Betaalvereniging Nederland (Dutch Payments Association)

ABOUT BETAALVERENIGING NEDERLAND (DUTCH PAYMENTS ASSOCIATION)

Betaalvereniging Nederland (Dutch Payments Association) organises the collective - non competitive - tasks in the national payment system for its
members. Our members are providers of payment services: banks (credit institutions), payment institutions and electronic money institutions. The Dutch Payments Association’s responsibilities lie in the areas of infrastructure, standards and shared product features. We seek to ensure a socially efficient, safe and reliable payment system, with room for innovation.


IN GENERAL

The Dutch Payments Association welcomes the opportunity to comment on the Draft Guidelines suggested by EBA on the criteria on how to stipulate the minimum amount of the professional indemnity insurance (PII) or other comparable guarantee for payment initiation service providers (PISPs) and account information service providers (AISPs), as mandated under Article 5(4) of PSD2. We appreciate and support EBA’s efforts to develop these Draft Guidelines.

Due to the legal nature of Guidelines set by EBA (as described in Regulation (EU) No 1093/2010), national competent authorities (CAs) must notify EBA as to whether they comply or intend to comply with these guidelines, or otherwise with reasons for non-compliance. This gives CAs a certain flexibility to take a different approach on determining the minimum monetary amount of the PII or other comparable guarantee under PSD2. This could imply that CAs authorities of some EU Member States will choose not to apply these Guidelines into their national supervisory frameworks. This could lead to an unlevel playing field between EU Member States, whereby PISPs and AISPs choose to establish themselves (and apply for authorization (PISPs) or registration (AISPs)) in that EU Member State where the least stringent requirements apply with regards to the PII or other comparable guarantee under Article 5(4) of PSD2. It would have given us more comfort-feeling if Article 5(4) of PSD2 would have mandated EBA to develop - more legally binding - Regulatory Technical Standards (RTS) instead. In order for a pan-EU harmonized supervisory regime, we recommend that all CAs will, if possible, apply these Guidelines into their national supervisory frameworks.


QUESTION 1

Yes, in principle we agree with this requirement. However, the provision of new types of payment services (such as PIS and AIS) is expected to grow rapidly as soon as the PSD2 and the EBA RTS have been implemented in the European Union. When a PISP or AISP enjoys a strong growth in business, a risk could arise that its PII or comparable guarantee becomes (much) too low within that 12-month period. When this PISP or AISP is held liable for payments that were initiated/processed erroneously, or when unauthorized or fraudulent access to (or use of) payment account information occurred, it should be able to cover for its legal and other costs and expenses arising from its liabilities – with regards to its actual (up-to-date) business volumes. If this is not the case, it could cause consumers’ detriment which may lead to significant negative impact in societal trust in electronic payments. A close monitoring of its business volume is therefore crucial.

We would like to emphasize the importance that in case of strong growth of a PISP’s or AISP’s business, CA’s will, have to require that the PISP or AISP reviews and re-calculates the minimum monetary amount of its PII or comparable guarantee, more often than once a year, but, for example on a quarterly basis. We therefore propose to include an obligation in Guideline 9 that if the number and/or total value of initiated payment transactions (for a PISP) and/or the number of information requests made at AS PSPs (for an AISP) exceeds a certain growth percentage (for example ≥ 10 percent per quarter), CA’s are obliged to require undertakings (PISPs and AISPs) to review, and if necessary re-calculate, the minimum monetary amount of the PII or comparable guarantee on a quarterly basis. This would implicate that a PISP or AISP should be able to adjust the minimal monetary amount of its PII or comparable guarantee on a quarterly basis, which should be allowed for in the contract’s terms and conditions as agreed with its insurance company or bank.

Taking the above into consideration, we propose to amend Guideline 9 as follows: “When granting the authorisation and/or registration to the undertakings, competent authorities should stipulate that the undertakings review, and if necessary re-calculate, the minimum monetary amount of the PII or comparable guarantee, and that they do so at least on a quarterly basis if the activity increases by more than [for example 10]% in a quarter. Competent authorities shall closely monitor the activity of the authorised and/or supervised entity”.

NB 1: We noted that Question 1 in paragraph 5.2 on page 41 of EBA’s Consultation Paper (CP) refers to Guideline 8 by mistake (it should refer to Guideline 9).
NB 2: To improve the readability of the definitions as stated in paragraph 13 of the Draft Guidelines (page 26 of EBA’s CP), we suggest to insert the definitions in a table with visible lines.
We assume the proposed formula is efficient and transparent in use, also for parties who have not yet applied for registration (future AISPs) or authorization (future PISPs). The formula seems to capture the most basic and relevant elements regarding the risk profile and type and size of activity of in a quite balanced way. We also support EBA’s pragmatic approach to align the formula with methods used as set out in PSD2 for the calculation of the own funds-requirements, based on an additive cluster method (option 2.2).

However, in the formula as proposed the lowest possible minimum monetary amounts of the PII or comparable guarantee (based on the ‘lowest tiers’ or default values) is a mere € 150,000 (= 0 + 0 + 50.000 + 50.000 (risk profile criterion) + 0 (activity criterion) + 50.000 (size of activity criterion)) for a PISP and € 100.000 (= 0 + 0 + 50.000 (risk profile criterion) + 0 (activity criterion) + 50.000 (size of activity criterion)) for an AISP. In our view these amounts are much too little. To illustrate this, in the Netherlands a regular business liability insurance for a self-employed lawyer or consultant has a coverage of € 2.5 million(!). It is not yet clear yet how the market for PIS and AIS will develop over the coming years, but we believe PISPs and/or AISPs should hold solid PIIs or comparable guarantees to enable them, when necessary, to meet their liabilities in relation to their activities.

Please note that ‘Example 1’ as elaborated in article 80 and 81 of paragraph 3.2.8 (page 19 and 20 of EBA’s CP) seems to contain a mistake in calculating the value of the ‘type of activity criterion’. Example 1 describes that the new company “(…) does not offer any other services than PIS (…).”. According to article 6.1 of the proposed Guideline 6, the value for this indicator in the formula should be set to “0” “(…) for those undertakings that apply for authorisation to provide only PIS.” Therefore our assumption is that the value of “50.000” as shown in the example formula in article 81 (page 20 of EBA’s CP) for this indicator is not correct. We therefore believe that the minimum monetary amount of PII or comparable guarantee per calendar year covering all claims resulting from PIS activities in Example 1 should be subsequently set on EUR 666,500 instead of EUR 716,500.

In ‘Example 2’, as shown in article 82 to 84 of paragraph 3.2.8 (Example how to apply the formula), we also noted a possible mistake in the application of the formula to calculate the minimum monetary amount of PII or comparable guarantee per calendar year covering all claims resulting from both PIS and AIS activities. In the application of the formula to calculate the minimum monetary amount of PII or comparable guarantee per calendar year covering all claims resulting from PIS activities, the sum of the indicator values of the ‘risk profile’ criterion is “€ 223,215” (0 + 50,000 + 56,515 + 116,500). The value of the ‘type of activity’ criterion is set at “0” (n/a) and the ‘size of activity’ criterion at “325,000”. This sums up to a total minimum monetary amount (regarding the PIS activities) of € 548,015 and not € 588,015 as article 83 (page 20 of EBA’s CP) displays. If our assumption regarding the application of the first sub-formula for Example 2 are correct, article 84 (page 21 of EBA’s CP) would need to be rephrased into: “84. Considering the fact that the undertaking already holds a comparable guarantee worth EUR 200,000, the undertaking should either increase the value of comparable guarantee to reach EUR 1,301,030 [and not 1,341,030] as calculated, or take out the PII cover of at least the level calculated; i.e. EUR 1,301,030 [and not 1,341,030].”

We strongly recommend EBA to provide for clarity regarding its (possible) mistakes in applying the formula in Example 1 and 2.
The proposed indicators under the ‘risk profile’ criterion are the:
• Value of indemnity claims received in the last 12 calendar months;
• Geographical location of the undertaking;
• Number of contracts in the last 12 calendar months with the undertaking applying for authorization to provide PIS ;
• Number of initiated payment transactions in the last 12 calendar months by undertakings applying for authorization to provide PIS;
• Number of different payment accounts accessed in the last 12 calendar months by undertakings applying for registration to provide AIS.

The proposed indicators under the ‘size of activity’ criterion (see also question 5) are the:
• Total value of transactions initiated by the PISP in the last 12 calendar months;
• Number of clients that made use of the AIS in the last 12 calendar months.

We believe that the EBA’s choice to categorize the indicators mentioned at the third, fourth and fifth bullet under the ‘risk profile’ criterion is an arbitrary one. It seems more logical to us to categorize these indicators under ‘size of the activity’, together with the indicators of ‘total value of transactions initiated by the PISP’ and ‘number of clients that made use of the AIS’, which are already indicators of the ‘size of the activity’ criterion.

It seems a wise decision of EBA to take into account the value of indemnity claims received by the PISP or AISP in the previous 12 calendar months when calculating the ‘risk profile’ criterion of the PISP concerned. However, we believe that the Guidelines need to be more clear about what exactly constitutes a “claim” in this context. To us it seems logical that actually all claims received in the previous 12 calendar months are included in calculating the ‘value of indemnity claims received’; also those (potential) claims which the PISP has already refunded to the ASPSP(s) and/or payment service user(s) out of courtesy. This to ensure that all indemnity claims of the previous 12 calendar months are included in the calculation, and that this calculation is not dependent of the courtesy policy of the PISP or AISP.

As regard to the proposed ‘lowest tiers’ (or default values) for the ‘risk profile’ criterion indicators, it seems to us quite arbitrary to set these on € 50.000 each. We are of the opinion that national CAs will need to be very critical when undertakings which apply for authorization (PIS) or registration (AIS) claim they are not able to make any business forecasts in relation to article 5.5, 5.11, 5.14 and/ or 5.17 (page 31 - 34 of EBA’s CP). We believe this is necessary to avoid that future PISPs and AISPs are ‘encouraged’ to misuse the lowest tier-rule of the proposed Guidelines by stating too easy that they are not able to make any business forecasts. To (partly) mitigate this risk, we recommend that when future PISPs and AISPs indicate they are not able to make any business forecasts, EBA includes an obligation in its Guidelines indicating that CAs will require that those PISPs or AISPs will have to review and re-calculate the minimum monetary amount of their PIIs or comparable guarantees more often than once a year, but, for example on a quarterly basis. Such an requirement could be added to Guideline 9. This implicates that such PISPs and AISPs should be able to adjust the minimal monetary amount of their PIIs or comparable guarantees on a quarterly basis, which should be allowed for in the contract’s terms and conditions as agreed with its insurance company or bank.

Furthermore, specifically regarding article 5.6 (page 31 of EBA’s CP) the ‘default value’ of € 50.000 occurs too generic to us. It does not take into account the type and/ or size of the PISP’s or AISP’s activities performed outside the EU. We note that PISPs and AISPs who offer their services both inside as well as outside the European Union are, generally spoken, major players. We believe that a coverage of ‘only’ € 50,000 will in most cases not be proportionate.

One of the proposed indicators under the ‘risk profile’ criterion is the number of initiated payment transactions in the last 12 calendar months by undertakings applying for authorization to provide PIS (Guideline 5.12). We believe that it makes a difference whether the total value of initiated transactions is caused by, for example, 200.000 transactions of € 1,- each or 2 transactions of € 100.000,- each. When a PISP is held liable for 200.000 transactions of € 1,- each that were initiated erroneously, the loss per duped payment service user will be quite modest. However, if a PISP is held liable for 2 transactions of € 100.000,- each, then the impact for the duped payment service users will probably be much higher. However, in the way the value of the indicator of Guideline 5.12 is calculated, the higher the number of initiated payment transactions, the relative smaller (as compared to the total number of initiated payment transactions) this indicator’s value becomes. We believe that EBA should take this nuance in some way into account in its formula as proposed in Guideline 5.12.

NB: We also believe that it is more clear to rename the ‘risk profile’ criterion indicator ‘Geographical location of the undertaking’ into ‘Geographical provision of services by the undertaking’. This to better cover for this indicator’s content, which value mainly depends on whether the undertaking provides/ will provide its PIS and/ or AIS not only in one or more EU Member States, but also in one or more countries outside the EU.
Yes, we basically agree with the way the indicators under the ‘type of activity’ criterion should be calculated. We support the principle as described in article 6.3 of Guideline 6 (page 34 of EBA’s CP) that if an undertaking wants to provide both PIS and AIS the minimum monetary amount should be calculated separately for each service and are to be summed to get the minimum monetary amount of the PII or comparable guarantee.

As regard to proposed article 6.5 of Guideline 6 (page 34 of EBA’s CP), we believe it is quite arbitrary to set the default value on € 50.000 when the future PISP or AISP is also engaged in other business than providing payments services as referred to in Annex I of PSD2. To us it seems that the amount of € 50.000, regardless of the type and/ or size of the PISP’s or AISP’s other activities is too generic. We believe that the type (including their accompanying risks) of its other activities should be taken into account when calculating the ‘type of activity’ criterion.

Another question we have, is how to interpret “is also engaged” in article 6.5 of Guideline 6 (page 34 of EBA’s CP). For example, how should, in light of Article 6.5, be dealt with undertakings which separate their PIS – and/or AIS activities in a separate legal entity? Is this sufficient for that separate legal entity for not being 'engaged' in other business? Or should the parent - or holding company also be taken into account in this matter? We believe the latter should be the case, because the legal entity providing for PIS and/or AIS can be negatively impacted when, for example, another legal entity of the holding suffers financial difficulties.

Finally, we believe that PIIs or comparable guarantees should not be limited to PIS and AIS, but extended to PSPs that issue card for obtaining the availability of funds from the AS PSP (based on Article 65 ‘Confirmation on the availability of funds’ of PSD2). Once the answer received is “Yes”, these PSPs will issue direct debit requests for obtaining a transfer of funds.
As regard to the proposed ‘lowest tier’ for the ‘size of the activity’ criterion indicator in article 7.4 (page 36 of EBA’s CP), we believe it is quite arbitrary to set its value on € 50.000. This value appears too low to us. In the Netherlands a regular business liability insurance for a self-employed lawyer or consultant has a coverage of € 2.5 million(!).

Furthermore, we are of the opinion that national CAs will need to be very critical when undertakings which apply for authorization (PIS) or registration (AIS) claim they are not able to make any business forecasts in relation to article 7.4 (page 36 of EBA’s CP). We believe this is necessary to avoid that future PISPs and AISPs are ‘encouraged’ to misuse the lowest tier-rule of the proposed Guidelines by stating too easy that they are not able to make any business forecasts. To (partly) mitigate this risk, we recommend that when future PISPs and AISPs indicate they are not able to make any business forecasts, EBA includes an obligation in its Guidelines indicating that CAs will require that those PISPs or AISPs will have to review and re-calculate the minimum monetary amount of their PIIs or comparable guarantees more often than once a year, but, for example on a quarterly basis. Such an requirement could be added to Guideline 9. This implicates that such PISPs and AISPs should be able to adjust the minimal monetary amount of their PIIs or comparable guarantees on a quarterly basis, which should be allowed for in the contract’s terms and conditions as agreed with its insurance company or bank.
Other criteria and/or indicators that EBA could consider is the potential (fraud) risk of the (technical) method(s) used to initiate payment transactions (PISPs) or retrieving payment account- related information (AISPs) from AS PSPs. For example, the risk has become higher when it appears that a certain applied technical method has been successfully hacked by cybercriminals. All PISPs, AISPs and AS PSPs will have to adhere to the future RTS on strong customer authentication and common secure communication. But these future RTS are not expected to prescribe which technical solutions should be used in this matter.

We recommend EBA that PIIs or comparable guarantees should not be limited to PIS and AIS, but extended to PSPs that issue card for obtaining the availability of funds from the AS PSP (based on Article 65 ‘Confirmation on the availability of funds’ of PSD2). Once the answer received is “Yes”, these PSPs will issue direct debit requests for obtaining a transfer of funds.

Finally, we recommend EBA to explicitly mention how the indicators based on numbers* are transformed from numbers into amounts (euros).


* These indicators are: The number of contracts in the last 12 calendar months with the undertaking applying for authorization to provide PIS (Guideline 5.9), the number of initiated payment transactions in the last 12 calendar months by undertakings applying for authorization to provide PIS (Guideline 5.12), the number of different payment accounts accessed in the last 12 calendar months by undertakings applying for registration to provide AIS (Guideline 5.15), and the number of clients that made use of the AIS in the last 12 calendar months (Guideline 7.2).
We have several other comments and suggestions that the EBA should consider regarding the proposed Guidelines, which we will explain below:

No reference to legal requirements applying to providers of PIIs and/or comparable guarantees:
We emphasize the importance of determining a realistic minimum monetary amount of the PII or comparable guarantee. We also believe that the Guidelines should pay attention to providers of PIIs and comparable guarantees. We recommend EBA to refer in its Guidelines to the (legal) requirements and/or relevant EU-legislation to which these companies have to comply, and that should be under supervision of the relevant national CAs.

Duration of PII or comparable guarantee:
It is common for PIIs and comparable guarantees that the coverage for damage continues for a certain amount of time after the insurance holder (PISP or AISP) has ended its PIS- and/or AIS-related activities. After all, PSD2 * (and PSD1) states that a payment services user has a total of 13 months to report an unauthorized transaction to its PSP. As a general policy principle, any PII or comparable guarantee must therefore still be valid at least 13 months after its last payment initiation or account information request.

Furthermore, we assume that the holder of the PII or comparable guarantee (PISP or AISP) will submit its claims received to the supplier of the PII or comparable guarantee. However, especially relevant when a PISP or AISP would face financial difficulties, for example in case of impending bankruptcy, it should still be able to forward the reimbursed claim amount(s) to the duped AS PSP(s) and/ or payment services user(s).

* Article 71 (1) of PSD2, and in case of unauthorised or incorrectly executed transaction, payment service users must notify “without undue delay on becoming aware of any such transaction giving rise to a claim, including that under article 89, and no later than 13 months after the debit date”.

Ensure that PII or comparable guarantee is valid:
The proposed Guidelines do not address any measures to ensure that the holder of the PII or comparable guarantee (PISP or AISP) actually pays the concerned fees in time and does not prematurely terminate the PII or guarantee, since this negatively effects its coverage. We suggest that, next to the holder (the PISP or AISP), the supplier should confirm (for example via a statement/ certificate/ policy) to the relevant CA the PII or comparable guarantee is indeed valid.

Possible damage will need to be recovered, when it proves to be justified, even when the holder of the PII or comparable guarantee (PISP or AISP) has ceased to exist. For payment services users as well as for ASPSPs it therefore should be clear who the supplier of the PII or comparable guarantee is. We recommend EBA to provide clearance on requirements in this matter in its final Guidelines.

Furthermore, the PII or comparable guarantee should provide coverage against liability as mentioned in Articles 73, 89 and 92 of PSD2. However, the impact of these articles is not fully known yet. Therefore, the question arises whether providers of PIIs or comparable guarantees will impose restrictions and/or exclusions in their terms and conditions, which could lead to situations in which a PISP or AISP is not able to appeal to its PII - or comparable guarantee supplier. This could, for example, be the case when the supplier has excluded 'gross negligence' in the terms and conditions of the PII or comparable guarantee. We recommend EBA to take this into consideration when drafting its final Guidelines.

More information needed on requirements of a comparable guarantee:
Article 5 (4) of PSD2 mandates EBA to issue guidelines on the criteria on how to stipulate the minimum monetary amount of the other comparable guarantee. Article 5 (4d) of PSD2 specifies that EBA hereby shall take account “the specific characteristics of comparable guarantees and the criteria for their implementation”. However, the proposed Guidelines do not seem to be clear which characteristics a comparable guarantee should have to be adequate. Therefore, we recommend EBA to add more information in its final Guidelines on the following matters:
• Which parties can/ should be able to provide the comparable guarantee? For example, can a parent - or holding company provide for a comparable guarantee in this matter?
• Is the provider obliged to safeguard the amount of the comparable guarantee? For example to place the covered amount on a separate account, fenced-off from its daily business activities?
• Should a PII with a monetary amount of, for example, € 1 million be assessed by the CAs as being the same as compared to a bank guarantee with the same monetary amount (€ 1 million)? For example as regards of the probability that a provider of PII or comparable guarantee will actually cover (pay) for the damage occurred.

Explicitly state to which party a provider of a PII and comparable guarantee should pay out:
We assume that the PII should cover for the obligation of the PISP/ AISP to reimburse the duped ASPSP as well as that the ASPSP should be the beneficiary of the comparable guarantee. This because the ASPSP is obliged to refund the amount of the unauthorized payment transaction to the payer immediately, and in any event no later than by the end of the next business day (Article 73 of PSD2). If the PISP is liable for the unauthorised payment transaction, it shall immediately compensate the ASPSP at its request for the losses incurred or sums paid as a result of the refund to the payer, including the amount of the unauthorised payment transaction. The PII or comparable guarantee of the PISP/ AISP would have to cover for the refund obligation towards the ASPSP. As for the ‘comparable guarantee’, we therefore assume that the ASPSP would have to be the beneficiary of that guarantee. We advice EBA to provide clarity on these matters in its final Draft Guidelines.

Reasons why combining a PII and comparable guarantee is not allowed:
Guideline 8 (page 36 of EBA’s CP) states that CAs should require the undertakings to hold either the PII, or a comparable guarantee. Article 76 of paragraph 3.2.7 (page 19 of EBA’s CP) states: “Given that the PSD2 does not specify any other link between the PII and comparable guarantee, the EBA concludes that an undertaking can either hold the PII, or comparable guarantee, and that it cannot hold both of them at the same time.”. We recommend EBA to provide for a rationale in its final Guidelines why a combination of a PII and comparable guarantee is not be allowed, when they together sum-up to the required minimum amount to cover for the potential liabilities of PISPs and AISPs in accordance with PSD2.

Consult with providers of PIIs and comparable guarantees:
Finally, we recommend EBA to consult providers (and specialists) of PIIs and comparable guarantees regarding their view of the feasibility and practical use of the Guidelines proposed, as well of the calculation method including the lowest-tier (default) monetary amounts.
[Other "]"
[Other"]"
Marc van der Maarel
B