Para 10: NOT okay: The distinction in the requirements between financial institutions and PSPs is incomprehensible. PSPs should also follow 3 lines of defense model and an appropriate internal control function.

Para 100: OKAY and very much supported. Where product functionality permits, PSPs should allow PSUs to disable specific payment functionalities related to the payment services offered by the PSP to the PSU.

Para 102: OKAY and very much supported: PSPs should provide PSUs with the option to receive alerts on initiated and/or failed attempts to initiate payment transactions, enabling them to tetect fraudulent or malicious use of their account.

ad Scope (page 34, 35): Retained Option 1b is OKAY. One guideline is better than two different ones.

ad Level of detail in prescribed requirements (page 35): Retained Option 2b is OKAY. Due to rapid advancements in technology and threat vectors, the detailed requirements are outdated shortly after publication.