the possibility of mismatch with the local registers. This will ensure a secure communication of consumers with the ASPSPs while using the services of TPPs.
PSD2 provides a unique opportunity for EBA, NCAs and ASPSP to be at the forefront of digitalisation by establishing a single, pan-European and digital registry. Such a central registry will eliminate the requirement for the simultaneous transmission of data from NCA to the EBA and eliminate the time delay issue.
The creation of a register that meets the above requirements should also be considered in connection with other aspects of PSD2: for instance it could be used in the area of qualified certificates for electronic seals that the TPPs are required to obtain from “trust centres” as defined in the RTS on Strong Customer Authentication and Secure Communication.
We ask that the EBA considers this more ambitious proposal for establishing a pan-European solution in a market-wide initiative. If this cannot be achieved we suggest the following regarding the transmission of information by NCAs to the EBA:
We support the EBA’s intention to allow technological neutrality and believe that automatic entries should be established as the default method of entering the data into the EBA register. Also, we ask that the EBA considers allowing manual entries, but only as a back-up option for contingency purposes.
We believe that the number of TPPs will increase significantly over time. However, we understand EBA’s concern that in countries where the number of the TPPs is minimal, it will be costly to establish automated solutions. Therefore, we propose that the EBA provides for an exemption for countries where the number of TPPs is below a de minimis threshold (e.g. 10 TPPs). To ensure that the exemption is only taken used by countries with a small number of TPPs, it is important to ensure that a regular review of the number of TPPs is conducted frequently.
With regards to the technological solutions for the EBA Register, we believe Option 2 would be more acceptable as it would allow for efficiency and the increased availability of data. However, it would be useful if the EBA provided clarification on how the re-load of the information will impact the availability of the EBA Register.
Timing of update
The EBA suggests that the EBA Register is updated the day after the record is introduced into local register. However, this time delay would allow for fraudulent transactions to take place before the EBA Register is updated. Relying on day-old information could result in serious risks for consumers and the ASPSPs in case of fraudulent TPP or if a TPP discontinues its registration.
To address this risk there should be functionality to allow a TPP to be blocked in real-time- especially in the case of fraud. For example, it would not be feasible to block a TPP the next day if they discontinued their registration on a Friday. This poses the significant risk that the transactions processed during the weekend could be initiated by an authorised or fraudulent TPP.
This would be most efficiently addressed through the introduction of a pan-European registry (see above) which would allow for the EBA register to be updated real-time without the need for data transmission from NCAs.
Functionality and alternative registers
In our view, the EBA register should: i) represent the only source of legally binding information about TPPs authorisation and registration; ii) include those banks that offer services of TPPs; and iii) prevail over local registers for the purpose of verification of TPPs.
In the event that the EBA register is outdated, ASPSPs will be reliant on different sources of information (e.g. local registers). These sources are based on different technical standards, sometimes relying on paperwork with only manually retrievable information, and are usually provided in local language. All of which could lead to material discrepancies in the information held in different Member States. To avoid this it is vital that the EBA register ensures there is no gap in the information contained in the local registers and that it allows for machine readable functionalities.
To achieve this we strongly encourage the EBA to consider options for a joint initiative to establish such a register in partnership with the banking industry. It could be achieved at the pan-European level (as currently being envisaged by PRETA and in our view the optimal solution) or at the national level (e.g. ISABEL in Belgium) with clear EBA guidance to ensure consistent use of required functionality across NCAs.
As an alternative, the EBA could mandate specific times when the local registers will be updated. Local registers would be required to upload the updates to their registers only a set number of times at a given time (for example twice a day: in the middle of the day and at the end of the day) with simultaneous feed of any changes into the EBA register. Any time gap between when the updates from the local register are introduced into EBA register will mean the gap in the information contained in these registers which should be avoided to allow reliance on the EBA register as a trusted source of information.
Finally, we recommend that the EBA considers issuing minimum standards for national registers to ensure that the banking industry and trust centres can rely on a harmonised, standardised and automated local registers. These should at a minimum include the potential to access national registers through automatic ways, signing up for notification of new entries / updates of the register and machine-readable functions.
Generally, we agree with the search criteria, however, we note that national numbers can vary by country which creates confusion. We therefore suggest a unique identifier that is derived from the TPPs country and the TPPs unique number. A consistent format would simplify the search and ensure the accuracy of the results.
It is important that banks are able to rely on machine enabled search and download of data from EBA register. Relying on manual feeds can contribute to additional (operational) risks and increase the costs of retrieving the information from the register.
In our view, allowing for machine-readable functionality would be the best solution: it will reduce costs for staff to perform a manual download each day, it will reduce the risk of manual errors and the time necessary to do the checks of TPPs.
Given that PSD2 is designed to facilitate safe/secure access to electronic payments systems which provide for instantaneous payments, it seems contradictory for the EBA to introduce a register which can only be accessed manually. The EBA’s approach would also risk unnecessary interruption and delay to payments as manual checks to establish AISP/PISP registration would need to be carried out.
In light of the benefits of electronic functionality it would be helpful to understand in greater detail the reasons why the EBA believes that building up the search functionality would be too expensive to mandate. As things stand it would seem that concerns around cost/delivery could be mitigated if the EBA and NCAs pool resources with the payment industry as suggested in Question 1 to introduce a common end to end system which creates:
§ A standardised and real time approach to adding/removing TPP’s;
§ A unique but standardised format for a registration number;
§ A common system as opposed to the fragmentation which will be caused by 28 countries developing stand-alone systems; and
§ A degree of certainty for those firms relying on the register to combat fraud and other financial crime.
In addition, we would ask that EBA considers the employment of the market driven functionalities (as we suggest in our response to Question 1). If a machine readable solution could not be implemented on time, as an interim solution the EBA could consider a semi-automated approach that would allow regular download of data via a file-based-download (ftp’-access). We recognise that the EBA does intend to allow the download of data, however we would like to note that it is unclear if such download is required for entire register or only in part.
As a minimum requirement, we suggest that the EBA should provide for the ability to download the data from EBA register into the csv (comma separated values) file format in order to be relied on by the banks for their checks of TPPs. This will allow the banks to initiate regular scheduled requests to automatically download all of the EBA register (and its updates), and/or each individual home member register; create a local copy of the register to verify and validate the TPP.
We believe that current non-functional requirements are high level and would benefit from further clarification. As we mentioned in the response to Question 1 above, it is of utmost importance that the EBA Register is updated simultaneously when the updates are made in the local registers.
We believe that the review of the non-functional requirements should be carried out on a quarterly basis.
The absence of TPPs in the EBA register might be confusing for consumers and therefore, we believe that for the user’s convenience, it would be important to develop one single register that would incorporate credit institutions as well. This would allow for more transparency and would simplify the search of TPPs, as well as supporting the verification process of ASPSPs as defined by Articles 65, 66 and 67 of PSD2.
We support the EBA’s approach.
We believe that it would be important that the register does contain additional details on TPPs, including official contact details of the TPPs (e.g. the details of contact person for handling dispute cases). This would be especially important in case a TPPs needs to be contacted for dispute resolution purposes. Given the immediate reimbursement of clients by APSPs in case of issues with payments, such information would allow for direct connection with the TPPs to clarify any issues and resolve disputes. We also think that it would be useful for the EBA register to include information on the markets in which TPPs are passported to provide their services.
In addition information relating to the revocation or suspension of the eIDAS certificates should be reflected in the EBA register. This would improve the security for consumers and increase the reliability of the register.
We agree with EBA’s approach.
Generally, we agree with the EBA's approach, but we trust that the information on the agents who do not provide the full range of services and the reasons for their limitation/exclusion – should be added to the EBA Register as well.