Yes, we agree with the requirement for regular reviews. In a growing market, however, an annual review cycle may be insufficient and we would suggest a tiered review frequency depending on the maturity of the TPP payment sector. In the initial period of rapid growth, a quarterly review seems more appropriate to understand annual transaction volume better, whilst at a later stage the TPP might only be required to report back to the competent authorities immediately in case of significant changes in the turnover (or other meaningful parameters).
Our understanding is that the insurance amount covers all operational losses at TPPs, and that under PII, a certain amount would be insured throughout the year with contracts renewed annually. Further clarification on the mechanisms of PII (whether the insured amount would decrease if claims were made) would be helpful, as each TPP may have PII with different terms and conditions, which could confuse market participants and end customers.
It is our understanding that a large number of small transactions (and therefore smaller losses to compensate) were taken into account to create the formula in the proposed guidelines for PISP. The formula is not as appropriate for corporate transactions, where only one or two payments could breach the insured amount. While both consumer and corporate payments can incur transaction losses, the size of the loss that the insurance would have to compensate would be substantially higher for corporate transactions.
For AISPs, the risk profile and size indicators are closely related. It can be expected that for all practical purposes the size criterion will have comparatively little influence on the minimum cover. Unless the structure of the model needs to be preserved, we propose the size criterion to be removed from the formula for AISPs.
We also request clarification from the EBA regarding the fixed amount factor for TPP’s with business activities outside the EEA. The difference in risk profile remains unclear, and an additional amount of EUR 50,000 may be insufficient to cover for losses incurred outside of the EEA.
Please refer to the answer to question 2.
We agree with the logic in the background section of the Guidelines, setting out the type of activity criterion whereby the risk profile of a TPP is likely to depend on whether any other activity than that of an AISP and/or PISP is a regulated business or not. We expect that any liabilities stemming from a business subject to prudential regulations will be considered under the respective regulation and thus such additional liabilities would be outside of the scope for a PII in this context. Any insurance cover for other regulated activities, should not be used as a replacement for the PII for AISPs or PISPs.
Other activities in an unregulated business could potentially lead to an increased security risk, especially when such an activity exposes the TPP’s IT systems to other electronic interfaces. In this context, entities or businesses not covered by the directive on security of network and information systems (NIS Directive) or General Data Protection Regulation (GDPR) should be under more scrutiny due to higher risk of data leaks or data loss through hacker attacks, should they wish to handle payment services.
PSD2 does not discriminate between retail and corporate customers. The proposed formula (guideline 7.1) for PISP is not as appropriate when corporate transactions are taken into accounts, where only one or two transactions would breach the insured amount.
For the calculation of the activity criterion for PISP, we suggest the figure should be the higher of (1) the result of the equation as proposed by the EBA, and (2) the maximum payment amount per transaction the PISP will accept as stipulated in the PISPs internal risk management procedures. Determination of the activity criterion in this particular way will ensure that the PISP will not initiate a payment that would exceed the insured amount.
We further suggest that in order to avoid the payment mishandling, PISPs and clients should agree the limits for payments that could be initiated through the PISP within their contractual framework.
With the introduction of TPPs between banks and their clients, we identify below several additional significant risk drivers compared to the current environment:
• Fraudulent and negligent PISPs or AISPs: We refer here to the risk of identity theft, loss or the leaking of private data, either due to fraudulent internal activities at the TPP, or through hackers accessing an insufficiently protected server/database. As ASPSPs (banks) do not have a contractual relationship with the TPP’s, they have to rely on the process of accreditation performed by the competent authorities. Transparency of the accreditation data and details of AISPs and PISPs (through access to an online register of this data in real time) is an important risk mitigation factor for banks. We request clarification that all losses ASPSPs incur due to fraudulent and negligent internal activities at TPPs would be covered by PII to avoid introducing significant risks and to maintain stability of the financial system. If certain losses banks incur cannot be covered by the PII, it could have negative consequences on the calculation of regulatory capital in the context of operational risk.
• Compromise of customer credentials: Where customer credentials (for example, two factor authentication information) are transmitted via a TPP, no end-to-end (E2E) encryption of the data can be ensured. In common cases, data would be encrypted with Transport Layer Security (TLS), which is the successor to Secure Socket Layer (SSL) - the most common encryption protocol for secure data transfer via the internet. TLS encrypted data between the client and TPP would then be decrypted and newly encrypted at a gateway between the TPP and the bank. Therefore, during the decryption and re-encryption process, credentials are available in plain text on the TPP servers for a few moments and could theoretically be compromised by an internal or external attacker at that time. For risk mitigation, the two-factor authentication should always be performed directly between the device of the client and the infrastructure of the bank. Alternatively, if the credentials are transmitted via a TPP, the EBA should mandate the use of Hardware Security Modules (HSMs) for the decryption and encryption processes at the TPP. HSMs are tamper resistant computing devices which store secret data safely and perform cryptographic processes as encryption and decryption.
• Fraud Detection Systems: Only when a direct connection between a customer and a bank is established, a bank can utilise the full extent of session data (for example, the device’s IP address, geo-location, operating system and browser type/language settings, time stamps) and device data (such as a smartphone’s identity number, jail-broken/rooted status, operating system and version, access channel) for robust fraud detection. When the connection between customer and bank is via a TPP (as PSD2 envisions), the lack of fraud detection could be mitigated if PISPs are obliged to forward the respective parameters about sessions and devices (as above) to the bank.
Moreover, the installation of end-point malware detection systems at the PISP should be made a requirement in the RTS or guideline document.
• High Value Payments (HVPs): Corporates usually assign a maximum amount to each authorised signatory, and require collective sign-off for high value payments. While the sign-off authorisation limits and requirement of collective sign-off of corporate transactions can be seen as risk mitigants, corporate transfers can be several orders of magnitude higher than the typical retail market transactions. This exposes banks to a substantially higher risk through fraudulent transactions as banks are required to execute HVPs when they are received via a PISP with proper client credentials and when the account shows sufficient balance (or agreed credit lines/ overdraft agreements).
We agree with the EBA approach to require a minimum PII cover despite a lack of historic claims in the case of start-up PISPs/AISPs. If a new TPP (or a TPP in the initial growth phase) in its business plan envisions a certain increase in the average transaction amount which would result in a substantially insufficient PII cover before the end of the current insurance period, the TPP should be required to obtain PII to cover this. We further recommend keeping this minimum requirement where there have been no claims in the last 12 months.
PSD2 provides that banks are required to process transactions initiated through a PISPs (Article 66 of PSD2), and are further obliged to compensate their clients for any losses resulting from such processing (Article 73 of PSD2). Following a loss event, banks then have a right of recourse to the PISP (claim under PII), but would carry the risks for settling claims that might not be covered by insurance (i.e. counterparty credit risk). It is therefore critically important that the scope of insurance is wide enough to cover all operational losses at TPP. Without this minimum requirement, serious operational risks could be introduced to the payment system, which we believe is not the strategic intent of PSD2.
We therefore suggest:
• The EBA add in the guidelines the minimum scope of coverage: PII should cover fraud (external or internal at the TPP), operational misconduct (including wilful misconduct and gross negligent acts) and data privacy breaches, in addition to the standard terms of PII coverage.
• The insurance is enforceable easily: the territory of its coverage should be EU, and there should be an easy mechanism to enforce it without litigations. Even if the insurance company is located outside of the EEA, it should have to follow the respective guidelines.