Question ID
2024_7265
Legal act
Directive 2015/2366/EU (PSD2)
Topic
Other topics
Article
66,67
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph
32.3
Type of submitter
Credit institution
Subject matter
Proxy matrices
Question

Are credit institutions (ASPSPs) allowed to facilitate proxy matrices implemented by their (corporate) clients that allocate proxy to only certain users to invoke the services of third party payment service providers (TPPs)?

Background on the question

For (international) corporates the management of their bank accounts (initiating payments and viewing account information) poses significantly more risk compared to private individuals and SME businesses. In a corporate client environment, such management entails risks that are exponentially higher due to:

  • the high number (millions) of payment transactions and (sensitive)(personal) payment data records;
  • the high numbers of users/employees with payment initiation and/or viewing rights;
  • corporates using multiple (electronic) channels and payment instruments;
  • corporates having many bank accounts in many currencies in multiple countries, often with multiple (Pan-) European ASPSPs; and
  • the setup of their account and liquidity management may be subject to overarching cash management facilities and/or payment factories (centralisation of operations).

This results in risk being substantially higher for corporates (e.g. utility or telco companies, government/public agencies, tax authorities, media companies) compared to the context of a private individual or smaller business clients. To manage such risks corporates have comprehensive risk policies to identify, assess, and mitigate potential risks associated with payment processing. These risks include, but are not limited to, fraud, data breaches and business continuity. The factual day-to-day management of accounts is performed by users/employees appointed by the corporate or, in case of centralisation of account management, by group companies. Detailed proxy matrices are implemented by corporates with their ASPSPs to manage risk, particularly fraud and unauthorised access to sensitive company information and personal data included in transaction information. Authority/proxy to users is granted in accordance with the local (civil and corporate) law requirements of the country of incorporation of the corporate/accountholder.

Proxy matrices generally are very detailed, they cater for users to have access to one/more/all accounts and generally include limitations/conditions: joint or several (levels of) authorisation, authorisation up to certain amounts, access through one or more electronic channels/payment instruments, local/regional/global authority and use of certain payment products. A user can have access to one or more electronic channels/payment instruments with different transaction/daily limits applying to each of them. The corporate’s governance framework/policy sets the internal rules, however, the relevant controls effectuating such governance framework/policy are (also) implemented through authorisation instruments issued by the corporate’s ASPSPs. For ASPSPs it is paramount to abide by the proxy matrices to prevent the risk of unauthorised payment transactions and/or (personal) data leakage.

With the introduction of Open Banking a new ‘PSD2 channel’ has become available to corporates to manage accounts. Consequently, to manage and control the above risks, they may further diversify their proxy matrices and specify if and to what extent a user has authority to manage accounts through third party payment service providers (TPPs). As Open Banking services can be invoked by users through mobile apps, corporates implement further conditions to control which sensitive and personal data may be shared with whom, e.g. by detailing in their proxy matrices which users may have access to (certain) accounts through TPPs without necessarily duplicating the proxy matrix existing for the ASPSP’s proprietary channels.

It is a general principle of law that a corporate has sole discretion as to how it manages its assets (including bank accounts), to which users/employees it grants authority, and subject to what conditions. Paragraph 46 of the EBA’s Opinion on obstacles (EBA/OP/2020/10) acknowledges that only certain users may have authority to operate accounts. So, a user may have authority to manage one or more accounts through one or more channels subject to applicable conditions, e.g. different limits may apply for one user: a limit of 1500,- for a card, a limit of 100.000,- for electronic banking and no limit for the host-to-host channel.

Submission date
03/12/2024
Status
Question under review
Answer prepared by
Answer prepared by the EBA.
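As an added illustration that is not part of the EBA Q&A or the submitter's text, the following encodes a proxy matrix of the kind described in the background as a deny-by-default entitlement check, treating the TPP channel as its own dimension next to card, e-banking and host-to-host. The user names, account number, the sample matrix and the joint-authorisation rule are constructed for the example; only the three per-channel limits echo the figures quoted in the question.

```python
# Added example (not EBA or submitter code): deny-by-default evaluation of a
# corporate proxy matrix. All names, accounts and entitlements are constructed.
from dataclasses import dataclass
from typing import Optional

# Channels through which an account may be operated; "tpp" is the PSD2 channel.
CHANNELS = {"card", "ebanking", "host2host", "tpp"}

@dataclass(frozen=True)
class Entitlement:
    """One proxy-matrix row: what one user may do on one account via one channel."""
    user: str
    account: str
    channel: str
    limit: Optional[float]               # None means no amount limit on this channel
    view_only: bool = False              # account information only, no payment initiation
    joint_with: frozenset = frozenset()  # co-approvers required; empty means several authority

def build_matrix(rows):
    """Index entitlements by (user, account, channel); unknown channels are rejected."""
    matrix = {}
    for row in rows:
        if row.channel not in CHANNELS:
            raise ValueError(f"unknown channel {row.channel!r}")
        matrix[(row.user, row.account, row.channel)] = row
    return matrix

def authorise(matrix, user, account, channel, amount=None, approvers=()):
    """Return (allowed, reason). amount=None is a view request; anything not granted is refused."""
    ent = matrix.get((user, account, channel))
    if ent is None:
        return False, "no proxy for this user/account/channel"
    if amount is None:
        return True, "view permitted"
    if ent.view_only:
        return False, "view-only proxy, payment initiation refused"
    if ent.limit is not None and amount > ent.limit:
        return False, f"amount {amount} exceeds channel limit {ent.limit}"
    missing = ent.joint_with - frozenset(approvers)
    if missing:
        return False, f"joint authorisation missing from {sorted(missing)}"
    return True, "payment within proxy"

# Constructed matrix: 1500 on card, 100 000 on e-banking, no limit host-to-host
# (as in the question); TPP access granted separately and view-only for alice.
SAMPLE = build_matrix([
    Entitlement("alice", "NL00TEST0001", "card", 1500),
    Entitlement("alice", "NL00TEST0001", "ebanking", 100_000),
    Entitlement("alice", "NL00TEST0001", "host2host", None),
    Entitlement("alice", "NL00TEST0001", "tpp", 100_000, view_only=True),
    Entitlement("bob", "NL00TEST0001", "ebanking", 250_000, joint_with=frozenset({"alice"})),
])
```

Because bob has no TPP row at all, any TPP request in his name is refused without consulting his e-banking limit, which is the separation of channels the question asks about.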
