ESBG welcomes the opportunity to review and comment on these draft Guidelines.
The objectives set out by EBA under “1.2 Rationale” are both plausible and complete. ESBG should like to stress 2 objectives which in its view are extremely important:
- First, the objective to create a level playing field for applicants across Member States;
- Second, the objective of a harmonized supervision across the EU.
Both are critical enablers to achieve payment service user confidence and ultimately maintain the stability of the payment system.
a) Identification of service(s) to be provided: ESBG supports the recommended option (i.e. re-quire the applicant to submit a description of the type of payment services envisaged, including explanations as to the legal categorization of such services). In addition, NCAs should be pro-vided with a set of criteria to guide them in their assessment (as the description of services may differ significantly between applicants, and as new terminologies/methods may appear).
b) Specific information to be provided for authorization of payment institution: ESBG supports the recommended option (i.e. specifying a list of information items that applicants would be required to submit).
c) Structure of the Guidelines: ESBG supports the recommended option (i.e. to develop two dif-ferent sets of Guidelines: one for applicants to services 1-8 of Annex I of PSD2 and, in the same Guidelines, to include the specificities of those applicants that apply exclusively to PIS, and a second set of Guidelines for applicants that apply exclusively to AIS).
d) Electronic Money Institutions: ESBG would prefer option A (i.e. to make reference to the mutatis mutandis provision in the Guidelines to EMIs, instead of developing an additional and specific set of Guidelines for applicants for authorization as Electronic Money Institutions). Since the development of PSD1, ESBG stressed that EMI dispositions should be integrated with the PSD. The Commission, whilst not disagreeing with the concept, constantly argued that the revision cycles of both pieces of legislation were different, which prevented such inte-gration. There is no rationale for yet another separate treatment.
PSD2 Art. 32 provides that:
“1. Member States may exempt or allow their competent authorities to exempt, natural or legal persons providing payment services as referred to in points (1) to (6) of Annex I from the applica-tion of all or part of the procedure and conditions set out in Sections 1, 2 and 3, with the exception of Articles 14, 15, 22, 24, 25 and 26, where:
(a) the monthly average of the preceding 12 months’ total value of payment transactions executed by the person concerned, including any agent for which it assumes full responsibility, does not exceed a limit set by the Member State but that, in any event, amounts to no more than EUR 3 million. That requirement shall be assessed on the projected total amount of payment transac-tions in its business plan, unless an adjustment to that plan is required by the competent au-thorities; and
(b) none of the natural persons responsible for the management or operation of the business has been convicted of offences relating to money laundering or terrorist financing or other financial crimes.
2. Any natural or legal person registered in accordance with paragraph 1 shall be required to have its head office or place of residence in the Member State in which it actually carries out its busi-ness.
3. The persons referred to in paragraph 1 of this Article shall be treated as payment institutions, save that Article 11(9) and Articles 28, 29 and 30 shall not apply to them.
4. Member States may also provide that any natural or legal person registered in accordance with paragraph 1 of this Article may engage only in certain activities listed in Article 18.
5. The persons referred to in paragraph 1 of this Article shall notify the competent authorities of any change in their situation which is relevant to the conditions specified in that paragraph. Mem-ber States shall take the necessary steps to ensure that where the conditions set out in paragraph 1, 2 or 4 of this Article are no longer met, the persons concerned shall seek authorisation within 30 calendar days in accordance with Article 11.
6. Paragraphs 1 to 5 of this Article shall not apply in respect of Directive (EU) 2015/849 or of national anti-money- laundering law”.
In ESBG’s view, the PSD already provides for a proportionality regime in Art. 32.1(a). Consider-ing the potentially rapid business development new entrants may experience, the relatively untest-ed experience of NCAs in this area, and the need for harmonization and level playing field, ESBG would not be in favor of exemptions beyond those stipulated in PSD2.
ESBG generally agrees with the draft Guidelines “on the information to be provided for the au-thorization as payment institutions and e-money institutions and for the registration as account information service providers”, with the following comments which should lead to an amendment:
- “possession of funds” (3.1.(b)) should be clearly defined in order to prevent any misinterpreta-tion. Even where the possession of funds is not the ultimate outcome or purpose, even a tem-porary “possession” should be in scope of this requirement.
- Who is a “client” (4.1.(a)) should be clearly defined, in order to prevent any misrepresentation, i.e. the terminology covers both originators and beneficiaries, whether directly or indirectly served by a payment institution. Indeed, both payment service users (i.e. private individuals as account holders) and beneficiaries (the same, or corporates) may be clients of payment institu-tions.
- Item 10 of these draft Guidelines should apply not only for “sensitive data”, but for any data used and possibly held by the institutions in scope. Indeed, “sensitive data” remains an unde-fined quantity, which may be sensitive, or not, depending on a number of variables. Any data held (even temporarily) by the institutions in scope must be protected in line with the GDPR. In this respect the said institutions should also be required to appoint a data protection officer, whose details need to be made public.
- Should there be outsourcing arrangements, then their description should cover security and data protection dispositions in great detail.
ESBG generally agrees with the draft Guidelines “on information required for applicants for regis-tration for the provision of only service 8 of Annex 1 PSD2 (account information services”, with the following comments which should lead to an amendment:
- Where “other services” are provided by an account information services providers, a descrip-tion of any effective “Chinese walls” in place between these services and account information services should be part of the registration application, and of the NCA’s criteria to respond positively to such application.
- The remarks made above (Q4) with respect to the definition of “client” apply here too.
- The remarks made above (Q4) with respect to outsourcing arrangements apply here too.
- The remarks made above (Q4) with respect to “sensitive data” apply here too.
- If “national or international payment system” are to be understood as clearing and settlement arrangements, then is no reason why account information service providers would need to ac-cess them.
With respect to the draft Guidelines “on information required for applicants for authorization as electronic money institutions”, ESBG would like to refer to its comment under Q2(d) above. In view of the widely similar draft Guidelines to those for payment institutions, ESBG’s remark would appear to be much vindicated.