We welcome the opportunity to comment on the European Banking Authority’s consultation on the draft Guidelines on the information to be provided for the authorisation as payment institutions and e-money institutions and for the registration as account information service providers.
Payments UK is the trade association launched in June 2015 to support the rapidly evolving payments industry. Payments UK brings its members and wider stakeholders together to make the UK’s payment services better for customers and to ensure UK payment services remain world-class.
Payments UK’s main roles:
• To be the payments industry’s representative body: providing an authoritative voice in the UK, Europe and globally, and working with stakeholders to share payments knowledge and expertise.
• To be a centre for excellence: supporting the UK payments industry to provide world-class payments, building on the experience, thought-leadership and project delivery expertise behind award-winning initiatives such as Paym, the Current Account Switch Service and Faster Payments.
• To deliver collaborative change and innovation: working on behalf of our members to benefit customers and UK plc, ensuring their needs are understood and met, both now and in the future.
2 OUR RESPONSE
Q1: Do you consider the objectives of the Guidelines as identified by the EBA to be plausible and complete? If not, please provide your reasoning.
We are generally supportive of the underlying objectives of the Guidelines as specified in section 14 of the rationale.
We see strong links and interdependencies between the objectives and see merits in providing greater transparency and clarity for applicants (point 14a) so that those seeking to be authorised know, upfront, what information and evidence to provide. This in turn should encourage a more efficient and harmonised authorisation and registration process. This should also help to improve the quality of information and thus the achievement of the objectives for competent authorities and Member States specified in rationale points 14c and 14d.
It is important that a level playing field (point 14b) is maintained in order to avoid disparity between Member State regimes. Otherwise there is a danger that some firms might seek to exploit loopholes, which could introduce confusion and risk into the payments market and undermine payment service users’ trust and confidence, contrary to the stated aim in point 14e.
In terms of the level playing field approach, we think that this should ensure that different categories of institution are subject to requirements suitable to their level of risk. We feel the differences between the authorisation regimes should take into account the level of risk each player introduces into the ecosystem; this does not necessarily mean that the same information should be provided by different categories of provider. One example (in the context of a read-across to the EBA’s proposed Guidelines for credit institutions) is the difference in level of risk between a credit institution and a small start-up AISP that plans only to serve a small number of accounts for financial inclusion purposes.
We recognise that the overarching objective of the EBA’s Guidelines is to mitigate the risks that allowing third party providers to access customer payments and data may bring. Whilst the vast majority of PISPs and AISPs looking to operate in the payments industry will be genuine businesses looking to compete and increase market share, there may also be a handful of malicious third parties which could pose a risk to the market.
Whilst mitigating the risks is critical, any plans to mitigate them must be carefully balanced against ensuring that third party authorisation is not so onerous as to discourage or prevent genuine firms from gaining the right to participate in the market. The Guidelines provided by the EBA are a move in the right direction; however, the EBA must assess whether the information requested by the Guidelines is relevant, proportional and effective in achieving its main objective and does not prove to be counter-productive (e.g. requesting security details which could be used maliciously, as we discuss later in our response, or being overly onerous in what is requested). The EBA should also consider how these Guidelines will fit into the operational framework for managing information and registration of PISPs, AISPs and card-based payment instrument issuers for the EBA Register, which will not be consulted on until later in 2017.
We also think a further principle or objective needs to be considered to protect the information provided by applicants and to ensure that the type of information and level of detail sought does not, in and of itself, introduce a security risk. Currently, the Guidelines ask for highly detailed information on firms’ security architecture and processes. If this reached the wrong hands, such as an ill-intentioned employee within the firm or the competent authority, or was accessed by a third party (e.g. via hacking), it could provide a blueprint for exploitation, posing a significant security threat.
As a further point, we feel the draft Guidelines focus a great deal of attention on the information to be provided by PISPs and AISPs and need to be bolstered to ensure ongoing compliance with the authorisation requirements. There is a risk that the main requirement for becoming a PISP/AISP is simply constructing a good application to become authorised. As it stands, the Guidelines do not cover how competent authorities should ensure that authorised entities meet the authorisation requirements on an ongoing basis. Whilst we understand this was not in the EBA’s specific mandate, we feel this should be considered further.
We can see the logic for the selection of option 1, which places the onus on the applicant to give serious consideration to the type of payment service it intends to provide, its legal categorisation and thus also the PSD2 legal provisions it must meet in delivering that particular service.
According to rationale point 19, the EBA considered a choice between development of a template and specifying a list of information and decided to proceed with the latter option to retain greater flexibility. We support the idea of encouraging a degree of flexibility. However, we think that there is a distinction to be made between providing transparency and clarity as to what type of information is required for submission and the level of detail that information contains. We feel that the draft Guidelines, as currently written, are too prescriptive in terms of the level of detail sought. We explore this concern further in our response to question 4.
We think it makes sense to make a clear distinction between the requirements for different types of PSP depending upon the extent and type of payment service they provide and thus to have four sets of Guidelines covering:
• Applicants to services 1-8 of Annex 1 (payment institutions)
• Applicants that apply exclusively to provide PIS
• Applicants that apply exclusively to provide AIS
• Applicants that are Electronic Money Institutions.
This would also appear to support the objective of ensuring transparency and clarity and the need for applicants to be clear at the outset as to the payment service(s) they are offering.
At the EBA Public Hearing, it was positive to note that the EBA already appreciates the concerns many have that the Guidelines are long and difficult for very small FinTech firms to meet. One thing the EBA could consider to make the Guidelines less obstructive to smaller firms is to create a five-part structure, with the fifth part catering for smaller institutions whilst still meeting the legislative requirements of the Level 1 text. In the UK, the category of Small Payment Institution (SPI) has been beneficial in helping smaller firms meet regulatory requirements in a more proportionate way.
The combination of a flexible regulatory regime coupled with more innovative solutions, such as the FCA’s Regulatory Sandbox, has been a valuable exercise for both the regulator and the industry. In line with possible actions identified under the Green Paper for Retail Financial Services, a ‘Project Innovate’-like model might be considered by the EBA or other Member States. Sharing this kind of information and developing a regime for smaller innovators across national competent authorities (NCAs) could be beneficial, especially in relation to the provisions under PSD2 to help develop the market for PISPs and AISPs.
In terms of the authorisation of EMIs, there is a considerable degree of overlap between the provisions of the EMD and PSD. Accordingly, we think it could be beneficial to include E-Money Institutions (EMIs) in the scope of the Guidelines; this also gives further harmonisation to Member State approaches to EMI authorisation and gives more certainty to firms applying to be authorised. We do, however, feel the EBA should not make changes to what is permissible under the EMD. We also feel it would be helpful for firms if the EBA highlighted where specific differences apply between the various authorisation regimes.
We also see a role for an open, trusted and globally-recognised identifier. The global Legal Entity Identifier (LEI) was created as an ISO standard after the financial crash of 2008. The standard, and the system that supports it, is endorsed by the G20 and ensures greater transparency on who parties are engaging with in financial transactions, to better understand exposure and risk. Payments UK supports the LEI being a requirement under the Guidelines, as harmonised identification based on open standards principles will be crucial to the success of PSD2. A fragmented approach to identification could lead to a sub-optimal solution. The reuse of internationally recognised identifiers such as the LEI could be beneficial to the ease of use and growth of the ecosystem. The use of the LEI in the context of PSD2 authorisation is that of a reliable and verifiable identification of a legal entity; this would of course form part of a broader solution on secure communication, authentication and authorisation.
The LEI will help provide a reliable and trusted means for two parties to identify each other. The LEI is already cited in legislation across the EU and the globe, including EMIR, CRR, AIFMD and others. This means that many PSPs that will be providing payment services under PSD2 are likely to already have an LEI. It would be beneficial for this to be extended so that the LEI is incorporated as a requirement for those actors providing PISP and AISP services. This will lead to a more robust environment for identifying parties.
It is worth noting that the LEI may also be useful in the context of other EBA mandates, for example ‘Professional Indemnity Insurance’ and ‘Passporting’. Under the final draft technical standards on cooperation and exchange of information for passporting, the LEI is included in the template passport notifications, where available. It is also worth noting that a firm from a Member State with no Local Operating Unit (LOU) is able to obtain an LEI from an LOU in a different country or Member State.
On security, we feel that rather than firms submitting the significant amount of detail outlined in the Guidelines, a better approach would be for the Guidelines to require certification against ISO 27001. For some industries, certification is a legal or contractual requirement. ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management process. This approach would allow for a more harmonised regime across different Member States. It would also mean that a competent authority could be more flexible in its requirements, requiring only an overview of security procedures and not having to worry about protecting sensitive business data.
Finally, it would be useful for the EBA to clarify whether these draft Guidelines also apply where a major operational or security incident originates outside the Union (e.g. when an incident impacts the services provided via a parent or a subsidiary established outside the Union) and affects, either directly or indirectly, the payment services provided by a payment service provider located in the Union.
We note that throughout the proposed Guidelines, the EBA requests a significant amount of information which goes beyond the mandates of PSD2. We question the proportionality of this information, with some of our concerns highlighted below. We feel that the amount of information and the detail of the information requested could have a number of negative consequences on the market envisaged under PSD2 and also for the security of such firms. We would strongly suggest that the EBA moves to more principles-based requirements as outlined in Article 5(1) of PSD2. Whilst we feel greater transparency and harmonisation is beneficial for the ecosystem envisaged under PSD2, we feel this could be best achieved under a principles-based approach rather than specifying the granular level of detail the EBA currently does in the draft Guidelines. Specifically, we have the following questions and comments:
1. A disproportionate amount of information is requested which details information on the specific security arrangements of an institution. Whilst only a snapshot in time, the information provided would be invaluable to a malicious actor wanting to attack financial institutions. The level of detail provides a comprehensive playbook on ways in which the organisation could be attacked (even to the extent of identifying individuals who could be targeted for further cyber attacks such as through social engineering) to try and gain a foothold onto the networks of the organisation.
2. What will the competent authority do with the security specific information once they’ve received it? Will they assess the solution for suitability and reject or require an improvement if they feel it is not suitable? The effort to review this level of information will be considerable and could cause delays in registration and authorisation. It could also potentially prevent or deter innovative solutions.
3. There is a lack of clarity about the basis upon which the competent authority will decide whether or not to grant authorisation. There does not appear to be anything in the Guidelines that will help the competent authority make those decisions. Whilst this appears to be outside the scope of the Guidelines, our concern is that there is a risk of a race to the bottom or regulatory arbitrage if there is not sufficient detail on how the regulators in the respective Member States are supposed to make judgements on all of the required documentation.
4. The degree of detail the applicant would need to go into would require an enormous amount of time and energy. Considering that a number of the potential institutions applying for authorisation will be start-ups and more innovative players, a prescriptive approach won’t be the most appropriate and may also put off possible innovators.
5. We question the appropriateness of some of the requirements, for example, under Guideline 4.1, the competent authorities require “a marketing plan consisting of … an analysis of the payments market; an analysis of the company’s competitive position; a description of the clients, marketing materials and distribution channels; and the main conclusions of any marketing research carried out”. We question why a competent authority would require this kind of information from a prospective entity beyond knowing the stability of such an institution and the fact the institution has obtained professional indemnity insurance. This would contain sensitive competitive information which gives insights into particular business areas and business models; we do not feel it is appropriate for a competent authority to request this kind of information.
6. The Guidelines do not provide any information or direction on how the capabilities of the organisation would be recorded, or the technical measures required to ensure that the registered entity only provides certain services. The registration and authorisation of an entity is only the first stage of an ongoing process. PSPs would need to know what services the entity can provide and, ideally, there should be a technical measure to restrict the access that the registered entity can achieve. If PSPs have to consult a physical directory or registry that merely lists entities under each of the main headings, then it would be very easy for mistakes to be made in allowing access. We note that the Guidelines apply in full to applicants intending to obtain authorisation as a payment institution under PSD2 but apply only partially to those applicants that intend to provide only account information services (AIS). As regards applicants that intend to provide only payment initiation services, some specific provisions of the Guidelines do not apply to them; we feel this should be made more explicit. We also feel a PKI-type solution, in which digital certificates would be used to restrict capabilities, would reduce the risk of excessive privileges being given to a third party.
One further point it would be helpful for the Guidelines to consider would be linkages (financial or otherwise) with other firms (whether they are authorised or not). It would also be helpful for the EBA to be more explicit in the principle of ‘possession of funds’ in relation to authorised payment institutions versus PISPs.
We note that throughout the proposed Guidelines, the EBA requests a significant amount of information which goes beyond the mandates of PSD2. We question the proportionality of this information, as outlined in our answer to the previous question. We feel that the amount of information and the detail of the information requested could have a number of negative consequences on the market envisaged under PSD2 and also for the security of such firms. We would strongly suggest the EBA move to more principles-based requirements as outlined in Article 5(1) of PSD2. Whilst we feel greater transparency and harmonisation is beneficial for the ecosystem envisaged under PSD2, we feel this could be best achieved under a principles-based approach rather than specifying the granular level of detail the EBA currently does in the draft Guidelines.
We query the EBA’s position on outsourcing arrangements (guideline 5.1(c)) and whether these extend to non-payment services that are outsourced. Since Article 19 of PSD2 refers to information that needs to be provided in respect of payment services, we assume that the scope of the EBA Guidelines relates only to payment services that are outsourced and that the Guidelines do not address outsourcing arrangements generally.
We feel that when it comes to elements of payment processing and fraud, the EBA could benefit from more input from the industry. It is vital to ensuring confidence in payment services that third parties adhere to sufficient security obligations, which will heavily interlink with the RTS on strong customer authentication and secure communication. Once those RTS are finalised, it would be easier to understand the security obligations which would be necessary. We would therefore welcome ongoing dialogue with the EBA on security obligations.
We have no specific comments beyond the issues raised under our answer to question 4. As with the authorisation of payment institutions, we would again encourage the EBA to stick to a more principles-based approach to authorisation. Please see our answers to questions 3 & 4.
We have no specific comments beyond the issues raised under our answer to question 4. As with the authorisation of payment institutions and those seeking to become authorised as an AISP, we would again encourage the EBA to stick to a more principles-based approach to authorisation. Please see our answers to questions 3 & 4.
We welcome the Guidelines regarding the assessment of completeness of the application. One further aspect which would be helpful would be further obligations on competent authorities to give more detail (for example, estimated timescales).