We are supportive of the EBA’s objective to ensure that Professional Indemnity Insurance (PII) or Comparable Guarantee (CG) does not cause an unreasonable barrier to payment initiation service providers (PISP) or account information service providers (AISP) either entering the market or continuing to offer their services under the revised Payment Services Directive (PSD2). In formulating these guidelines and the standards specifying information requirements the EBA should also be aware of the need to ensure a level playing field between payment institutions and credit institutions.
We do feel this must be balanced with the protection of the customer, the payments ecosystem and existing providers. The overall success of the aims behind PSD2 will depend on high quality insurance which is sufficient to cover PISP/AISP liabilities, which will be increasingly significant as the market grows.
Whilst we recognise that the EBA has a difficult task in defining harmonised approaches for calculating the minimum monetary amount of PII, we are concerned that the calculation may allow for gaps in which risk will be brought into the payments ecosystem. The effects of this could be damaging to the customer who, for example, may have their information stolen, leading to a loss in customer trust in payment methods. It could also be damaging for the financial stability of existing providers, both as a PISP, AISP or banking more widely. It is critical that the liabilities of service providers are sufficiently represented by the minimum monetary amount, but not so that they represent an unnecessary burden for the service provider.
To assist the EBA in this task we have the following comments:
Question 1: Do you agree with the requirement that competent authorities require undertakings to review, and if necessary re-calculate, the minimum monetary amount of the PII or comparable guarantee, and that they do so at least on an annual basis, as proposed in Guideline 8?
The condition to review the minimum monetary amount on an annual basis by the competent authority may not be sufficient if the undertaking is a new market entrant that may see considerable growth over a short timeframe.
The minimum monetary amount should always cover the potential liabilities of that provider, and therefore the frequency of the review should take into account the potential for growth. In any given situation, the customer and any other PSP affected by actions should always be reimbursed irrelevant of whether the AISP or PISP is undergoing slow growth or significant growth.
Given the expected growth of PISPs and AISPs, and therefore the growth of liabilities, we suggest that the EBA specify a frequency and depth with which the competent authority reviews the service provider to ensure that the minimum amount is reflective of the service provider’s activities. For example, a tiered approach in which the competent authority reviews a new market entrant with expected growth bi-, or, tri-annually (i.e. two to three times per year) may be more appropriate.
The EBA should also specify what will be reviewed. For example, when calculating the projected number of customers, or the projected volume and value of payments, the EBA should specify that evidence and rationale should be provided that supports the calculation.
It is not clear from the Guidelines whether there will be a registry in each EU member state or whether the register will be centralised. In either case, the EBA should clarify whether a relevant Competent Authority is required to re-certify or approve each undertaking on an annual basis or only new market entrants.
With reference to paragraph 11, we suggest that the EBA applies different weighting to Corporate and Retail customers.
Question 2: Do you agree with the formula to be used by competent authorities when calculating the minimum monetary amount of the PII or comparable guarantee as proposed in Guideline 3? Please explain your reasoning.
Composition of the Formula
It is our understanding that the proposed formula is not currently used within insurance practice. In particular it does not take into account certain factors that underwriters would normally consider or does not cover these factors to a sufficient extent. Specifically, the main factors which insurers may typically consider including are:
• Number and volume of transactions;
• Average value of transactions;
• Fees earned in connection with transactions, and;
• The broader control environment.
Some of these factors are captured in the proposed formula (e.g. the number and value of transactions), however the quality of the control environment cannot be captured directly in such a formula. It could be argued that the value of customer claims received in the past 12 months partially captures the control environment, although we would note that this measure could be volatile and prone to be influenced by potentially spurious claims (as claims do not need to be valid). We therefore suggest that the EBA look to include the additional factors listed above, and develop further criteria that can better capture the control environment.
Beyond the factors themselves, it is also relevant how the model has been calibrated to ensure appropriate levels of insurance cover. We would note that it is not clear how the EBA has calibrated the model (both in terms of the levels, and also the relative weightings and inflexion points relating to the various factors) to provide confidence that the formula will lead to appropriate levels of insurance. As indicated in Example 1 (section 3.2.8 of the draft guidelines), a key driver of the minimum insurance amount for PISPs is the size of activity criterion, and specifically the total value of transactions initiated historically in the last 12 months. This does not necessarily reflect the forward looking risk profile and liabilities, such as unauthorised or incorrectly executed payment transactions.
Regarding the type of activity criterion, the binary inclusion of the lowest tier (€50,000) in the calculation may not fully account for all liabilities, which depend on the scale and nature of such activities as pointed out in the proposed text. The same challenge is presented to the
binary inclusion of the lowest tier for non-EU activity. As such when using the formula, we believe that it currently sets the insurance limit too low which may not provide the level of protection required. We recommend that in further developing the formula on the aforementioned factors, the EBA consults directly with the insurance industry on how the formulae are best constructed to ensure they align with current industry practice.
Finally, in developing the formula it would be useful to take into account recent developments that have shown the significant cost of breaches. The formula must be capable of establishing a minimum monetary amount of PII which would be sufficient to cover the relative financial cost incurred if a breach such as this took place on an a PISP or a AISP.
Application of the Formula
In modelling the calculations we have come across difficulties in finding a consistent approach to obtaining the minimum amount. We suggest there is a risk that the guidelines, as they currently stand, could be interpreted differently across Competent Authorities and therefore it would be beneficial to make the guidelines as specific as possible. This would also help with setting a level-playing field between different jurisdictions.
Finally, it is not clear from the EBA’s consultation paper how the ‘Comparable Guarantee’ would work in practice. We assume that the monetary amount of the guarantee would be calculated using the same formulae as for insurance policies however guarantees can be constructed in a number of different ways and we would welcome clarity from the EBA on this.
Question 3: Do you agree with the indicators under the risk profile criterion and how these should be calculated, as proposed in Guideline 5? Please explain your reasoning.
When looking at the value of indemnity claims, current practice would expect this to take into account three to five years of previous claims rather than just one year. Whilst some new entrants to the market may not have this information (and as such should use the lowest tier), there are some that will have data extending beyond one year. This should be taken into account and we suggest that a longer amount of time is specified in line with current practice. Where data is not available, the lowest tier should be reflective of this extended period.
The criterion for geographical location of the undertaking may leave risks unprotected by the minimum monetary amount. The extent to which they participate in the markets outside of the EU should be reflected in their minimum monetary amount, as a claim against them within that other market may impact their ability to cover liabilities within the EU. In some cases 50,000EUR would only cover reasonable legal costs. In such cases, it may be that the guidelines should apply the same calculation used to cover their participation in the EU market, and not specify the lowest tier.
We would also question whether there is an established basis for 40%, 25%, 10%, 5%, 2.5% tiers used in Guidelines 5 and 7 or whether they are arbitrary.
Question 4: Do you agree how the indicators under the type of activity criterion should be calculated, as proposed in Guideline 6? Please explain your reasoning.
We understand that established credit institutions wishing to offer PIS or AIS products/services will not need to obtain additional capital or to hold specific PII insurance to cover their AIS/PIS activity. We would welcome clarity on whether these requirements will apply to card-based payment instrument issuers who are not credit institutions.
The level of risk presented by an organisation’s activities will depend on whether the organisation’s sphere of other activities are regulated as opposed to unregulated, or whether it has commercial as opposed to retail customers. In other words, servicing corporate customers would increase the risk of an entity. We understand that the PISP and AISP provisions of PSD2 also apply to corporate, private and high value banking and therefore, PISPs with an appetite to service these customers. Indeed if a high value banking customer chose to use a PISP, the AS PSP under the provisions of PSD2 would be obliged to treat these payments no differently.
Since the value of a SEPA payment differs from provider to provider and whether a customer is a consumer or a business, consideration should be given for this. In the UK for example, there is a set limit in place for Faster Payments of £250,000 (though some PSPs implement lower maximum amounts). It is also possible to initiate a CHAPS payment from some UK customer accounts, especially business customers; although this is entirely dependent on the AS PSP’s online banking interface (also true of SEPA payment and limits) and some AS PSPs widely allow this. CHAPS payments are transferred irrevocably the same day and there is no limit to the amount that can be paid.
The nature of the other activities which providers undertake, for example, if they are technology providers which service customers more widely than just as a PISP or AISP, will carry different risks, and therefore will affect the overall risk and potential liabilities of the service provider. We believe that the insurance providers’ underwriters will be best placed to determine the levels of risks posed by the organisation’s activity. The criteria would benefit from being nuanced to reflect the risk assessment of the insurance provider.
Question 5: Do you agree how the indicators under the size of activity criterion should be calculated, as proposed in Guideline 7? Please explain your reasoning.
The 40% figure for size of activity (and reducing percentages thereafter) may not be sufficient to deliver the necessary coverage requirement, particularly when numbers are based on a business plan rather than real life. The insurance held should represent the maximum exposure at any one time; however this will be difficult to foresee. In the corporate space transaction values could be very high and AIS/PIS providers may not be able to restrict customers from executing certain sizes of transaction.
The proposed size of activity criteria should also take into account the service the undertaking intends to provide. If they are, for example, intending to move towards high value transactions or servicing corporate customers, this must be reflected in their minimum amount of indemnity insurance even if their historic data is reflective of a lower value of transactions.
We encourage the EBA to take greater account of the value of payments expected before defining the tiers. Currently the largest proposed tier is EUR 10 million suggesting that the EBA is not expecting PIS to make large value transactions on a regular basis. However if a PIS instructs a single payment for a very large amount for example, a corporate payment worth EUR 50 million, this formula would not be sufficient unless there were restrictions on the value of single payments that a PIS can make, which we do not think is in the spirit of the Directive.
Furthermore, paragraph 71 does not appear to take into account that PIS/AIS providers may have access to multiple client accounts, thus augmenting the size and relative risk of their activities. For example, an undertaking may have 50 clients each with 10 accounts; does this mean the calculation for N should be 50 or 500?
From a data protection and fraud perspective PISP and AISP activities can actually prove more risky because of their access to accounts with multiple different providers, this could mean that in the event of a large-scale fraud or cyberattack, more customers and more providers are affected by any possible breach. The indemnity insurance should take this into account.
Question 6: Do you think the EBA should consider any other criteria and/or indicators to ensure that the minimum amount is adequate to cover the potential liabilities of PISPs/AISPs in accordance with the Directive? Please explain your reasoning.
With AISP providers, the liabilities could be significant if the AISP had a breach of data which led to acts of fraud. Under the General Data Protection Regulation (GDPR) Regulation EU 2016/679, the fines for a data breach will increase dramatically; a company could be fined up to 4% of global annual turnover or EUR 20 million, whichever is greater. The indemnity insurance for AISPs should be able to cover this eventuality in the case of a very serious data breach. In this scenario we believe that 50,000 EUR as a lowest tier would simply not cover this liability.
For example, in October 2016, TalkTalk, a telecoms company in the UK was fined £400,000 by the Information Commissioners Office, an independent authority set up to uphold information rights and data privacy for individuals within the UK. TalkTalk had failed to prevent the loss of personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, bank account details and sort codes were also lost . Total losses to TalkTalk as a result of the breach have been estimated at up to £80 million.
The minimum monetary amount to be determined by the calculation should be capable of supporting at least the level of such a penalty. Further it should be noted that the UK Prudential Regulation Authority (PRA) recently published its own consultation paper (in November 2016) on cyber insurance underwriting risk in which it highlights the need for cyber underwriting risk stress tests that explicitly consider the potential for loss aggregation (eg via the cloud or cross-product exposures). The EBA may find it useful to refer to this.
Question 7: Do you have any other comments or suggestions that you think the EBA should consider in order to ensure that the minimum amount is adequate to cover the potential liabilities of PISPs/AISPs in accordance with the Directive? Please explain your reasoning.
Overall, we have concerns with the tiers capturing PISP and AISP activity adequately, the scope for growth and the lack of a defined approach if a PISP or AISP engages with corporates. We also feel that the business of third parties is inherently more risky than individual institutions because of the breadth of access, especially in the context of data.
The specific wording of the PII policy will be crucial and we therefore urge the EBA to state explicitly the precise elements of the service provider’s offering that require insurance cover. Whilst standard terms are unlikely to differ between insurance providers, there are a number of specific areas of cover that could be added, such as issues relating to fraud and cyber-related risk (i.e. data breach and malware).
We feel that the EBA should allow flexibility for insurance providers to further determine the minimum level of cover and to apply approaches common to the insurance industry. Examples include the use of risk factors in considering how risky an individual business is, as opposed to applying set formulas to a market which will have a wealth of innovative and incredibly varied business models. Further examples may be value of transactions, volume of transactions, target customer base and a risk framework determined by individual providers.
We are also concerned that the proposed minimum amount of 50,000 EUR for the ‘Lowest Tier’ is not sufficient, particularly in the absence of historical data, which is key to understanding the financial stability of a company. In the absence of historical data the ability to determine the credit risk of the company, and therefore their ability to both remain sustainable, and to pay for their liabilities is significantly more difficult. Further, without historical data, providers are also less able to determine the extent to which the service provider will grow. Therefore, the lowest tier must be capable of accommodating a growing liability, in order to cover the liabilities of the service provider in between the reviews of the competent authority as defined in 1.1 to 1.4.
We would therefore welcome clarity from the EBA on the explicit application of the ‘Lowest Tier’. We believe it should be applied each and every additional time that it is applicable. This is as opposed to using the ‘Lowest Tier’ once within the calculation, even if the ‘Lowest Tier’ is applicable in more than one element of the calculation.
Consideration should also be given to the possibility that the PISP/AISP’s insurer declines to pay out or does not pay out straight away, which undermines the functional requirement of refunding the customer immediately whilst investigations are ongoing.
We welcome the fact that the EBA requires PII or other comparable guarantee before authorisation of the service provider takes place. Whilst we are awaiting the EBA’s authorisation and security guidelines it seems sensible that the criteria takes into account whether these guidelines are breached, in the absence of authorisation being completely withdrawn, also that the market is closely monitored and requiring PISPs/AISPs to provide evidence of valid insurance cover to be listed as authorised and/or placing an obligation on insurance providers to notify the competent authority in the event that insurance cover lapses.