ING advises to aim for a solution that enables real time updates of the EBA Register from NCA's registers instead of the proposed one where the EBA Register will be updated the next business day after the NCA submits the file. The current approach in the RTS will increase significantly the operational and financial risk of ASPSPs and thus cannot exercise its duty of care towards their customer (e.g. a TPP license is revoked by a NCA on Friday due to fraud. The NCA sends an update of the register, including the information of the TPP with a revoked license to the EBA Register, who makes the changes available for public consumption on Monday. During the weekend, the TPP keeps accessing the PSU's accounts for AIS or/and PIS, even though the license is revoked. Any fraudulent behavior by the TPP will need to be refund to the PSU by the ASPSP).
Moreover, ING believes not addressing this issue will create unnecessary risk and complexity for TPPs operating cross-border. Those internationally operating TPPs can face operational problems because in the absence of machine-readable and highly accessible central register, they have to build individual connections with NCA registers in each European country where they operate. This will undermine the ambition of the PSD2, which aims to facilitate a single European digital market and cross border commerce.
ING is of the opinion that the central EBA register, that serves the purpose of verification of the authorization of PSPs, should be machine readable due to the digital nature of the dedicated interface.
Not having a machine readable register will increase the operational cost of ASPSPs significantly due to the need to introduce human resources to manually authenticate PSPs. It also increases the risk of errors to be made in the verification of the authorization of TPPs, leading to a higher risk of fraudulent transactions. At the public hearing (on September 4th) ING understood that implementing a machine readable register will delay the go live of the EBA Register approximately six months. However ING advises not to dismiss the idea of a machine readable register in total, but defining a phased approach, where the machine readable functionality is released after EBA register goes live in Q3/Q4 2018. On top of this, not being able to access the register in real-time makes it impossible for ASPSPs to verify legality of TPP-access before granting it – thus being forced to either not execute in real-time or run the risk of allowing unlawful access to the account.
We suggest to include information about the qualified certificate for electronic seals, issued by the qualified trust service provider to minimize fraud risk. We propose to include the certificate issuing date and validity date, and name of the qualified trust service provider which have issued the certificate.
We suggest to introduce a number of additional non-functional requirements:
- A concrete percentage on availability and response times has been left out from the RTS. ING understands (from the Public hearing on September 4th) that is up to the IT Project (which will be responsible for the development of the technical solution for the EBA register) to provide those requirements. ING would appreciate to get clarity on those values and include them in the next version of RTS/ITS on EBA Register. IT should aim for being in synchronization with the values already existing for electronic banking channels of ASPSPs;
- Real-time alerts of changes in the authorization of TPPs (granted license or a revoked license) would decrease the differences between the NCA and EBA register;
- Requirements for data propagation/availability (what will be the maximum time span between the registration of the PSP by the NCA and the update of the NCA register to the EBA by the NCA);
- A review clause for the functional and non-functional requirements after a certain time (i.e. 18 months). The need for such a clause would especially lie in the rapidly developing and changing landscape.
ING disagrees and proposes that credit institutions (which operate as an AISP or PISP) should be registered in the central EBA register, since else there is no way for ASPSPs to identify and authenticate such parties, thereby increasing the risk of fraud.
ING agrees with the proposed information which will be included in the EBA register. In addition ING strongly suggests to include contact details, because in case of disputes those can be handled more efficiently and the TPP can be notified more effectively for support in case of unplanned downtime and unavailability of the dedicated interface We also agree that including the services, such parties provide in the Host Member States will be beneficial.
In addition, in line with our suggestion for the question 2, ING proposes to include the information about the AIS / PIS certificate for electronic seals, such as issuing date and validity date, and the name of the qualified trust service provider which have issued the certificate. Rationale: minimize possibility for fraud and increase convenience for ASPSPs particularly in validating cross-border TPPs.
Yes, ING agrees. In line with our suggestion for the questions 2 and 6 we also suggest to include the information of the electronic seal. We insist this is of importance as in case of exempted institutions in case these parties provide AIS / PIS services.
We disagree with EBA’s approach to exclude the institutions addressed in the question 8. For the institutions addressed in this question which perform AIS / PIS activities, we suggest to adopt the same approach as for exempted institutions in Q7. Rationale: minimize possibility for fraud and increase convenience for ASPSPs particularly in validating cross-border TPPs
This information is not only necessary in the relationship between a TPP & PSP, but also in the relationship between agents of payment institutions, exempted payment institutions, account information service providers, electronic money institutions and exempted electronic money institutions and the PSPs. To ensure that those parties are easily identifiable, such parties should be included in the EBA register.