We agree in general. However, we believe that there should also be a possibility to base a comparable guarantee on own funds. An PSP should be able to hold own funds, as an alternative to a PII, to cover liabilities. Such own funds requirement could easily be calculated using the existing Method B of Article 9 PSD2.
We question whether the Geographical aspect has any relevance in this case. If the AIS and PIS operates outside the EU it is up to the AIS/PIS and the specific country to decide upon relevant insurance. Possible litigations outside of the EU should not have any impact on the users within the EU. We don’t see why an extra insurance value should be added by the EBA. Therefore, we would suggest that this component is deleted.
For the other criterions we agree in principles, but we believe the definitions are too high level. A number of the criterions should be defined in a narrower way. Below we explain our reasoning:
1. Initiated Payment Transactions. As we are a combined AIS/PIS provider most of the payment initiations we perform are between the PSUs own bank accounts, i.e. intra-bank transactions. We strongly question whether these should be included in the calculation. Transactions between an PSUs own bank accounts must be considered to have a low risk, and a substantially lower risk than payments to e.g. merchants. We would therefore suggest that the criterion excludes transactions between PSUs own bank accounts.
2. Payment Accounts accessed. First of all, this criterion should be changed to number of bank connections instead of number of accounts. The number of accounts is irrelevant to the risk level. One PSU might have one account for all his money while another PSU has several accounts in the same bank. In both these cases we are taking about one bank connection. The different accounts for a PSU within the same bank is just data being collected. The important thing to capture is bank connections. If a PSU has 3 accounts in three different banks, then we believe the risk level is higher than if the same person would have 3 accounts in the same bank. The first case would mean that the AIS would need to connect to three different banks while in the second case the AIS would only access one bank. We would therefore like to ask the EBA to replace accounts accessed with bank connections.
In the following section we will talk about bank accounts as that was the proposal from the EBA, but we still believe that payment accounts should be replaced by bank connections.
We would suggest that the EBA clarifies how this should be calculated. We do not agree that all payment accounts that has been accessed during the last 12 months should be included. The EBA needs to take into consideration that during a year the PSUs can both add and remove accounts. Our interpretation of EBAs view is that all payment accounts that has been accessed during a year should be calculated. If that is the case, we strongly disagree. The calculation needs to take into consideration that accounts are removed during a year as well, and that these should be excluded. We suggest to either use an average or to use the number of bank accounts accessed on the day of the calculation. Should the bank accounts removed not be taken into consideration there is a great risk that the AIS would be vastly over insured. If an AIS provider experience a sharp decrease in users, and hence accessed bank accounts, during the end of the year this decrease will not be taken into account. E.g. an AIS provider has accessed 1 million accounts during the first month of the 12th month period. By the sixth month the AIS loses a lot of users. By the end of the 12th month period the AIS access to 500 000 bank accounts. The number to be used for the coming 12-month period will then be 1 million, according to the suggestion by the EBA. The AIS will then need to acquire an insurance that is on a higher amount then the AIS should be needing.
3. Number of contracts. We question the value that this component brings. It seems like all risks aspects is covered in the other components and that number of contracts won’t impact the risk level of the PSP. Also, for most TPPs this number would be very small and not contributing to the overall PII. Therefore, we would suggest that this component is deleted as it only complicates the calculation.
Furthermore, we would ask the EBA to define what number of accessed account means. It is still unclear if the EBA means to only include the data from the accounts that has really been accessed, or it the EBA means to include all accounts registered with the AIS during the last 12 months’ even if it has not been accessed. Many AISs has a large number of passive users, some that has not been active for more than a year. The user still has the bank connections accounts registered with the AIS, but no data has been accessed for the last 12 months. We believe that these passive clients and their accounts should also be excluded and that the definition only covers the bank accounts that the AIS has retrieved data from during the last 12 months.
In general, we agree and believe the suggestions from the EBA is reasonable. However, we would like to questions whether a combined AIS and PIS player should calculate the risk for PIS and AIS separately and the add the two together. For us as a combined PIS and AIS provider the PIS service is more of an extension to the AIS user, i.e. for the user to be able to pay bills, make transfers etc. As both the services are for the same user we do not agree that the risk is doubled by adding the payment option to the user. We agree that there is a risk and that an insurance should be obtained. But it is our view that the risk of the additional PIS is already somewhat included in the risk for the AIS.
It would be better for a combined AIS/PIS provider to input the total data in the same formula. It would be difficult to separate some of the criterions between AIS and PIS, which would mean that the same data will be used in both calculations and hence double counted. E.g. geographical location and value of indemnity claims received would apply for both AIS and PIS. It the undertaking is a combined provider then these will be double counted as these criteria’s should be included in both the AIS and PIS calculation separately. We can’t see the rationale in this, and would therefore suggest one calculation with the total input.
We believe that the criterions need to have a narrower definition. As explained in Question 3 section 1, transactions between a PSUs own bank accounts should be excluded. Please see our answer in Question 3.
With regards the criterion for AIS the definition of number of clients needs to have a narrower definition. Many AIS providers has many passive users. These users, that are not currently using the service, should not be included. We propose that the number of clients are defined as number of clients that has refreshed data, i.e. made a connection to her bank account through the AIS, during the last 12 months. Clients that has not been active during the last 12 months should be excluded. We understand that this might be the intent from the EBA, but we would like it to be more clearly defined.
No, we do not see such criteria. Instead we would like to stress the importance of the comments above.