EBA has stated in the rationale that the information regarding the business activity and description of business models must be submitted as a description. We agree with this approach as new business models not included in a list might arise and limiting the business models accepted to some items might potentially hinder the creation of new value propositions. However, there are some concerns related to this option: as it takes into account a qualitative approach, differences might arise between Competent Authorities on the criteria of acceptance of certain business models. This might lead to an uneven playing field among States.
In line with the above, we suggest that minimum common criteria of acceptance for authorisation and/or registry be established and shared among all Competent Authorities. In our opinion, these authorities should be able to assess the business model of the service provider to ensure that it meets PSD2 requirements, with special attention to any services beyond the provisions detailed in article 18. However, it is important to point out that all business models must observe PSD2 and any other legal requirements. As an example, a company that provides advisory services regulated under MiFID must meet those requirements as any other financial services provider, in order to ensure a level playing field. Authorization under PSD2 requirements must not be understood as a shortcut to provide any type of services.
Finally, in order to ensure that this approach is binding, we suggest that EBA include it in guidelines 4, related to the business plan.
Although the potential economic risks of AIS are lower than those of the PIS, there are still some other relevant risks related to data breaches or reputational issues, which must be taken into account.
Regarding the exemptions from the application of the procedure and conditions established in PSD2 for the Payment Institutions registry or authorization, we would like to suggest that the following information requirements should never be lifted:
Programme of operations.
Measures to safeguard the funds of payment service users, in case it applies.
Governance arrangements and internal control mechanisms.
Procedure to monitor, handle and follow up on security incidents and security-related customer complaints.
Security policy document.
Professional indemnity insurance or comparable guarantee for payment initiation services and account information services.
This information is essential to understand the business model and functioning of the service provider. We consider that this information will allow the supervisor to anticipate risks and request mitigation measures prior to starting operations. Regarding this last issue, we would like to highlight the importance of not allowing these service providers to start operating until the registry/authorisation process is complete. To ensure this, we would like to suggest that EBA extend the guidelines to include new provisions stating that this registry will not be completed until the Competent Authority has assessed all the information required by these guidelines.
In this regard, we would like to remark on the potential evolution of PIS, AIS and e-money providers. Any changes in their business model that might affect the services provided under PSD2, as well as any changes related to any of the requirements mentioned in these guidelines, must be reported to and verified by the authority.
Finally, we agree with EBA’s approach to establish a level playing field for AIS, PIS, and electronic money institutions in these guidelines. We would suggest that the EBA consider the inclusion of references to "providers engaged in exchange services between virtual currencies and fiat currencies" and "custodian wallet providers", in the case that these providers become obliged entities under the Anti-money Laundering Directive.
It is our understanding that both categories of service providers, when conducting business from within the EU, typically operate under either PSP or EMI licenses in consideration of associated fiat currencies services.
We agree with this approach, as all companies must be authorised/registered according to the service that they provide. However, we would like to mention that this authorization and/or registration should not be considered as a shortcut to provide services beyond PSD2. In this regard, we would like to suggest that the EBA allow ASPSPs to access the information provided by third parties to the Competent Authority, with special focus on the information regarding the business model, in order to identify potential bad practices that might collide with the services registered. To report these practices, we suggest the use of a contact point through the Competent Authority to clarify the issue. Lastly, to ensure the proper functioning of this ecosystem, we would like to suggest that any PSP should be able to access the updated information of this registry in real time. Allowing public access to the information, which should not be to the detriment of the secrecy provisions already stated in these guidelines, would provide greater transparency among the different service providers, resulting in the creation of a level playing field.
In order to ensure that all legal requirements beyond PSD2 are met, we suggest the inclusion of other items to ensure the correct functioning of the service provider and to avoid potential risks that might affect the customer and the ASPSP: erasure procedure and onboarding/offboarding procedures. These processes must follow GDPR requirements and ensure that there is a symmetry between the onboarding and offboarding procedures. The inclusion of those items should not be to the detriment of the secrecy provisions already established in these guidelines.