Supplementing the already determined objectives of the aspired ‘level playing field’, of the ‘contribution to a harmonised supervision across the EU’ and of the aspired fulfilment of the EBA’s statutory objectives, we suggest a seventh objective, namely ‘providing assistance for CAs to overcome any challenges arising from the static requirements of PSD2 versus the meanwhile developing, innovative market needs’.
Reasoning: PSD2 and its complementary requirements under the diverse EBA mandates show how demanding it is to regulate the innovative financial technology market. CAs should be provided with appropriate means and an appropriate sphere of responsibility to react to new developments in an agile but still “level playing field” way, e.g. processes for the necessary EU-wide cooperation between CAs on new/special business models under PSD2 (for details please see our response to Question 2 below).
With regard to the rationales no. 16-17, i.e. the identification of payment services - in general:
The EBA has deliberately refrained from providing a list of examples of PSD2-relevant types of payment services. The EBA refers to the downside that an exhaustive list of such examples cannot be provided and that such a list could be misinterpreted as suggesting that only the business models used in the examples are permissible while other, potentially more innovative ones are not. figo in principle agrees with this argumentation and with the decision for the chosen option. HOWEVER, applying this option might cause another significant detriment for the market which has to be considered. In terms of the aspired level playing field in Europe, it is questionable how the different CAs are actually going to derive comparable conclusions when assessing similar business models.
To compensate for this identified gap, figo hereby suggests that the EBA determines requirements with regard to a regulated cooperation, i.e. an ongoing and - as far as possible - standardised exchange process between CAs regarding the identification and application of payment services. This is to make sure that for similar business models comparable decisions on PSD2 applicability are derived by all engaged CAs. Consequently, the aspired objectives of a contribution to a harmonised supervision across the EU, the prevention of regulatory arbitrage and the promotion of equal conditions for competition, as well as the desired efficiency of the authorisation procedure - and this despite the complexity of new innovative business models - can actually be achieved.
With regard to the rationales no. 16-17, i.e. the identification of payment services - in particular:
An EU-wide mandatory and standardised exchange between CAs on business model assessments under PSD2 is of specific importance for innovative and nowadays already very successful models which were not (yet) considered when PSD2 was finalised.
From figo’s perspective one major example is the acceptance of, as well as the prevention of a possible over-regulation of, our B2B business partners as part of our own business model as a “Banking Service Provider”. For a detailed description of our business model, we refer to our previous consultation inputs to the EBA, i.e. EBA-CP-2016-11 (RTS on SCA and communication) and EBA-CP-2016-12 (Guidelines on PII).
We offer B2B services relating to the third party payment account access covered by PSD2 as well as services beyond that coverage. With regard to PSD2, figo aims at becoming an EU-regulated Payment Institution, i.e. a licensed PISP as well as a registered AISP.
There is a huge risk that successfully established innovation in the EU market will be ruined to a large extent if CAs do not come to a joint conclusion on the acceptance of B2B models like this. A business model in which a licensed/registered PISP/AISP (i.e. a newly regulated TPP) performs B2B business, i.e. PIS and/or AIS on behalf of another company that uses these services only as a small feature in its product range, should not only be accepted but even fostered by the EBA due to its enormous potential for economic growth in the European market. To make it more tangible, we categorised our B2B business partners as follows:
- “Payment Feature Providers” = using a licensed PISP to integrate a PIS into their product, e.g. e-commerce use cases, factoring companies, credit transfer by photo or accounting and receivables management application providers.
- “Data Benefit Providers” = using a registered AISP to integrate an AIS into their product, e.g. account change/alert/monitoring providers, comparison portals or credit portals (in the latter case for risk management/credit rating purposes).
Today’s advanced market developments show an urgent need for this structure. Established innovations and successful use cases would be hindered to a large extent if these described business models cannot be implemented in a legally watertight way. Especially context-related use cases of PIS and AIS are a major driver of the innovation intended by PSD2. End users tend to share their personal data where they receive benefits, such as more convenient and automated user processes. And there is still considerable room for more innovative business concepts on that PSD2 basis, which will lead to further economic growth for the European market - however, only if it is not unnecessarily over-regulated. The law and regulatory requirements have to come in on a second level, i.e. to meet these newly developed market needs and make sure that the processes requested by the consumer are built and maintained in a secure way, instead of generally limiting the consumer’s freedom.
Given the business model and strategies of Payment Feature Providers and Data Benefit Providers, who only make use of PIS/AIS as a component of their product range, they do not aim at becoming a licensed PISP or registered AISP. That is why today they already make use of market participants such as figo to access the financial resources of their own B2C clients. They want full PSD2-compliant service support by a regulated PISP/AISP in addition to their IT infrastructure needs. Becoming regulated and using outsourcing solutions for all licence-related efforts is also not an option for them, as this approach still does not provide an appropriate balance between costs and benefits. As we discuss this situation with our B2B partners on a daily basis, we see a huge market risk that they will rather forgo successful consumer-friendly features than apply for their own authorisation/registration as PISP/AISP.
Moreover, the promotion of this business model, i.e. of bundling PISPs/AISPs such as figo, provides other benefits for the overall market, as its acceptance would lead to increased consumer and data protection as well as IT security by implementing centrally enforceable and effectively controllable standards from the perspective of EU-wide and national CAs, as well as by the establishment of high-quality API infrastructure standards. To boost this effect, the EBA should consider clarifying at a European level that licensed/registered PISPs/AISPs who offer B2B services to Payment Feature and Data Benefit Providers should implement the following measures (and accordingly describe these processes to the CA when applying for authorisation/registration):
- User agreements with end users to make sure the regulated TPP is still directly connected to the PSU and the TPP’s responsibilities according to PSD2 are directly prescribed and transparent for the end user, as well as
- “Know Your B2B-Partner” processes, i.e. processes to make sure that the regulated TPP checks the background/integrity/compliance/use case of its unregulated partners. In this way a filtered, i.e. risk-based and scaled, transfer of PSD2 requirements from the bundling PISP/AISP to the Data Benefit Providers and/or Payment Feature Providers could be ensured.
Summing up and putting it in sharp terms, one might even think that an EU-wide mandatory and standardised exchange between CAs on business model assessment under PSD2 is not enough to protect and boost this PSD2 B2B case, as it should be of high importance to promote its market potential instead of impeding it. That is why figo highly recommends that in this case the EBA should take a clear position and include a binding statement in the guidelines under consultation that B2B business models with unregulated B2B partners (Data Benefit Providers and Payment Feature Providers) are intended and accepted under certain conditions, such as the PSU agreements and “Know Your B2B-Partner” processes.
Yes. We assume that these rather abstract proportionality measures are the best possible solution.
Chapter 4.1/Guideline 4/a)
This guideline requires the applicant to file an analysis of its competitive position. We kindly encourage the EBA to provide a statement with regard to the rationale and purpose of this requirement. From our point of view it is hardly comprehensible in what way a competitor analysis provides CAs with any added value for deciding on a licence application. The rationale and purpose of sharing these insights with supervisory authorities should be clear for TPPs.
Chapter 4.1/Guideline 5/g)
We refer to the obligation to provide “a list of all natural or legal persons that have close links with the applicant, indicating their identity and the nature of those links” and request a statement by the EBA with regard to the rationale and purpose of this requirement. This will be significantly helpful to demarcate the intended group of natural and legal persons.
Chapter 4.1/Guidelines 9 – 11
It is noteworthy that the EBA chose not to refer to any industry standards at all, neither within the guidelines in general nor in particular in Guidelines 9-11, such as ISO 27001 (as done, for example, in the draft Art. 21 Para. 6 of the EBA RTS on SCA and secure communication, EBA-CP-2016-11) or ISO 20022. First of all we wonder why this approach was chosen, or whether there was a specific reason not to mention any useful standards.
Moreover, we encourage the EBA to give binding guidance on the extent to which CAs can rely on industry standard certifications such as ISO 27001. As far as we know, CAs across Europe have quite different approaches in that regard. One CA might rely on certifications only, one might check the corresponding audit reports by the certificate issuer, and another CA might see the necessity to check information security processes in detail on its own, even if certifications and reports are available. This leads to a non-level playing field within Europe as well as to different levels of the desired efficiency of the authorisation procedure.
Chapter 4.1/Guideline 14
This guideline refers to providing documentation regarding internal control mechanisms to comply with obligations in relation to money laundering and terrorist financing (AML/CFT obligations). We are aware that AML/CFT law - unfortunately - is still not regulated with a complete level-playing-field approach within the EU. That is why we also used our consultation possibilities as part of the national PSD2 transposition to make the points explained below clear to the German legislator.
However, if the EBA sees any chance to also consider the following aspects, we would highly appreciate any statement with regard to an appropriate proportionality of AML/CFT obligations and measures for PISPs and AISPs - as these business models are new for all engaged CAs, they might also welcome a helping hand with regard to the scope of applicable AML/CFT requirements. A rationale in this matter on EU level could help to further foster an AML/CFT law level playing field and further prevent regulatory arbitrage:
For obvious reasons, when considering the business models of a PISP and AISP (no management of own payment accounts; making use of existing KYC-checked payment accounts of ASPSPs), there is explicitly no sense in a scattergun approach regarding AML/CFT obligations for these new market players. This would only lead to double checks of PSUs (i.e. KYC by ASPSP and PISP for the same payment account) as well as double to triple checks of transactions, and to senseless but enormous efforts for the market as well as for the already overloaded Financial Intelligence Units of national investigation authorities. We encourage legislators and authorities to consider an alternative with real added value: it would be much more useful to take advantage of the genuine added value which would result from a demarcated and specific AML/CFT prevention programme by AISPs, that is by means of specific monitoring indicators adapted to their business model. The EBA should consider the innovative chances of AML/CFT prevention by means of the new all-round view on the PSU and what he/she is doing in the context of multibanking services, compared to the usual limited view on single account(s) by the Anti Money Laundering Officers of ASPSPs. If EU and national legislators and authorities would bear in mind this huge opportunity for AML/CFT prevention in Europe and boost AISPs as AML/CFT “overview” subject matter experts instead of unnecessarily over-regulating PISPs and AISPs with the “full catalogue” of AML/CFT obligations, the benefits could be significant for all market and authority players involved.
Chapter 4.1/Guideline 18
For this guideline the EBA has to consider that the separate consultation EBA-CP-2016-12 showed that the PII required of PISPs/AISPs could turn into a market barrier instead of the intended relief. At first sight, we welcomed the intended alternative of a PII/comparable guarantee compared to own funds requirements, as we aim at becoming a PISP and AISP. However, over the course of dealing with the requirements in detail, we are afraid that the intended relief could become quite a market barrier for TPPs. So the feedback provided by TPPs as part of the separate consultation EBA-CP-2016-12 should be taken into account before finalising Chapter 4.1 Guideline 18 of the guidelines on authorisation/registration. This applies especially to the request that the EBA should actively involve European and national insurers’ associations to discuss the consultation concerns and/or request official statements with regard to their actual intent to provide PISPs/AISPs with suitable PII policies before both guidelines under consultation are finalised. Only the insurance market itself can make a final assessment of whether and under which conditions it is actually able to offer a compliant PII. This is especially important as at least the published consultation inputs to EBA-CP-2016-12 show no real participation of the insurance industry so far.
PSU agreements and Know Your B2B-Partner-Processes
We refer to our previous recommendations to expand the obligations for PISPs/AISPs who offer B2B business as described above, i.e. to Data Benefit Providers and Payment Feature Providers. For them it should be mandatory to implement the following and to describe it accordingly to the competent CA when applying for authorisation/registration:
- User agreements with PSUs to make sure the regulated TPP is still directly connected to the PSU and the TPP’s responsibilities according to PSD2 are directly prescribed and transparent for the PSU.
- Processes to make sure that the regulated TPP checks the background/integrity/compliance/use case of its unregulated B2B partners.
As we intend to apply for a PISP licence and AISP registration, we concentrated our consultation input on the accordingly applicable Chapter 4.1 of the guidelines. As the nature of the guidelines’ structure causes a lot of overlapping requirements, our input on Question 4 might to a large extent be relevant for Chapter 4.2 as well.
As we intend to apply for a PISP licence and AISP registration, we concentrated our consultation input on the accordingly applicable Chapter 4.1 of the guidelines. As the nature of the guidelines’ structure causes a lot of overlapping requirements, our input on Question 4 might in parts be relevant for Chapter 4.3 as well.
We refer to our input on Question 1. We encourage the EBA to determine requirements with regard to a regulated cooperation, i.e. an ongoing and - as far as possible - standardised exchange process between CAs regarding the identification and application of payment services. This could also make sure that comparable decisions on the completeness of applications are derived by all engaged CAs. As an example, we further refer to our suggestions with regard to reliance on industry standard certifications for information security measures (see Question 4).
When assessing the completeness of the corresponding documentation, one CA might rely on certifications only, one might check the corresponding audit reports by the certificate issuer, and another CA might see the necessity to check information security processes in detail on its own and will only consider an application complete if the applicant provides documentation beyond certifications and reports. This leads to a non-level playing field within Europe as well as to different levels of the desired efficiency of the authorisation procedure.