Response to consultation on Guidelines on authorisation and registration under PSD2
Go back
Consequently with the above, we suggest that a minimum common criteria of acceptance for authorisation and/or registry is established and shared among all Competent Authorities. In our opinion, these authorities should be able to assess the business model of the service provider to ensure that it meets PSD2 requirements, with special attention to any services beyond the provisions detailed in article 18. However, it is important to point out that all business models must observe PSD2 and any other legal requirements. As an example, a company that provides advisory services regulated under MiFID must meet those requirements as any other financial services provider, in order to ensure a level playing field. Authorization under PSD2 requirements must not be understood as a shortcut to provide any type of services.
Finally, in order to ensure that this approach is binding, we suggest EBA to include it in guidelines 4, related to business plan.
Regarding the exemptions from the application of the procedure and conditions established in PSD2 for the Payment Institutions registry or authorization, we would like to suggest that the following information requirements should never be lifted:
Programme of operations.
Business Plan.
Measures to safeguard the funds of payment service users, in case it applies.
Governance arrangements and internal control mechanisms.
Procedure to monitor, handle and follow up on security incidents and security-related customer complaints.
Security policy document.
Professional indemnity insurance or comparable guarantee for payment initiation services and account information services.
This information is essential to understand the business model and functioning of the services provider. We consider that this information will allow the supervisor to anticipate risks and request mitigation measures prior to starting operations. Regarding this last issue, we would like to highlight the importance of not allowing these service providers to start operating until the registry/authorisation process is complete. To ensure this, we would like to suggest EBA to extend the guidelines to include new provisions stating that this registry will not be completed until the Competent Authority has assessed all the information required by these guidelines.
In this regard, we would like to remark the potential evolution of PIS, AIS and e-money providers. In this regard, any changes in their business model that might affect the services provided under PSD2, as well as any changes related to any of the requirements mentioned in these guidelines, must be informed and verified by the authority.
Finally, we agree with EBA’s approach to establish a level playing field for AIS, PIS, and electronic money institutions in these guidelines. We would suggest the EBA to consider the inclusion of references to providers engaged in exchange services between virtual currencies and fiat currencies" and "custodian wallet providers", in the case that these providers become obliged entities under the Anti-money Laundering Directive.
It is our understanding that both categories of service providers, when conducting business from within the EU, typically operate under either PSP or EMI licenses in consideration of associated fiat currencies services."
Question 1: Do you consider the objectives of the Guidelines as identified by the EBA to be plausible and complete? If not, please provide your reasoning.
EBA has stated in the rationale that the information regarding the business activity and description of business models must be submitted as a description. We agree with this approach as new business models not included in a list might arise and limiting the business models accepted to some items might potentially hinder the creation of new value propositions. However, there are some concerns related to this option: as it takes into account a qualitative approach, differences might arise between Competent Authorities on the criteria of acceptance of certain business models. This might lead to an uneven playing field among States.Consequently with the above, we suggest that a minimum common criteria of acceptance for authorisation and/or registry is established and shared among all Competent Authorities. In our opinion, these authorities should be able to assess the business model of the service provider to ensure that it meets PSD2 requirements, with special attention to any services beyond the provisions detailed in article 18. However, it is important to point out that all business models must observe PSD2 and any other legal requirements. As an example, a company that provides advisory services regulated under MiFID must meet those requirements as any other financial services provider, in order to ensure a level playing field. Authorization under PSD2 requirements must not be understood as a shortcut to provide any type of services.
Finally, in order to ensure that this approach is binding, we suggest EBA to include it in guidelines 4, related to business plan.
Question 2: Do you agree with the options the EBA has chosen regarding the identification of payment services by the applicant; the way information is to be submitted to the competent authority; the four-part structure of the Guidelines, and the inclusion of authorisation for electronic money institutions? If not, please provide your reasoning.
Although the potential economic risks of AIS are lower than those of the PIS, there are still some other relevant risks related to data breaches or reputational issues, which must be taken into account.Regarding the exemptions from the application of the procedure and conditions established in PSD2 for the Payment Institutions registry or authorization, we would like to suggest that the following information requirements should never be lifted:
Programme of operations.
Business Plan.
Measures to safeguard the funds of payment service users, in case it applies.
Governance arrangements and internal control mechanisms.
Procedure to monitor, handle and follow up on security incidents and security-related customer complaints.
Security policy document.
Professional indemnity insurance or comparable guarantee for payment initiation services and account information services.
This information is essential to understand the business model and functioning of the services provider. We consider that this information will allow the supervisor to anticipate risks and request mitigation measures prior to starting operations. Regarding this last issue, we would like to highlight the importance of not allowing these service providers to start operating until the registry/authorisation process is complete. To ensure this, we would like to suggest EBA to extend the guidelines to include new provisions stating that this registry will not be completed until the Competent Authority has assessed all the information required by these guidelines.
In this regard, we would like to remark the potential evolution of PIS, AIS and e-money providers. In this regard, any changes in their business model that might affect the services provided under PSD2, as well as any changes related to any of the requirements mentioned in these guidelines, must be informed and verified by the authority.
Finally, we agree with EBA’s approach to establish a level playing field for AIS, PIS, and electronic money institutions in these guidelines. We would suggest the EBA to consider the inclusion of references to providers engaged in exchange services between virtual currencies and fiat currencies" and "custodian wallet providers", in the case that these providers become obliged entities under the Anti-money Laundering Directive.
It is our understanding that both categories of service providers, when conducting business from within the EU, typically operate under either PSP or EMI licenses in consideration of associated fiat currencies services."