In Guideline 2, the EBA has clarified the minimum KPIs to be provided by the ASPSP on its dedicated interface. Unlike the availability KPI (2.2/2.4), the EBA has not published a calculation method for the performance KPI (2.3). Without specifying a method, we would recommend making clear that this indicator does not take into account the capture of the PSU’s consent (this step could take some minutes because the consent has to be validated by the PSU). On the same principle, we suggest not including the collection of the consent and the SCA in the KPI calculation.
Besides, we do not think that the provider of a dedicated interface can be responsible for the time needed by the ASPSP to extract the data from its core banking and to provide this data to the TPP. The wording “the time taken for the ASPSP to provide the PISP all information on the initiation of payment transaction” should be amended to avoid confusion between core banking response time and dedicated interface response time.
Regarding Guideline 3, we feel that different timelines will be mixed, so we are not sure that the comparison will be accurate. Perhaps the same timeline should be used to compare the different benchmarks.
What is the definition of “extremely high number of requests”? Indeed, the stress test will happen only once, when the ASPSP asks for exemption from the fallback mechanism. So the providers will continuously increase their machine capacity because it is clearly a competitive advantage. The question is: will the EBA adjust this “extremely high number of requests” over time?
In 4.2, the word “Firms” is used; what is a firm? Indeed, the dedicated platforms are stress tested only to give access to TPPs as registered entities as defined in PSD2. So we would suggest using the same wording and replacing “firms” with “PISP, AISP and CBPII”.
In 4.3, we understand that stress tests will be managed by ASPSPs under their own responsibility. Does this mean that a declaration on honour about the weaknesses or issues identified during testing could suffice? Are neither figures nor results to be provided to the NCA?
In article 31 of this draft, the EBA writes “monitoring of KPI should take into account the level of the market activity, market intelligence and user complaints”. This means that not only quantitative KPIs but also qualitative KPIs will be taken into account. The question is: do the 28 NCAs have the same level of information to manage such qualification?
If an ASPSP decides to use the “redirection” model, which is not itself an obstacle as stated by the EBA in §35, it will be difficult for the ASPSP to confirm that “the dedicated interface does not prevent PISPs and AISPs from relying upon the security credentials issued by the ASPSP” (Guideline 5 – 5.2. – a); in a “redirection” model, the security credentials are entered and validated in the ASPSP domain (web site or mobile app).
In article 5.2.C: how can an ASPSP confirm a workflow managed between the PSU and the TPP? An ASPSP can only describe its own processes, so perhaps the wording of this sentence, which is not appropriate, should be reviewed.
At point 44, the EBA states that “A summary of the documentation must also be publically available on the ASPSP Web Site”. However, this point is not mentioned in Guideline 6 – 6.2. Our reading is that the ASPSP must publish publicly (accessible by everyone, even people who are not TPPs) a summary of the dedicated interface BUT not the full documentation, which can be accessible only by TPPs that are agreed or for which an agreement is pending. Can the EBA confirm this understanding?
Guideline 6 – 6.3 indicates that the ASPSP must share with the competent authority a summary of the results of the testing. What exactly is expected in this summary? The number of AISPs/PISPs/CBPIIs that have accessed the testing facilities?
Besides, in article 6.4 of the guideline, only a market initiative standard is mentioned: what about proprietary standards implemented by certain ASPSPs? In parallel, what about the different specifications that an ASPSP can request from its provider concerning the dedicated interface?
We can expect that the number of requests issued by TPPs will increase, so perhaps provision should be made for updating on a regular basis the total number of TPPs asking to test the facility.
Another question is how an ASPSP can provide evidence that the dedicated interface is available for wide usage. What kind of evidence can an NCA expect?
In article 8.1.A, the draft mentions “information on the systems”: which systems are meant? Indeed, if the core banking is down, the ASPSP can certainly neither transmit the data to the AIS nor execute a payment initiation. So there is a risk that ASPSPs will face an excessive volume of incident reporting if the word “systems”, in the plural, is not detailed.
To avoid free interpretation by the 28 NCAs, would it be possible to list the rationale for refusal to grant an exemption? Indeed, the guidelines list several criteria (PKI, wide use, …): perhaps at least the major criteria could be listed.
In Guideline 6, the EBA defines that one of the main goals of the testing facilities consists in testing the connectivity between the AISP/PISP/CBPII and the ASPSP, especially the usage of QWAC (Qualified Web Access Certificate) and/or QSEAL (Qualified Seal) issued by a QTSP.
As described in the ETSI specification, there will be a link between the National Competent Authority and the QTSP in the revocation process as well as in the registration of certificates. These processes are still under definition and must be clarified as soon as possible to meet the deadline.
It is essential that the EBA stabilizes this guideline as soon as possible with a final version, because some ASPSPs are deploying their dedicated interface: these new regulatory requirements about KPI, statistical reporting, capacity of testing, …, could have a financial impact to be calculated with their providers.
At least, each NCA must guarantee strict respect of confidentiality regarding information transmitted by ASPSPs because some of them are under NDA.
To conclude, a key point that we would like to underline: the comparison to be made to qualify for the exemption from a fallback mechanism must remain the current solution based on web scraping through the online interface used by the current TPPs. The role of the NCA is not to force ASPSPs to increase their interface capability with PKI made uniform between ASPSPs. It is just to be sure that the future dedicated interface could be a regulatory standard to the current online interface.