German Banking Industry Committee (Die Deutsche Kreditwirtschaft)

– It is unclear why potential losses arising solely in the previous 12 calendar months are taken into account. If this is a suitable criterion for measuring a third-party provider’s risk potential, then developments in previous years and in the market as a whole should additionally be considered.
– An annual review of the level of insurance is appropriate.
– It is unclear how the ‘lowest tier’ rule in section 3.2.2 (particularly paragraph 39) is to be implemented. As we understand it, this rule has been applied in Example 1 (‘number of contracts’ criterion), but not in Example 2 for the ‘value of indemnity claims received’ criterion and ‘size of activity criterion for AIS’.
– It is unclear whether the components adopted cover the potential risk of involvement of third-party providers. While reference solely to business indicators is proposed, we would actually have expected insurance cover to be geared more to criteria such as a risk assessment of the interface specifically used and general IT security. This is because third-party providers will, for example, lead to new payment processing routes, particularly as they receive and forward account holders’ personal security credentials.
– It is unclear why a flat additional amount of €50,000 is to be applied for activities outside the EU. Should this point be relevant for a risk assessment of a business, then such an approach is not differentiated enough.
– According to Article 5(2) of PSD2, third-party providers must ‘hold a professional indemnity insurance […] to ensure that they can cover their liabilities as specified in Articles 73, 89, 90 and 92.’ For the third-party provider and the account-servicing payment service provider, the liabilities set out in the articles cited are not limited, i.e. they also cover wilfulness and negligence. Yet insurance terms and conditions usually contain non-liability clauses, e.g. loss of insurance cover where the third-party provider acts wilfully or negligently. Such insurance terms and conditions would not be appropriate, however, as otherwise the right of recourse by the account-servicing payment service provider laid down in Articles 73, 89, 90 and 92 of PSD2 would be made economically worthless. Insurance terms and conditions should therefore not contain any non-liability clause. The same goes for the option of a guarantee.
– Any deductible for the third-party provider specified in insurance terms and conditions and applying internally in its relationship with the insurance company should not apply externally in its relationship with the account-servicing payment service providers.
– The relationship between a third-party provider’s insurance company and the respective competent (supervisory) authority is not addressed. It should at least be ensured that any termination of cover by the insurance company triggers immediate, direct notification of the competent authority.
