Response to consultation on Guidelines on authorisation and registration under PSD2
Go back
However, as a general comment, the level of information that are required in the guideline is, to our opinion, set out in too great detail. Despite the proportionality, this will likely cause problems and heavy workload in assessing the files by the NCA but also in maintaining the information up to date for the NCA.
We consider that the current EBA “Draft Guidelines on the information to be provided for the authorization as payment institutions and e-money institutions and for the registration as account information service providers” does not meet the objective of providing a fast process to grant approval.
We are also missing clarification on what will be required to entities that are already registered as PI or EMI. We require that an existing PI should not be forced to provide the full set of verifications as some have already been provided to the authorities over the last 5 years. A statement to the authority confirming that nothing has fundamentally changed should maybe be sufficient. Our opinion is that only if a new service like PIS (or AIS) is added to existing PI / EMI services, then the review should be limited to a review of the specific technical aspects related to that new services offering.
This is particularly true if one bears in mind that according to the EBA hearing statements, the Guidelines must cover – due to the maximum harmonization approach of the PSD2 – all kinds of payment institutions, including very big institutions and those with very complex and risky business models.
We are in favor of seeing applications of small service provider follow the same process as the other big or medium service provider applicants. Especially for new services like PIS, we consider that the trust element in the PIS services needs to be established towards consumers. We are convinced that this is a key element for the development of new services around PIS and that it will provide a level playing field once the small service provider / company will progressively grow its business.
- An authorization process for PI (service 1 to 8, including PIS)
- A registration process for AIS
- An authorization process for EMI
The proposed draft will have as consequences a time-consuming procedure with regard to the application preparation and heavy work load:
- for applicants
- for the NCA and the competent supervisory authorities’ officers, leading to long delay in the license granting process (which is already between 9 to 12 months is some countries)
- in the way the NCA is going to be notified of any changes to the initial conditions of the agreement.
To reach the PSD2 objective of a full harmonization across EU, we believe that EBA should provide the list of the main information required, but in a much less detailed way. The NCA should get the freedom to assess the level of details required to form its own opinion on the company application.
To our opinion, this would limit the risk to see all the NCA move towards a “tick the box” regulatory process (as we already see in some countries).
This would also limit the costs of maintaining the PI/AIS/EMI agreement which significantly vary today from country to country (and resources of the NCA).
Reducing the detailed list to the main concepts would also allow applying the same requested level of information to small payment institutions or to payment institutions assumed to be with low-risk business model.
This will allow reaching a level playing field across geography and a maximum harmonization objective.
CH 4.1 - Guidelines
1. General principles
OK
1.1 to 1.5
2. Identification details
OK
2.1 a, b, c, d, e, f, g, j
NOK
2.1 h could you clarify what you mean by any other industry-specific regulatory body?
Do you mean PCI?
Could you clarify what you have in mind?
2.1 h, i are not necessary
3. Program of operations
OK
3.1 a, b, c i), d, f, g, h, i
NOK
3.1 c ii) this is redundant with c i)
3.1 c iii) are, to our opinion, far too detailed and unreasonable request
3.1 c iv) “… different ways through which these services are provided” is unclear; do you mean sales channel, technical interface, protocol?
3.1 c vi) “processing time”. We believe that this information is very complex to provide.
It does not give more information on the risk aspect than the settlement information.
3.1 e) seems to us very difficult to accomplish considering the number of parties involved and the trends towards cloud-based solutions / online based solutions
4. Business plan
OK
4.1 b, d,
NOK
For 4.1 c we believe the sub bullet i), ii) and iii) precisions are not necessary.
For 4.1 e we believe the sub bullets request too much details: i) and ii) we do not see the need to provide monthly projection of the own funds.
5. Structural organization
OK
5.1 a,
5.1 b, Global Staffing estimated FTE are OK for us, but the forecast per divisions seems too detailed
5.1 f
NOK
5.1 c and d, we believe that this description should only be limited to Key Outsourcing activities, not all.
5.1 c) ii We believe that a personalized approach (by giving a specific person as a responsible/contact person) is not helpful. That person could leave the company. A departmental approach seems more reasonable
5.1 e i) “a mapping of the “on site” and “off site” checked on the branches / agent and frequency”.
5.1 e ii) “IT systems, processes and infrastructure used by applicant’s agent to perform activity”
5.1 e iii) “agent main characteristics and key points of the mandate agreement .., selection policy, monitoring procedure and agent training” We consider that the details of the required information (in 5.1 e) on agent are too large and that these details should be removed
5.1 g could you clarify “close link” as this is unclear. This point should be removed from this guideline, as it is already covered in Guideline 15 / 16
6. Evidence of initial capital
OK
6.1 a
7. Measures to safeguard the funds of payment service users (applicable to payment services 1-6 only)
OK
7.1 a, b, c,
7.2 a, b, c, d
NOK
7.1 d “copy of a draft contract with credit institution, including explicit declaration … with article 10 of PSD2”. This is going too far and is not mentioned in article 10.
Who will do/issue this explicit declaration of compliance?
We believe that this 7.1 d) should be removed
8. Governance arrangements and internal control mechanisms
OK
8.1 a, c, d, e, f
NOK
8.1 b “different level of periodical control …human resources allocated …”
The level of information required is far too detailed.
8.1 g, h are available in the outsourcing and agent contract. Covered in 5.1?
8.1 i this is requesting too detailed information
8.1 j this is requesting too many details to assess the risk perimeter of the PI.
9. Procedure to monitor, handle and follow up on security incidents and security-related customer complaints
OK
9.1 a Ok on the principle, not on names of individuals
9.1 b
9.1 c
9.1 d
NOK
9.1 a) NOK to list individuals in charge to assist customer, this is not feasible.
This will depend on the case type, complexity, exposure…
We would advise to remove the reference to individuals (that can change over time) from the EBA guidelines.
10. Process to file, monitor, track and restrict access to sensitive payment data
OK
10.1 a, b, d,
10.1 g, I, j
NOK
10.1 c) could you clarify what monitoring tool you have in mind?
10.1 e, f) unclear what is expected and the extension to the relation with counterparties is, to our opinion, going too far.
10.1 h) list of individuals seems going in too much details and should be removed
11. Business continuity arrangements
OK
11.1 a, b, c, d
NOK
11.1 e) this is requesting too many details.
This should be requested only to systemic actors.
This is an unreasonable requirement.
12. The principles & definitions applicable to the collection of statistical data on performance, transactions & fraud
OK
12.1 a, h, i
NOK
12.1 b, c, d, e, f, g there is no need to request so many details to assess the frauds and the type of statistics collected
13. Security policy document
OK
13.1 a, b, c
13.1 e, f, g
NOK
13.1 d seems far too detailed to be part of the PI application process
13.1 I) and j) points are redundant with the rest of information already requested in g?
14. Internal control mechanisms to comply with obligations in relation to money laundering and terrorist financing (AML/CFT obligations)
OK
14.1 a, b, c, d, f, g, h
NOK
14.1 e) again the notion of a responsible individual should be replaced with a role (i.e. an AML officer)
15. Identity and suitability assessment of persons with qualified holdings in the applicant
OK
15.1 a, b, c
15.2 a, b, c, d, e, f, g, h, I, j
15.3 a, b, c, d, e, f, g, h, I, j, k, l, m, n, o, p, q, …, t
15.4 a, …, f
15.5 a, …, f
15.6 a, b
NOK
Could you define “qualified holdings”?
16. Identity and suitability assessment of directors and persons responsible for the management of the payment institution
OK
16.1 a, b, c, d, e,
17. Identity of statutory auditors and audit firms
OK
17.1 a, b
18. Services and account information services
OK
18.1 a, b.
NOK
Could you clarify that the PII is mandatory for a company that is already a PI and that is willing to offer PIS or AIS service.
And this even if the company is largely meeting the minimum own fund obligations?
CH 4.2 - Guidelines
1. General principles
Ok
1.1 to 1.5
2. Identification details
OK
2.1 a, b, c, d, e
2.2 a, b, c, d, e, f, g, j
NOK
2.2 h could you clarify what you mean by any other industry-specific regulatory body?
Do you mean PCI? Could you clarify what you have in mind?
2.2 h, i are not necessary
3. Program of operations
OK
3.1 a, b, c iii), d, f, g, h
NOK
3.1 c i) are, to our opinion, far too detailed for the application.
3.1 c ii) “… different ways through which these services are provided” is unclear; do you mean sales channel, technical interface, protocol?
3.1 c iv) “processing time”. We believe that this information is very complex to provide.
It does not give full information regarding the Bank return of information.
3.1.e) seems very difficult to accomplish considering cloud-based solutions for online-based solutions
4. Business plan
OK
4.1 a “marketing plan” Note that this should be limited to the main financial area of operation
4.1 b, d
NOK
For 4.1 c, we believe the sub bullet i), ii) and iii) precisions are not necessary.
5. Structural organization
OK
5.1 a), “ forecast of staff 3 Years ”
Global Staffing estimated FTE, no forecast per divisions
5.1 e
NOK
5.1 b and c, we believe that this description should be limited only to Key Outsourcing activities, not all.
We do not believe that a personalized approach (by giving a specific person as a responsible/contact person) is helpful. The person could leave the company. A departmental approach seems more reasonable.
5.1 d i) “a mapping of the “on site” and “off-site” checked on the branches / agent and frequency”.
5.1 d ii) “IT systems, processes and infrastructure used by applicant’s agent to perform activity”
5.1 d iii) “agent main characteristics and key points of the mandate agreement .., selection policy, monitoring procedure and agent training” We consider that the details of the required information (in 5.1 d) on agent are too large and that these details should be removed
5.1 f could you clarify “close link” as this is unclear. This point should be removed from this guideline.
6. Governance arrangements and internal control mechanisms
OK
6.1 a, c, d, e, f, g, h, i
NOK
6.1 b “different level of periodical control …human resources allocated …”
The level of information required is far too detailed.
6.1 j this is requesting a too detailed information (next 3 years program)
6.1 k this is requesting too many details to assess the risk perimeter of the AIS.
7. Procedure to monitor, handle and follow up on security incidents and security-related customer complaints
OK
7.1 a) Ok on the principle, but not on names of individuals
7.1 b
7.1 c
7.1 d
NOK
7.1 a) NOK to list individuals in charge to assist customer, this is not feasible.
This will depend on the case type, complexity, exposure…
Would recommend to remove reference to individuals, as individuals can change over time.
8. Process to file, monitor, track and restrict access to sensitive payment data
OK
8.1 a, b, d,
8.1 g, I, j
NOK
8.1 c) could you clarify what “monitoring tool” you have in mind to access sensitive data?
Is it access right and log file?
8.1 e, f) unclear what is expected and the extension to the relation with counterparties is, to our opinion, going too far in the information requested.
8.1 h) list of individuals seems going in too many details to assess the AIS application
9. Business continuity arrangements
OK
9.1 a, b, c, d
NOK
9.1 e) this is requesting too many details to assess the application of an AIS. This should be requested only to systemic actors
10. Security policy document
OK
10.1 a, b, c
10.1 e, f, g
NOK
10.1 d) seems far too detailed to be part of the AIS application process and redundant with e), g)
10.1 I) and j) points which are redundant requests with the rest of the information already requested in g)?
We believe that this principle 10 should be simplified, as it is very sensitive information.
11. Identity and suitability assessment of directors and persons responsible for the management of AISP
OK
11.1 a, b, c, d, e,
12. Professional indemnity insurance or comparable guarantee
OK
12.1 a, b.
CH 4.3 - Guidelines
1. General principles
OK
1.1 to 1.5
2. Identification details
OK
2.1 a, b, c, d, e, f, g, j
NOK
2.1 h could you clarify what you mean by any other industry-specific regulatory body?
Do you mean PCI? Could you clarify what you have in mind?
2.1 h, i are not necessary to assess EMI application
3. Program of operations
OK
3.1 a, b, c , d, e i) ii), f, g, h, I, j, k, l
NOK
3.1 e ii) seems redundant to i)
3.1 e iii) is unreasonable
3.1 e iv) “… different ways through which these services are provided” is unclear; do you mean sales channel, technical interface, protocol?
3.1 e vi) “processing time”. We believe that this information is very complex to provide.
4. Business plan
OK
4.1 a “marketing plan” Note that this should be limited to the main financial area of operation
4.1 b, d
4.1 e
NOK
For 4.1 c, we believe the sub bullet i), ii) and iii) precisions are not necessary.
5. Structural organization
OK
5.1 a,
5.1 b, “ forecast of staff 3 Years ”
Global Staffing estimated FTE, no forecast per divisions
5.1 f
NOK
5.1 c, we believe that this description “outsourcing arrangement” should be limited only to Key Outsourcing activities, not all outsourcing.
5.1 c) ii we do not believe that a personalized approach (by giving a specific person as a responsible/contact person) is helpful. That person could leave the company. A departmental approach seems more reasonable.
5.1 d, limited to critical outsourcing
5.1 e i) “a mapping of the “on site” and “off site” checked on the branches / agent and distributors”.
5.1 e ii) “IT systems, processes and infrastructure used by applicant’s agent and distributors to perform activity”
5.1 e iii) “agent and distributor the main characteristics and key points of the mandate agreement .., selection policy, monitoring procedure and agent training” We consider that the details of the required information (in 5.1 e) on agent are too large and that these details should be removed.
5.1 g could you clarify “close link” as this is unclear. This point should be removed from this guideline
6. Evidence of initial capital
OK
6.1 a, b
7. Measures to safeguard the funds of payment service users (applicable to payment services 1-6 only)
OK
7.1 a, b, c,
7.2 a, b, c, d
NOK
7.1 d “copy of a draft contract with credit institution, including explicit declaration … with article 10 of PSD2”. This is going too far and is not mentioned in article 10.
Who will do/issue this explicit declaration of compliance?
This should be removed
8. Governance arrangements and internal control mechanisms
OK
8.1 a, c, d, e, f
NOK
8.1 b “different level of periodical control …human resources allocated …”
The level of information required is far too detailed.
8.1 h are available in the outsourcing and agent contract. Covered in 5.1 d)?
8.1 i this is requesting a too detailed information
8.1 j this is requesting too many details to assess the risk perimeter of the EMI application.
9. Procedure to monitor, handle and follow up on security incidents and security-related customer complaints
OK
9.1 a Ok on the principle, not on names of individuals
9.1 b
9.1 c
9.1 d
NOK
9.1 a) NOK to list individuals in charge to assist customer, this is not feasible.
This will depend on the case type, complexity, exposure…
Would remove individuals, individuals can change over time
10. Process to file, monitor, track and restrict access to sensitive payment data
OK
10.1 a, b, d,
10.1 g, I, j
NOK
10.1 c) could you clarify what monitoring tool you have in mind?
10.1 f) unclear what is expected and the extension to the relation with counterparties is, to our opinion, going too far.
10.1 h) list of individuals seems going in too many details
11. Business continuity arrangements
OK
11.1 a, b, c, d, e
12. The principles & definitions applicable to the collection of statistical data on performance, transactions & fraud
OK
12.1 a, h, i
NOK
12.1 b, c, d, e, f, g there is no need to request so many details to assess the frauds and the type of statistics collected
13. Security policy document
OK
13.1 a, b, c
13.1 e, f, g
NOK
13.1 d seems far too detailed to be part of the EMI application process
13.1 I) and j) points are redundant request with the rest of information already requested in g?
14. Internal control mechanisms to comply with obligations in relation to money laundering and terrorist financing (AML/CFT obligations)
OK
14.1 a, b, c, d, e, f, g, h
NOK
14.1 e) again the notion of a responsible individual should be replaced with a role (i.e. an AML officer)
15. Identity and suitability assessment of persons with qualified holdings in the applicant
OK
15.1 a, b, c
15.2 a, b, c, d, e, f, g, h, I, j
15.3 a, b, c, d, e, f, g, h, I, j, k, l, m, n, o, p, q, …, t
15.4 a, …, f
15.5 a, …, f
15.6 a, b
NOK
Define “qualified holdings”?
16. Identity and suitability assessment of directors and persons responsible for the management of the payment institution
OK
16.1 a, b, c, d, e,
17. Identity of statutory auditors and audit firms
OK
17.1 a, b
18 services and account information services
OK
18.1 a, b.
NOK
Could you clarify that the PII is mandatory for a company that is already a EMI and willing to offer PIS or AIS service.
And this even if the company is largely meeting the minimum own fund obligations?
As a consequence:
1) There is a risk to see applications approval for PI, EMI and new PIS / AIS provider be very long, costly and leading to a risk to see such new AIS / PIS services first developed outside Europe.
2) The point 1.5 on page 76 “required for update of application information”, considering the quantity of information to be provided, will lead to very regular updates of information towards NCA. Imposing a significant cost of compliance to the sector.
We would advise EBA to assess/compare the detailed list of the documents requested to Insurance, Credit institutions and PI/EMI to have a real understanding of the mandatory documentation to be provided.
The current draft also needs to clarify what will be the process for companies that are already registered as PI or EMI, what is the information that will be requested to expand their licenses?
Are they supposed to deliver a complete new application?
Question 1: Do you consider the objectives of the Guidelines as identified by the EBA to be plausible and complete? If not, please provide your reasoning.
Yes, in general, Worldline agrees on the objectives of the guidelines.However, as a general comment, the level of information that are required in the guideline is, to our opinion, set out in too great detail. Despite the proportionality, this will likely cause problems and heavy workload in assessing the files by the NCA but also in maintaining the information up to date for the NCA.
We consider that the current EBA “Draft Guidelines on the information to be provided for the authorization as payment institutions and e-money institutions and for the registration as account information service providers” does not meet the objective of providing a fast process to grant approval.
We are also missing clarification on what will be required to entities that are already registered as PI or EMI. We require that an existing PI should not be forced to provide the full set of verifications as some have already been provided to the authorities over the last 5 years. A statement to the authority confirming that nothing has fundamentally changed should maybe be sufficient. Our opinion is that only if a new service like PIS (or AIS) is added to existing PI / EMI services, then the review should be limited to a review of the specific technical aspects related to that new services offering.
This is particularly true if one bears in mind that according to the EBA hearing statements, the Guidelines must cover – due to the maximum harmonization approach of the PSD2 – all kinds of payment institutions, including very big institutions and those with very complex and risky business models.
We are in favor of seeing applications of small service provider follow the same process as the other big or medium service provider applicants. Especially for new services like PIS, we consider that the trust element in the PIS services needs to be established towards consumers. We are convinced that this is a key element for the development of new services around PIS and that it will provide a level playing field once the small service provider / company will progressively grow its business.
Question 2: Do you agree with the options the EBA has chosen regarding the identification of payment services by the applicant; the way information is to be submitted to the competent authority; the four-part structure of the Guidelines, and the inclusion of authorisation for electronic money institutions? If not, please provide your reasoning.
Yes on the principle, we agree on the three-part structure of the guideline, being the following structure- An authorization process for PI (service 1 to 8, including PIS)
- A registration process for AIS
- An authorization process for EMI
Question 3: Do you consider it helpful how the EBA has incorporated proportionality measures in the Guidelines in line with PSD2? If not, please explain your reasoning and propose alternative approaches.
The EBA’s draft guidelines require a huge set of very detailed requirements. The list of the very precise documentations required will lead to a very heavy authorizations process. We think that on some aspect the EBA is going beyond what is required in the PSD2 and we are asking ourselves if, in some topics, the requirements are not even higher than what is currently required to credit institution application.The proposed draft will have as consequences a time-consuming procedure with regard to the application preparation and heavy work load:
- for applicants
- for the NCA and the competent supervisory authorities’ officers, leading to long delay in the license granting process (which is already between 9 to 12 months is some countries)
- in the way the NCA is going to be notified of any changes to the initial conditions of the agreement.
To reach the PSD2 objective of a full harmonization across EU, we believe that EBA should provide the list of the main information required, but in a much less detailed way. The NCA should get the freedom to assess the level of details required to form its own opinion on the company application.
To our opinion, this would limit the risk to see all the NCA move towards a “tick the box” regulatory process (as we already see in some countries).
This would also limit the costs of maintaining the PI/AIS/EMI agreement which significantly vary today from country to country (and resources of the NCA).
Reducing the detailed list to the main concepts would also allow applying the same requested level of information to small payment institutions or to payment institutions assumed to be with low-risk business model.
This will allow reaching a level playing field across geography and a maximum harmonization objective.
Question 4: Do you agree with the Guidelines on information required from applicants for the authorisation as payment institutions for the provision of services 1-8 of Annex I of PSD2, as set out in chapter 4.1? If not, please provide your reasoning.
In the comments below, we have identified the detailed guidelines that, to our opinion, are not acceptable (NOK). But we remain in favor of seeing EBA establish main principles in place of detailed and precise documentations.CH 4.1 - Guidelines
1. General principles
OK
1.1 to 1.5
2. Identification details
OK
2.1 a, b, c, d, e, f, g, j
NOK
2.1 h could you clarify what you mean by any other industry-specific regulatory body?
Do you mean PCI?
Could you clarify what you have in mind?
2.1 h, i are not necessary
3. Program of operations
OK
3.1 a, b, c i), d, f, g, h, i
NOK
3.1 c ii) this is redundant with c i)
3.1 c iii) are, to our opinion, far too detailed and unreasonable request
3.1 c iv) “… different ways through which these services are provided” is unclear; do you mean sales channel, technical interface, protocol?
3.1 c vi) “processing time”. We believe that this information is very complex to provide.
It does not give more information on the risk aspect than the settlement information.
3.1 e) seems to us very difficult to accomplish considering the number of parties involved and the trends towards cloud-based solutions / online based solutions
4. Business plan
OK
4.1 b, d,
NOK
For 4.1 c we believe the sub bullet i), ii) and iii) precisions are not necessary.
For 4.1 e we believe the sub bullets request too much details: i) and ii) we do not see the need to provide monthly projection of the own funds.
5. Structural organization
OK
5.1 a,
5.1 b, Global Staffing estimated FTE are OK for us, but the forecast per divisions seems too detailed
5.1 f
NOK
5.1 c and d, we believe that this description should only be limited to Key Outsourcing activities, not all.
5.1 c) ii We believe that a personalized approach (by giving a specific person as a responsible/contact person) is not helpful. That person could leave the company. A departmental approach seems more reasonable
5.1 e i) “a mapping of the “on site” and “off site” checked on the branches / agent and frequency”.
5.1 e ii) “IT systems, processes and infrastructure used by applicant’s agent to perform activity”
5.1 e iii) “agent main characteristics and key points of the mandate agreement .., selection policy, monitoring procedure and agent training” We consider that the details of the required information (in 5.1 e) on agent are too large and that these details should be removed
5.1 g could you clarify “close link” as this is unclear. This point should be removed from this guideline, as it is already covered in Guideline 15 / 16
6. Evidence of initial capital
OK
6.1 a
7. Measures to safeguard the funds of payment service users (applicable to payment services 1-6 only)
OK
7.1 a, b, c,
7.2 a, b, c, d
NOK
7.1 d “copy of a draft contract with credit institution, including explicit declaration … with article 10 of PSD2”. This is going too far and is not mentioned in article 10.
Who will do/issue this explicit declaration of compliance?
We believe that this 7.1 d) should be removed
8. Governance arrangements and internal control mechanisms
OK
8.1 a, c, d, e, f
NOK
8.1 b “different level of periodical control …human resources allocated …”
The level of information required is far too detailed.
8.1 g, h are available in the outsourcing and agent contract. Covered in 5.1?
8.1 i this is requesting too detailed information
8.1 j this is requesting too many details to assess the risk perimeter of the PI.
9. Procedure to monitor, handle and follow up on security incidents and security-related customer complaints
OK
9.1 a Ok on the principle, not on names of individuals
9.1 b
9.1 c
9.1 d
NOK
9.1 a) NOK to list individuals in charge to assist customer, this is not feasible.
This will depend on the case type, complexity, exposure…
We would advise to remove the reference to individuals (that can change over time) from the EBA guidelines.
10. Process to file, monitor, track and restrict access to sensitive payment data
OK
10.1 a, b, d,
10.1 g, I, j
NOK
10.1 c) could you clarify what monitoring tool you have in mind?
10.1 e, f) unclear what is expected and the extension to the relation with counterparties is, to our opinion, going too far.
10.1 h) list of individuals seems going in too much details and should be removed
11. Business continuity arrangements
OK
11.1 a, b, c, d
NOK
11.1 e) this is requesting too many details.
This should be requested only to systemic actors.
This is an unreasonable requirement.
12. The principles & definitions applicable to the collection of statistical data on performance, transactions & fraud
OK
12.1 a, h, i
NOK
12.1 b, c, d, e, f, g there is no need to request so many details to assess the frauds and the type of statistics collected
13. Security policy document
OK
13.1 a, b, c
13.1 e, f, g
NOK
13.1 d seems far too detailed to be part of the PI application process
13.1 I) and j) points are redundant with the rest of information already requested in g?
14. Internal control mechanisms to comply with obligations in relation to money laundering and terrorist financing (AML/CFT obligations)
OK
14.1 a, b, c, d, f, g, h
NOK
14.1 e) again the notion of a responsible individual should be replaced with a role (i.e. an AML officer)
15. Identity and suitability assessment of persons with qualified holdings in the applicant
OK
15.1 a, b, c
15.2 a, b, c, d, e, f, g, h, I, j
15.3 a, b, c, d, e, f, g, h, I, j, k, l, m, n, o, p, q, …, t
15.4 a, …, f
15.5 a, …, f
15.6 a, b
NOK
Could you define “qualified holdings”?
16. Identity and suitability assessment of directors and persons responsible for the management of the payment institution
OK
16.1 a, b, c, d, e,
17. Identity of statutory auditors and audit firms
OK
17.1 a, b
18. Services and account information services
OK
18.1 a, b.
NOK
Could you clarify that the PII is mandatory for a company that is already a PI and that is willing to offer PIS or AIS service.
And this even if the company is largely meeting the minimum own fund obligations?
Question 5: Do you agree with the Guidelines on information required from applicants for registration for the provision of only service 8 of Annex I PSD2 (account information services), as set out in chapter 4.2? If not, please provide your reasoning.
In the comments below, we have identified the detailed guidelines that, to our opinion, are not acceptable (NOK). But we remain in favor of seeing EBA establish main principles in place of detailed and precise documentations.CH 4.2 - Guidelines
1. General principles
Ok
1.1 to 1.5
2. Identification details
OK
2.1 a, b, c, d, e
2.2 a, b, c, d, e, f, g, j
NOK
2.2 h could you clarify what you mean by any other industry-specific regulatory body?
Do you mean PCI? Could you clarify what you have in mind?
2.2 h, i are not necessary
3. Program of operations
OK
3.1 a, b, c iii), d, f, g, h
NOK
3.1 c i) are, to our opinion, far too detailed for the application.
3.1 c ii) “… different ways through which these services are provided” is unclear; do you mean sales channel, technical interface, protocol?
3.1 c iv) “processing time”. We believe that this information is very complex to provide.
It does not give full information regarding the Bank return of information.
3.1.e) seems very difficult to accomplish considering cloud-based solutions for online-based solutions
4. Business plan
OK
4.1 a “marketing plan” Note that this should be limited to the main financial area of operation
4.1 b, d
NOK
For 4.1 c, we believe the sub bullet i), ii) and iii) precisions are not necessary.
5. Structural organization
OK
5.1 a), “ forecast of staff 3 Years ”
Global Staffing estimated FTE, no forecast per divisions
5.1 e
NOK
5.1 b and c, we believe that this description should be limited only to Key Outsourcing activities, not all.
We do not believe that a personalized approach (by giving a specific person as a responsible/contact person) is helpful. The person could leave the company. A departmental approach seems more reasonable.
5.1 d i) “a mapping of the “on site” and “off-site” checked on the branches / agent and frequency”.
5.1 d ii) “IT systems, processes and infrastructure used by applicant’s agent to perform activity”
5.1 d iii) “agent main characteristics and key points of the mandate agreement .., selection policy, monitoring procedure and agent training” We consider that the details of the required information (in 5.1 d) on agent are too large and that these details should be removed
5.1 f could you clarify “close link” as this is unclear. This point should be removed from this guideline.
6. Governance arrangements and internal control mechanisms
OK
6.1 a, c, d, e, f, g, h, i
NOK
6.1 b “different level of periodical control …human resources allocated …”
The level of information required is far too detailed.
6.1 j this is requesting a too detailed information (next 3 years program)
6.1 k this is requesting too many details to assess the risk perimeter of the AIS.
7. Procedure to monitor, handle and follow up on security incidents and security-related customer complaints
OK
7.1 a) Ok on the principle, but not on names of individuals
7.1 b
7.1 c
7.1 d
NOK
7.1 a) NOK to list individuals in charge to assist customer, this is not feasible.
This will depend on the case type, complexity, exposure…
Would recommend to remove reference to individuals, as individuals can change over time.
8. Process to file, monitor, track and restrict access to sensitive payment data
OK
8.1 a, b, d,
8.1 g, I, j
NOK
8.1 c) could you clarify what “monitoring tool” you have in mind to access sensitive data?
Is it access right and log file?
8.1 e, f) unclear what is expected and the extension to the relation with counterparties is, to our opinion, going too far in the information requested.
8.1 h) list of individuals seems going in too many details to assess the AIS application
9. Business continuity arrangements
OK
9.1 a, b, c, d
NOK
9.1 e) this is requesting too many details to assess the application of an AIS. This should be requested only to systemic actors
10. Security policy document
OK
10.1 a, b, c
10.1 e, f, g
NOK
10.1 d) seems far too detailed to be part of the AIS application process and redundant with e), g)
10.1 I) and j) points which are redundant requests with the rest of the information already requested in g)?
We believe that this principle 10 should be simplified, as it is very sensitive information.
11. Identity and suitability assessment of directors and persons responsible for the management of AISP
OK
11.1 a, b, c, d, e,
12. Professional indemnity insurance or comparable guarantee
OK
12.1 a, b.
Question 6: Do you agree with the Guidelines on information requirements for applicants for authorisation as electronic money institutions, as set out in chapter 4.3? If not, please provide your reasoning.
In the comments below, we have identified the detailed guidelines that, to our opinion, are not acceptable (NOK). But we remain in favor of seeing EBA establish main principles in place of detailed and precise documentations.CH 4.3 - Guidelines
1. General principles
OK
1.1 to 1.5
2. Identification details
OK
2.1 a, b, c, d, e, f, g, j
NOK
2.1 h could you clarify what you mean by any other industry-specific regulatory body?
Do you mean PCI? Could you clarify what you have in mind?
2.1 h, i are not necessary to assess EMI application
3. Program of operations
OK
3.1 a, b, c , d, e i) ii), f, g, h, I, j, k, l
NOK
3.1 e ii) seems redundant to i)
3.1 e iii) is unreasonable
3.1 e iv) “… different ways through which these services are provided” is unclear; do you mean sales channel, technical interface, protocol?
3.1 e vi) “processing time”. We believe that this information is very complex to provide.
4. Business plan
OK
4.1 a “marketing plan” Note that this should be limited to the main financial area of operation
4.1 b, d
4.1 e
NOK
For 4.1 c, we believe the sub bullet i), ii) and iii) precisions are not necessary.
5. Structural organization
OK
5.1 a,
5.1 b, “ forecast of staff 3 Years ”
Global Staffing estimated FTE, no forecast per divisions
5.1 f
NOK
5.1 c, we believe that this description “outsourcing arrangement” should be limited only to Key Outsourcing activities, not all outsourcing.
5.1 c) ii we do not believe that a personalized approach (by giving a specific person as a responsible/contact person) is helpful. That person could leave the company. A departmental approach seems more reasonable.
5.1 d, limited to critical outsourcing
5.1 e i) “a mapping of the “on site” and “off site” checked on the branches / agent and distributors”.
5.1 e ii) “IT systems, processes and infrastructure used by applicant’s agent and distributors to perform activity”
5.1 e iii) “agent and distributor the main characteristics and key points of the mandate agreement .., selection policy, monitoring procedure and agent training” We consider that the details of the required information (in 5.1 e) on agent are too large and that these details should be removed.
5.1 g could you clarify “close link” as this is unclear. This point should be removed from this guideline
6. Evidence of initial capital
OK
6.1 a, b
7. Measures to safeguard the funds of payment service users (applicable to payment services 1-6 only)
OK
7.1 a, b, c,
7.2 a, b, c, d
NOK
7.1 d “copy of a draft contract with credit institution, including explicit declaration … with article 10 of PSD2”. This is going too far and is not mentioned in article 10.
Who will do/issue this explicit declaration of compliance?
This should be removed
8. Governance arrangements and internal control mechanisms
OK
8.1 a, c, d, e, f
NOK
8.1 b “different level of periodical control …human resources allocated …”
The level of information required is far too detailed.
8.1 h are available in the outsourcing and agent contract. Covered in 5.1 d)?
8.1 i this is requesting a too detailed information
8.1 j this is requesting too many details to assess the risk perimeter of the EMI application.
9. Procedure to monitor, handle and follow up on security incidents and security-related customer complaints
OK
9.1 a Ok on the principle, not on names of individuals
9.1 b
9.1 c
9.1 d
NOK
9.1 a) NOK to list individuals in charge to assist customer, this is not feasible.
This will depend on the case type, complexity, exposure…
Would remove individuals, individuals can change over time
10. Process to file, monitor, track and restrict access to sensitive payment data
OK
10.1 a, b, d,
10.1 g, I, j
NOK
10.1 c) could you clarify what monitoring tool you have in mind?
10.1 f) unclear what is expected and the extension to the relation with counterparties is, to our opinion, going too far.
10.1 h) list of individuals seems going in too many details
11. Business continuity arrangements
OK
11.1 a, b, c, d, e
12. The principles & definitions applicable to the collection of statistical data on performance, transactions & fraud
OK
12.1 a, h, i
NOK
12.1 b, c, d, e, f, g there is no need to request so many details to assess the frauds and the type of statistics collected
13. Security policy document
OK
13.1 a, b, c
13.1 e, f, g
NOK
13.1 d seems far too detailed to be part of the EMI application process
13.1 I) and j) points are redundant request with the rest of information already requested in g?
14. Internal control mechanisms to comply with obligations in relation to money laundering and terrorist financing (AML/CFT obligations)
OK
14.1 a, b, c, d, e, f, g, h
NOK
14.1 e) again the notion of a responsible individual should be replaced with a role (i.e. an AML officer)
15. Identity and suitability assessment of persons with qualified holdings in the applicant
OK
15.1 a, b, c
15.2 a, b, c, d, e, f, g, h, I, j
15.3 a, b, c, d, e, f, g, h, I, j, k, l, m, n, o, p, q, …, t
15.4 a, …, f
15.5 a, …, f
15.6 a, b
NOK
Define “qualified holdings”?
16. Identity and suitability assessment of directors and persons responsible for the management of the payment institution
OK
16.1 a, b, c, d, e,
17. Identity of statutory auditors and audit firms
OK
17.1 a, b
18 services and account information services
OK
18.1 a, b.
NOK
Could you clarify that the PII is mandatory for a company that is already a EMI and willing to offer PIS or AIS service.
And this even if the company is largely meeting the minimum own fund obligations?
Question 7: Do you consider the Guidelines regarding the assessment of completeness of the application, as set out in chapter 4.4 to be helpful? If not, please provide your reasoning.
The quantity of information required is very broad.As a consequence:
1) There is a risk to see applications approval for PI, EMI and new PIS / AIS provider be very long, costly and leading to a risk to see such new AIS / PIS services first developed outside Europe.
2) The point 1.5 on page 76 “required for update of application information”, considering the quantity of information to be provided, will lead to very regular updates of information towards NCA. Imposing a significant cost of compliance to the sector.
We would advise EBA to assess/compare the detailed list of the documents requested to Insurance, Credit institutions and PI/EMI to have a real understanding of the mandatory documentation to be provided.
The current draft also needs to clarify what will be the process for companies that are already registered as PI or EMI, what is the information that will be requested to expand their licenses?
Are they supposed to deliver a complete new application?