We are three main French Account Information Services Providers (AISP) and as such, we heartily welcome this consultation as we believe that having a PII or a comparable guarantee is of prime importance for businesses like us. We totally agree that we need to be able to meet our liabilities in relation to our activities.
Yet we have some concerns to share and practical issues to raise.
Our first comment concerns a market reality: no specific professional indemnity insurance really exists to cover such risk. The EBA rightly points out that “the PIS and AIS market in the EU can be described as relatively small” (recital 13). Therefore, insurance undertakings are not incentivized to develop special offers to cover our risks. We do not see in the draft RTS any practical solution to fill this gap, and there is no obligation for insurers to cover our activities. Of course, the market will expand in the coming years, offering them opportunities, but meanwhile a practical solution is needed. We therefore suggest that it should be mandatory for insurance undertakings to cover our activities at an affordable price.
To address this market gap, French AIS subscribed to a professional insurance which is the equivalent of the so-called PII. In France, AIS are considered as “commercial institution”. Bankin’, Budget Insight and Linxo call on the EBA to allow this insurance model to continue, as it has proved its efficiency and adaptability to our business. This insurance already covers several damages combined (corporal, tangible and intangible, consecutive or non-consecutive). For instance, for Budget Insight, the insurance covers the risks related to the software and databases as well as any damage resulting from the corruption or theft of data.
Secondly, we do not think that creating a new complex kind of insurance would be an appropriate solution, as this will impede a level playing field. Indeed, it might become an important barrier to entry for new AIS and PIS providers. The more complex the calculation formula, the more we limit the desire of new entrants to create Fintech actors and thus to innovate.
Finally, we share the idea that a yearly revision of the minimum monetary amount would be appropriate. Indeed our business models are rapidly growing and this seems to already be a market practice.
We strongly believe that the proposed formula, which takes into account the ‘type of activity’, the ‘size of activity’ and the ‘risk profile’, is too complex and does not bring clarity to the insurance scheme. French AISPs consider that a simpler method of calculation would bring more clarity and should be focused on the main criteria of the activity:
• For PIS, the value of the transactions initiated;
• For AIS, the number of active clients that use the AIS;
We are convinced that these two criteria encompass all criteria to judge risk, activity and size indicators that are key for the calculation. These are the only two values that matter.
Today our insurers are only taking into account the ‘type of activity’, a geographical criterion and the annual turnover of the company. Thanks to this formula insurers can establish by themselves the amount of the PII. Since the creation of this insurance system, an appropriate coverage was provided by insurers and no breach was ever experienced.
Moreover, by combining these two criteria, the level of risk of an AIS and PIS becomes apparent. The level depends on the number of accounts it aggregates and on the value of transactions it produces. The risk criterion is intrinsically linked to both. These two criteria really cover all the others, as they show the AIS/PIS exposure to the real risk. The main risk for AIS is the data leak or the theft of identifiers. Consequently, the more we store, the more we are at risk. Similarly, the more connected accounts we have, the more data we have, and the more we are at risk. PIS issues payments, so there are two risks, linked to errors or fraud. Consequently, every time a PIS carries out a payment, there is a risk, so the volume of the transactions is a relevant indicator.
Therefore it is not necessary to create a special method of calculation, as it will bring less clarity.
AIS players welcome the objective fulfilled in the draft RTS to ensure the efficiency of the calculation method of a PII. The PSD2 in its article 5(4) does not provide any indicators for the risk profile. In our view, the EBA should not go beyond what the legislators decided.
We understand that the Directive calls the EBA to take into account the risk profile. However, as expressed in Question 2, the French AIS believe that examining the level of risk of an activity should be based on the risk scope:
• For PIS, the value of the transactions initiated;
• For AIS, the number of active clients that make use of the AIS;
The set of quantitative indicators proposed by the EBA including: the ‘value of indemnity claims received’, the ‘geographical location of the undertaking’, ‘the number of contracts with the undertaking applying for authorization’, ‘the number of initiated payment transaction’, the ‘number of different payment accounts’ is far too complicated and not reliable.
Our proposal is simpler, and gets right to the point of what is at stake: the risks that have to be insured. The calculation should only be based on two criteria: the number of accounts the AIS aggregates and the value of transactions a PIS produces.
Our understanding is that the risks that PSD2 is willing to cover with a PII Insurance are:
• For PIS: fraud in the payments
• For AIS: fraud on the number of accounts that are synchronized
As such, we strongly ask the EBA to focus on the final aim, which is that risks have to be insured. Therefore the calculation should only be based on two relevant criteria: the number of accounts the AIS aggregates and the value of transactions a PIS produces.