FDATA considers the objectives to be plausible and almost complete. Our key concern, though, is to ensure that smaller applicants providing narrower services are not subject to the same requirements as large multi-state applicants with broad services. An adjustable, tiered system would be preferable to facilitate this.
FDATA has no objections to these chosen options. However, we would ask you to clarify the process for an applicant with multiple lines of business.
FDATA does consider this helpful and has no specific objection. In general terms, however, we would ask the EBA to constantly assess whether barriers to entry are too high and may stifle innovation. Would the EBA consider an exemption for some applicants under defined conditions?
Please treat this answer as a catch-all for questions 4, 5 and 6.
Again, FDATA’s key concern here is the potential stifling of innovation which would result from barriers to entry for early-stage applicants. In this respect, the requirements around business plans, marketing and forecasting seem overly onerous.
Secondly, some of the information required appears too granular and technical in nature and lacks focus on the more important issue of the quality of an applicant’s information security management system.
Furthermore, for applicants with dynamic, cloud-based systems, some of the information requested is likely to change on a regular basis. We would ask the EBA to clarify whether notification of every change would be required.
In all these cases, it is possible to be more selective in the information required and still ensure that the approval process admits only well-qualified applicants.
Finally, we would ask the EBA to clarify why ISO27001 has not been recommended as a standard to apply, having been mentioned in the Regulatory Technical Standards and recommended by the UK’s Open Banking Standard. Adoption of this would reduce the workload on competent authorities.
See answer 4.
See answer 4.
FDATA would recommend an addition. We would ask the EBA to explicitly state how long an incomplete application can wait before it is invalidated, after which a new application will be required.