The EACB considers that it is not possible to have the certainty that the total amount of damages will not exceed the minimum monetary amount of the professional indemnity insurance (PII), especially if the forecasted number of transactions of a new Payment Initiation Service Provider (PISP) is lower than the processed volume and a major incident occurs. Therefore, PISPs should have to adapt the insurance value to its transaction volume more often than once a year.
The EACB partially agrees with the formula to be used by competent authorities when calculating the minimum monetary amount of the PII. Please, find below specific comments on some of the indicators that are used to calculate the amount for each criterion.
The EACB does not fully agree with the indicators under the risk profile criterion. Particularly, we consider that the value of historical complaints received during the last 12 months is not necessarily an indicator of the number of complaints in the future.
The EACB has no specific comments to make on the calculation of the indicators under the type of activity criterion.
According to paragraph 7.3, new PISP/AISP (i.e. those that have not been offering their services during the last 12 months) are required to use forecasted values (i.e. number of all transactions initiated/number of clients forecasted) to calculate the size of their activity. For that purpose, PISP/AISP have to use the values as forecasted in the business plan and/or programme of operations that they are required to present as part of their applications for authorization/registration. The EACB considers that this method of calculation which is described in paragraphs 7.3 and 7.4 of Guideline 7 does not ensure that the forecasted value will cover the real value of the transactions. Instead, we would like to propose the use of the average number of all transactions initiated (for PISP) or the average number of clients (for AISP) during the last 12 months of similar operators (having same characteristics) in the relevant market.
The EACB has no specific comments to make in the framework of this question.
The EACB would like to make the following comments to ensure that PIIs cover all potential liabilities of third-party providers in accordance with PSD2:
• The two examples provided by the EBA in section 3.2.8 on how to apply the formula foresee the coverage of about 30% to 50% of the annual transaction volume. In our opinion, PISPs should be obliged to cover at least a minimum of 50% of their transaction volume.
• Regarding the subjective scope of these Guidelines, PIIs should not be limited to PISP and AISP but extended to payment service providers issuing card-based payment instruments for obtaining the availability of funds from the ASPSP. These providers will issue direct debit requests for obtaining a transfer of funds. This activity might be as risky as any other payment transaction and should also be covered.
• According to article 71 of PSD2, in case of an unauthorized or incorrectly executed transaction, payment service users must notify “without undue delay on becoming aware of any such transaction giving rise to a claim, including that under article 89, and no later than 13 months after the debit date”. Therefore, the EACB believes that PII must be valid at least 13 months after the last transaction or account information request.
• Finally, it would also be useful to clarify whether a PII is required also from credit institutions providing PIS or AIS or both. Currently, credit institutions are required to take such risks into account within the framework of their operational risk management and solvency requirement for operational risk. In any event, the EACB would like to stress that overlapping requirements should not be imposed.