Response to consultation on the Guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC)

Question 1: Do you agree with the EBA’s assessments on KPIs and the calculation of uptime and downtime and the ASPSP submission of a plan to publishing statistics, the options that EBA considered and progressed or discarded, and the requirements proposed in Guideline 2 and 3? If not, please provide detail on other KPIs or calculation methods that you consider more suitable and your reasoning for doing so.

The EBA has clarified in Guideline 2 the minimum KPIs to be provided by the ASPSP on its dedicated interface. Contrary to the KPI on availability (2.2/2.4), the EBA hasn’t published a calculation method for the performance KPI (2.3). Without specifying a method, we would recommend making clear that this indicator would not take into account the capture of the PSU’s consent (this step could take some minutes due to the validation of the consent by the PSU). On the same principle, we suggest not including the collection of the consent and the SCA in the KPI calculation.
Besides, we do not think that the provider of a dedicated interface can be responsible for the time needed by the ASPSP to extract the data from its core banking and to provide this data to the TPP. The wording “the time taken for the ASPSP to provide the PISP all information on the initiation of payment transaction” should be amended to avoid confusion between core banking response time and dedicated interface response time.
Regarding Guideline 3, we feel that different timelines will be mixed, so we are not sure that the comparison will be accurate. It may be better to use the same timeline to compare different benchmarks.

Question 2: Do you agree with the EBA’s assessments on stress testing and the options it considered and progressed or discarded, and the requirements proposed in Guideline 4? If not, please provide your reasoning.

What is the definition of “extremely high number of requests”? Indeed, the stress test will happen just one time, when the ASPSP asks for exemption from a fallback mechanism. So the providers will continuously increase their machine capacity because it is clearly a competitive advantage. The question is: will the EBA adjust this “extremely high number of requests” over time?
In 4.2, the word “Firms” is used; what is a firm? Indeed, the dedicated platforms are stress tested only to give access to TPPs as registered entities as defined in PSD2. So we would suggest using the same wording and replacing “firms” with “PISP, AISP and CBPII”.
In 4.3, we understand that stress tests will be managed by ASPSPs under their own responsibility. Does it mean that it could be a declaration on honour about weaknesses or issues identified during testing? Are neither figures nor results to be provided to the NCA?

Question 3: Do you agree with the EBA’s assessments on monitoring? If not, please provide your reasoning.

In article 31 of this draft, the EBA writes “monitoring of KPI should take into account the level of the market activity, market intelligence and user complaints”. It means that not only quantity KPIs but also quality KPIs will be taken into account. The question is: do the 28 NCAs have the same level of information to manage such qualification?

Question 4: Do you agree with the EBA’s assessments on obstacles, the options it considered and progressed or discarded, and the requirements proposed in Guideline 5? If not, please provide your reasoning.

If an ASPSP decides to use the “redirection” model, which is not itself an obstacle as stated by the EBA in §35, it will be difficult for an ASPSP to confirm that “the dedicated interface does not prevent PISPs and AISPs from relying upon the security credentials issued by the ASPSP” (Guideline 5 – 5.2 – a); in a “redirection” model the security credentials are entered and validated in the ASPSP domain (web site or mobile app).
In article 5.2.C: how can an ASPSP confirm a workflow managed between PSU and TPP? An ASPSP can only describe its own processes, so the wording of the sentence, which is not appropriate, should perhaps be reviewed.

Question 5: Do you agree with the EBA’s assessments for design and testing, the options it considered and progressed or discarded, and the requirements proposed Guideline 6? If not, please provide your reasoning.

At point 44 the EBA states that “A summary of the documentation must also be publically available on the ASPSP Web Site”. However, this point is not mentioned in Guideline 6 – 6.2. Our reading is that the ASPSP must publish publicly (accessible by everyone, even people who are not a TPP) a summary of the dedicated interface BUT not the full documentation, which can be accessible only by TPPs that are agreed or for which an agreement is pending. Can the EBA confirm this view?
Guideline 6 – 6.3 indicates that the ASPSP must share with the competent authority a summary of the results of the testing. What exactly is expected in this summary? The number of AISPs/PISPs/CBPIIs who have accessed the testing facilities?
Besides, in article 6.4 of the guideline, only a market initiative standard is mentioned: what about proprietary standards implemented by certain ASPSPs? In parallel, what about the different specifications that an ASPSP can request from its provider concerning the dedicated interface?

Question 6: Do you agree with the EBA’s assessment for ‘widely used’, the options it considered and discarded, and the requirements proposed Guideline 7? If not, please provide your reasoning.

We expect that the number of requests issued by TPPs will increase, so it may be worth providing for the possibility of updating, on a regular basis, the total number of TPPs asking to test the facility.
Another question is how an ASPSP can provide evidence that the dedicated interface is available for wide usage. Which kind of evidence can an NCA expect?

Question 7: Do you agree with the EBAs assessment to use the service level targets and statistical data for the assessment of resolving problems without undue delay, the options it discarded, and the requirements proposed Guideline 8? If not, please provide your reasoning.

In article 8.1.A, the draft mentions “information on the systems”: which systems are we discussing? Indeed, if the core banking is KO, the ASPSP can certainly neither transmit the data to the AIS nor execute a payment initiation. So there is a risk that ASPSPs face an excessive volume of incident reporting if the word “systems”, in the plural, is not detailed.

Question 8: Do you agree with the proposed Guideline 9 and the information submitted to the EBA in the Assessment Form in the Annex? If not, please provide your reasoning.

To avoid free interpretation by the 28 NCAs, would it be possible to list the rationale for refusal to grant an exemption? Indeed, the guidelines list several criteria (PKI, wide use, …): perhaps at least the major criteria could be listed.

Question 9: Do you have any particular concerns regarding the envisaged timelines for ASPSPs to meet the requirements set out in these Guidelines prior to the September 2019 deadline, including providing the technical specifications and testing facilities in advance of the March 2019 deadline?

In Guideline 6 the EBA defines that one of the main goals of the testing facilities consists in testing the connectivity between AISP/PISP/CBPII and the ASPSP, especially the usage of QWAC (Qualified Web Access Certificate) and/or QSEAL (Qualified Seal) issued by a QTSP.
As described in the ETSI specification, there will be a link between the National Competent Authority and the QTSP in the revocation process as well as the registration of certificates. These processes are still under definition and must be clarified as soon as possible to meet the deadline.

Question 10: Do you agree with the level of detail set out in the draft Guidelines as proposed in this Consultation Paper or would you have expected either more or less detailed requirements on a particular aspect? Please provide your reasoning.

It is essential that the EBA stabilizes this guideline as soon as possible with a final version because some ASPSPs are deploying their dedicated interface: these new regulatory requirements about KPI, statistical reporting, capacity of testing, …, could have a financial impact to be calculated with their providers.
At least, each NCA must guarantee a strong respect of confidentiality regarding information transmitted by ASPSPs because some of them are under NDA.
To conclude, a key point that we would like to underline: the comparison to be done to qualify the exemption for a fallback mechanism must remain the current solution based on web scraping through the online interface used by the current TPPs. The role of the NCA is not to force ASPSPs to increase their interface capability with PKI uniformed between ASPSPs. Just to be sure that the future dedicated interface could be a regulatory standard to the current online interface.

Name of organisation

WORLDLINE