FBF understands the overall reasoning of the EBA on these proposed RTS and ITS based on articles 15(4) and 15(5) of PSD2. But FBF also clearly regrets that the EBA register will not be an operational directory to be used for identification purposes between ASPSPs and TPPS as requested in the RTS on SCA and CSC.
There is actually a real need for an operational and highly automated register to ensure operational TPPs identification checking in the non-contractual world of PSD2.
This is an essential building block for a thriving FinTech sector and a key enabler for the success of PSD2
The choice of the option regarding the automated transmission of information by National Central authorities (NCAs) is not an issue for ASPSPs. What is at stake for the FBF is that the EBA must commit for accuracy and correct updating of the data as transmitted by the competent authorities, as well as performance and usability.
Specifically in case of revocation of a PSP, the one-day updating timeframe makes the EBA register hardly useful (cf. article 11.6). Data validation in the central register should be then processed in real time (as for data manually transmitted).
Article 13 shows that the competent authorities are responsible for the information manually filled in or automatically provided to the application of the EBA’s register: this is of utmost importance to always have an accurate reflection between the information listed in the EBA register and the information listed in the national public registers.
The register must be used as a single source of reliable and accurate information.
About access by CA users, we would appreciate some clarification on the article 6 (2) about what is meant by “the other security credentials” following the 2 authentication factors. Indeed, security is key to ensure no false information is introduced in the EBA register.
A strong authentication of each National Central Authority user should then be requested.
It is imperative for the EBA Register to be machine readable if it is to be widely adopted by the PSD2 ecosystem and improve its transparency. The EBA Register should be seen as the main source of information for actors in the PSD2 ecosystem to check the permissions of other parties. If the EBA Register is not machine readable (or does not offer automated downloads of the full list as a fall-back option), it is likely that firms will develop manual processes for interrogating the Register. This would, in turn, increase risk in the ecosystem due to the potential for time delays and human error as well as have significant cost implications for participants.
Concerning search results, data should be provided in a machine-to-machine readable format as well as in accessible languages for users.
In addition, we would like EBA to consider the necessity for PSPs to download the complete EBA register at a pre-agreed periodicity. This will simplify the automatic extract of data (in a machine readable format), which then will reduce the number of access to EBA directory and help ensure a real time process.
Concerning article 7, public users are able to read, search and download the information contained in the register. We would like EBA to clarify the information provided by default when public users access the register.
We note in the article 19 that the list of the information provided for search result is very short and is less than the content of the register (e.g. no information provided on the countries where the TPP can operate).
We can understand this rationale for the search result of a public user but we believe that for professional users as PSPs, getting all information listed in the EBA register would be needed for their activity including information on the countries where PSPs are passported and for which activity (AIS/ PIS/ both).
In case of dispute with a TPP or a customer, there is a need for accessing the version of the register on the day the disputed transaction took place.
Consequently, ASPSPs should be able to ask EBA for information on the register at a precise date and hour in the past. We recommend the following amendment to article 17, adding a new paragraph 5: “EBA shall be able to send information contained in the register at a given date over a period of the last 13 months.”
At least, in particular for dispute resolution, EBA should be able to deliver an access to previous versions of the register over a period of 14 months to cover the 13 months capability of the user’s complaint for reimbursement.
Following the same reasoning, in case of dispute, we believe that National competent authorities (NCAs) should also keep a history over 13 months of their national files.
Recital 34 requests information regarding qualified certificates for each PSP for their AIS and PIS offers.
We regret that such critical information for ASPSPs was not taken into account.
We understand that the EBA electronic central register will not include credit institutions providing AIS and PIS.
We would encourage the EBA to include credit institutions who provide AIS and PIS services in the Register. It is important that the EBA Register serves as the single source of information for AISP and PISP permissions if it is to be meaningful and improve transparency in the PSD2 ecosystem.
As EBA is already maintaining a Credit Institution Register, such register should also be machine-to-machine readable with the same level of information as requested previously in our answer to Question 3 and the EBA should also provide the same access capability to previous versions over 13 months.
As such, information contained in the EBA register are not sufficient for operational matters for ASPSPs. The preferred ASPSPs option would be “the more detailed information” one, and this on a common basis – nothing optional -.
As written in the answer to question #6, contact details of the institution (phone number and email address) as well as the services provided in the Host Member States should be included in the EBA register. Moreover, we do believe that all information needed for identification purposes between ASPSPs and TPPS as requested in the RTS on SCA and CSC should be added in the EBA register in order to have an operational EBA directory.
FBF believes that having the contact details of the institution (phone number and email address) as well as the services provided in the Host Member States, is essential as contractual relation between ASPSP and AISP or PISP is not mandatory.
Moreover it would be important that those data be shared in a standardised format.
Concerning the scope of information on agents, FBF believes that having contact details such as phone number and email address as well as the description of their role – list of payment services provided- must be requested.
Given that there are instances where PSP agents do not provide the whole set of services for which the respective PSP is authorised, we would favour the inclusion of the list of payment services provided by PSP agents in the EBA Register. The EBA should consider mandating the national competent authorities to collect and publish that information in their national registers. In our view, it is important that this information is included in the Register in order for it to serve as the single source of information on PSD2 participants’ permissions.