Response to consultation on Guidelines on authorisation and registration under PSD2
Go back
Should a combined entity provide separate applications for PISP and AISP business? Or is it enough that a combined entity applies to be a PISP as the requirements are higher on a PISP. If so will the applicant not need to even state that it is also an AISP?
Having two completely separate applications seems inefficient as some of the material will be the same in both applications.
One suggestion would be to only apply for the service that is the primary service, if the secondary is limited and has a smaller impact on the whole business. E.g. an AIS that also initiate payments to enable for the PSU to make transfers between bank accounts and pay invoices only applies for an AISP license. In such a case it there could be exemptions to apply for services that are only secondary and limited in importance.
A clearer guideline from the EBA on how combined services should be treated is very much needed. Without such a guideline it is most likely that the Member States will treat combined entities differently between the states. The likely result is that Member States with less cumbersome application process would be more attractive, which would go against the objective of “A level playing field” (recital 14 b.).
Although we agree with the option chosen by the EBA, we would not like to rule out option C. We believe that the combination of Option A and Option C would be the best fit. Having a list of examples, even a non-exhausted list, would be very beneficial for the applicant in the process of preparing the application. Judging from the guideline the material to be included in the application is very comprehensive. Option A gives an early indication of whether the applicant has made the right choice in its application that indication comes after the application has been submitted. The applicant will have spent a lot of time and resources building the application only to find out that it needs to be changed. Therefore, it would be beneficial for the applicant to early on get a guideline on which service it should apply for.
As the intent of the EBA is to limit incorrect applications we believe that a list of examples would further reduce the risk of incorrect applications. We also don’t see that one option excludes the other, but that option C would be a good complement to option A.
Furthermore, according to Recital 21 the EBA has chosen option C, i.e. to develop 2 different guidelines and to include PISPs in the guidelines for payment institutions. A reason for this is that “…PIS have the legal nature of payment institutions…”. We would argue that there is a fundamental difference between a payment institution and a PISP, which is that the PISP doesn’t handle funds. In order for the PISP to share the guideline with the payment institutions it is vital that it is clearly expressed in the guideline which requirements would not be put on the PISP. Although the EBA has indicated some requirements that are not applicable for PISPs we believe that it is not enough. That a PISP doesn’t handle funds should put substantially lower demands on a PISP, partly because they don’t have control over the funds like the payment institutions have. The PISP cannot be required to be held to the same standards when it comes to e.g. AML and fraud, simply because they are only initiating the payments, they do not control them. As an example, chapter 4.1 guideline 4.1 c) i. require the PISP to produce a forecast balance sheet including stress scenarios. For an entity that doesn’t handle funds this requirement has no value. As the PISP only initiates payments it will not carry anything on their balance sheet. The PISP doesn’t need to keep the same level of liquidity as a payment institution and it doesn’t need to borrow funds from others in order to manage the payment process.
When conducting a payment initiation through a PISP there always needs to be an ASPSP processing the actual payment. Therefore, we believe that the PISPs role when it comes to AML requirement is significantly less than for a payment institution. The PSU will already be a customer in the ASPSP in order for the PISP to process a payment from a payment account. As the PSU have a payment account in an ASPSP. Hence the AML requirements will, and should, already in place in the ASPSP. To place extra requirement to hold the PISP to the same level doesn’t add an additional level of security. A PISP with a limited scope, e.g. an AISP with transfer functionality, might just initiate transfers between the PSUs own, or known, accounts. In such a case it would be wrong to put heavy AML requirement on the PISP, partly because it will vastly decrease the user experience as the user e.g. has to go through the same KYC process twice, and partly because the PISP has very limited control over the PSUs payment account in the payment institution. A PISP could not freeze or block a PSUs payment account in the ASPSP. That is simply under the control of the ASPSP.
Due to the fundamental difference between PISPs and payment institutions we believe that a separate guideline is produced for the PISPs.
We believe that it should be clearly stated that applicants with a significantly limited scope should be given exceptions on specific application requirements. As an example, an AIS that also provide a transfer functionality for the PSU should not be able to provide all the information that is needed from a PISP whom is only involved in the PIS business. It would not be feasible for the AIS to give a market overview of PIS market, as the AIS is not really an actor in that competitive market.
In order for the proportionality measures to be applicable the EBA needs to give specific guidelines on how this should be handled.
First, we don’t see the reason for the marketing plan. We can’t understand how that would be relevant for the application, especially not the analysis of the payments market. By asking for the marketing plan the entities need to provide the CAs with highly confidential data about their strategies and plans going forward. That could of course be accepted, but as the value of this seems limited, or none, it strikes us as unnecessary. An analysis of the payment industry seems excessive, as hopefully the CAs already have a good understanding of the payment industry. Reasonably it should be enough that the PISP describes the nature of its business, and how it intends to provide PIS.
Guideline 4.1 c) i. states that the application should include a forecast for the balance sheet including target scenarios and stress scenarios. This requirement should be removed for PISPs that are not handling funds. The balance sheet will not be relevant unless the applicant handles funds. An PISP that are not handling funds won’t have any relevant transactions on the balance sheet, and hence that requirement lacks value.
As the PISP business is quite different from the payment institution we would welcome that PISPs are handled in a separate guideline, just like AISPs are.
Especially we believe that guideline 16 should be reduced for PISPs, in particular e) which seems more applicable to payment institutions than to PISPs.
Please also see our answers in question 2 to provide more information on this particular question.
However, it still seems that a lot of the requirements from chapter 4.2 is more related to a payment institution or a bank rather than an AISP that doesn’t handle funds. E.g. The guideline 10.1 a) states that the AISP should provide documentation on “a detailed risk assessment of the payment system”. Another example is the guideline 10.1 g) which states “the security of the payment process…”. An AISP doesn’t have a payment system as they are not handling funds or initiating payments.
Although we support the strong requirements on IT and security it is important to remember that the AISPs are not handling funds, or even initiating transactions. Therefore, it doesn’t seem reasonable that the AISP should include a description such as the examples above in its application. Guideline 10.1 g) iii. of the also states that the AISP should have in place a system and procedure for “transactional analysis and identification of suspicious and unusual transactions.” This also seems like demanding too much. We can’t see the rational for an AISP to have the obligation to report such transactions and behaviour. As the AISP are not in possession of funds, and not even initiating payments, it should not be their responsibility to track such transactions. Such responsibility should only be on the ASPSP. The AISPs are only mirroring the transactions occurring in the PSUs payment account in the ASPSP. The AISP is in no position to hinder or prevent any such behaviour. A requirement to track suspicious behaviour should exclusively be a requirement of ASPSPs that are handling funds. There is always an ASPSP involved from which the AISPs is tracking their data.
Guideline 4.1 c) requires the AISP to provide a forecast for its balance sheet. Again, as the AISP aren’t in possession of funds and doesn’t make transfer of funds its balance sheet projections are irrelevant. An AISP doesn’t, through the business of just being an AISP, have any major balance sheet transactions. Therefore, a forecast of the balance sheet doesn’t provide any necessary input for the CA. The same reasoning is valid for the stress scenarios; it should not be required of the AISP.
As stated in the previous question we see little relevance for the inclusion of a marketing plan, and we believe that this should be deleted.
Guideline 11 states requirements on identity and suitability assessment of Directors and persons responsible. Although we believe that certain parts of this section could be included it is much to comprehensive. Especially 11 d) seems not to be relevant. It is not feasible to ask the AISP to be on the same level when it comes to Directors as a payment institution. The scope of the two businesses are much too different.
Suggested changes: Guideline 4.1 a) i. should be removed. 4.1. c) I should only include income statement. Guideline 10 should be changed. 10 g) iii. should be removed completely. The other parts in the guideline that refers to payment systems needs to be rewritten to suit the AISP, or else they should be removed. 10.1 b) is a good requirement and should be kept, but a), g) iii. and h) should be deleted. Also, guideline 11.1 d) should be deleted or at least reduced.
Question 1: Do you consider the objectives of the Guidelines as identified by the EBA to be plausible and complete? If not, please provide your reasoning.
The consultation paper only gives examples of how an entity should act if it is exclusively an AISP or exclusively an PISP, but there is no example of how an entity that is a combined AISP and PISP should act in terms of applications. We believe that it is clear how stand-alone AISPs and PISPs should apply and what the frame work is for their applications. What we are missing is what frame work applies to a combined AISP and PISP. The headline of chapter 4.1 implies that it also includes AISPs “…services 1-8 of Annex I PSD2”, but the exemptions in 4.1 only refers to providers that only provides PIS. A provider of both AIS and PIS is not only a PISP. Would that mean that the exemptions are not related a combined provider? I.e. would a combined provider be obligated to apply as a full payment institution?Should a combined entity provide separate applications for PISP and AISP business? Or is it enough that a combined entity applies to be a PISP as the requirements are higher on a PISP. If so will the applicant not need to even state that it is also an AISP?
Having two completely separate applications seems inefficient as some of the material will be the same in both applications.
One suggestion would be to only apply for the service that is the primary service, if the secondary is limited and has a smaller impact on the whole business. E.g. an AIS that also initiate payments to enable for the PSU to make transfers between bank accounts and pay invoices only applies for an AISP license. In such a case it there could be exemptions to apply for services that are only secondary and limited in importance.
A clearer guideline from the EBA on how combined services should be treated is very much needed. Without such a guideline it is most likely that the Member States will treat combined entities differently between the states. The likely result is that Member States with less cumbersome application process would be more attractive, which would go against the objective of “A level playing field” (recital 14 b.).
Question 2: Do you agree with the options the EBA has chosen regarding the identification of payment services by the applicant; the way information is to be submitted to the competent authority; the four-part structure of the Guidelines, and the inclusion of authorisation for electronic money institutions? If not, please provide your reasoning.
Recital 16 of the consultation paper states 3 options which the EBA has considered. Following in recital 17 it is stated that the preferred option (Option A) is for the applicant to submit a description of its services including explanations of the legal categorisation to the CA. It is not clear whether this is meant as a stand-alone application, like a pre-application, or if it is more as an executive summary to the full application. If the thought of the EBA is that this description is a part of the full application, we welcome it as a good way to get an early indication. However, it is very much dependant on that the CA act quickly and pre-screen the description part of the application. We would welcome a time line to be set for such a screening.Although we agree with the option chosen by the EBA, we would not like to rule out option C. We believe that the combination of Option A and Option C would be the best fit. Having a list of examples, even a non-exhausted list, would be very beneficial for the applicant in the process of preparing the application. Judging from the guideline the material to be included in the application is very comprehensive. Option A gives an early indication of whether the applicant has made the right choice in its application that indication comes after the application has been submitted. The applicant will have spent a lot of time and resources building the application only to find out that it needs to be changed. Therefore, it would be beneficial for the applicant to early on get a guideline on which service it should apply for.
As the intent of the EBA is to limit incorrect applications we believe that a list of examples would further reduce the risk of incorrect applications. We also don’t see that one option excludes the other, but that option C would be a good complement to option A.
Furthermore, according to Recital 21 the EBA has chosen option C, i.e. to develop 2 different guidelines and to include PISPs in the guidelines for payment institutions. A reason for this is that “…PIS have the legal nature of payment institutions…”. We would argue that there is a fundamental difference between a payment institution and a PISP, which is that the PISP doesn’t handle funds. In order for the PISP to share the guideline with the payment institutions it is vital that it is clearly expressed in the guideline which requirements would not be put on the PISP. Although the EBA has indicated some requirements that are not applicable for PISPs we believe that it is not enough. That a PISP doesn’t handle funds should put substantially lower demands on a PISP, partly because they don’t have control over the funds like the payment institutions have. The PISP cannot be required to be held to the same standards when it comes to e.g. AML and fraud, simply because they are only initiating the payments, they do not control them. As an example, chapter 4.1 guideline 4.1 c) i. require the PISP to produce a forecast balance sheet including stress scenarios. For an entity that doesn’t handle funds this requirement has no value. As the PISP only initiates payments it will not carry anything on their balance sheet. The PISP doesn’t need to keep the same level of liquidity as a payment institution and it doesn’t need to borrow funds from others in order to manage the payment process.
When conducting a payment initiation through a PISP there always needs to be an ASPSP processing the actual payment. Therefore, we believe that the PISPs role when it comes to AML requirement is significantly less than for a payment institution. The PSU will already be a customer in the ASPSP in order for the PISP to process a payment from a payment account. As the PSU have a payment account in an ASPSP. Hence the AML requirements will, and should, already in place in the ASPSP. To place extra requirement to hold the PISP to the same level doesn’t add an additional level of security. A PISP with a limited scope, e.g. an AISP with transfer functionality, might just initiate transfers between the PSUs own, or known, accounts. In such a case it would be wrong to put heavy AML requirement on the PISP, partly because it will vastly decrease the user experience as the user e.g. has to go through the same KYC process twice, and partly because the PISP has very limited control over the PSUs payment account in the payment institution. A PISP could not freeze or block a PSUs payment account in the ASPSP. That is simply under the control of the ASPSP.
Due to the fundamental difference between PISPs and payment institutions we believe that a separate guideline is produced for the PISPs.
Question 3: Do you consider it helpful how the EBA has incorporated proportionality measures in the Guidelines in line with PSD2? If not, please explain your reasoning and propose alternative approaches.
It is welcome, and needed, that the EBA proposes proportionality measures. It would not be fair to have significantly smaller entities, operating at a smaller scope, to provide the same detailed application as large corporations. However, we would like to see stronger guidelines on how this should be adopted. The current guidelines give the applicants the opportunity to adjust their application, but we fear that the applicant and the CA would not have the same perspective if there are not any clear guidelines. Also, there is once again a risk that the member states implement this in different ways creating an uneven playing field.We believe that it should be clearly stated that applicants with a significantly limited scope should be given exceptions on specific application requirements. As an example, an AIS that also provide a transfer functionality for the PSU should not be able to provide all the information that is needed from a PISP whom is only involved in the PIS business. It would not be feasible for the AIS to give a market overview of PIS market, as the AIS is not really an actor in that competitive market.
In order for the proportionality measures to be applicable the EBA needs to give specific guidelines on how this should be handled.
Question 4: Do you agree with the Guidelines on information required from applicants for the authorisation as payment institutions for the provision of services 1-8 of Annex I of PSD2, as set out in chapter 4.1? If not, please provide your reasoning.
We appreciate, and support, that the EBA has given some exemptions for PISP as they are not handling any money. However, we believe that more exceptions are needed as it is not fair to put, almost, the same requirements on PISPs as on payment institutes that are handling funds.First, we don’t see the reason for the marketing plan. We can’t understand how that would be relevant for the application, especially not the analysis of the payments market. By asking for the marketing plan the entities need to provide the CAs with highly confidential data about their strategies and plans going forward. That could of course be accepted, but as the value of this seems limited, or none, it strikes us as unnecessary. An analysis of the payment industry seems excessive, as hopefully the CAs already have a good understanding of the payment industry. Reasonably it should be enough that the PISP describes the nature of its business, and how it intends to provide PIS.
Guideline 4.1 c) i. states that the application should include a forecast for the balance sheet including target scenarios and stress scenarios. This requirement should be removed for PISPs that are not handling funds. The balance sheet will not be relevant unless the applicant handles funds. An PISP that are not handling funds won’t have any relevant transactions on the balance sheet, and hence that requirement lacks value.
As the PISP business is quite different from the payment institution we would welcome that PISPs are handled in a separate guideline, just like AISPs are.
Especially we believe that guideline 16 should be reduced for PISPs, in particular e) which seems more applicable to payment institutions than to PISPs.
Please also see our answers in question 2 to provide more information on this particular question.
Question 5: Do you agree with the Guidelines on information required from applicants for registration for the provision of only service 8 of Annex I PSD2 (account information services), as set out in chapter 4.2? If not, please provide your reasoning.
We welcome a separate guideline for AISPs as they are not handling money or initiating payments. Furthermore, we also welcome and support that the EBA are placing rigid requirements on IT and security of the AIS. It is important that AISPs provide a solid and secure IT environment as they handle sensitive data.However, it still seems that a lot of the requirements from chapter 4.2 is more related to a payment institution or a bank rather than an AISP that doesn’t handle funds. E.g. The guideline 10.1 a) states that the AISP should provide documentation on “a detailed risk assessment of the payment system”. Another example is the guideline 10.1 g) which states “the security of the payment process…”. An AISP doesn’t have a payment system as they are not handling funds or initiating payments.
Although we support the strong requirements on IT and security it is important to remember that the AISPs are not handling funds, or even initiating transactions. Therefore, it doesn’t seem reasonable that the AISP should include a description such as the examples above in its application. Guideline 10.1 g) iii. of the also states that the AISP should have in place a system and procedure for “transactional analysis and identification of suspicious and unusual transactions.” This also seems like demanding too much. We can’t see the rational for an AISP to have the obligation to report such transactions and behaviour. As the AISP are not in possession of funds, and not even initiating payments, it should not be their responsibility to track such transactions. Such responsibility should only be on the ASPSP. The AISPs are only mirroring the transactions occurring in the PSUs payment account in the ASPSP. The AISP is in no position to hinder or prevent any such behaviour. A requirement to track suspicious behaviour should exclusively be a requirement of ASPSPs that are handling funds. There is always an ASPSP involved from which the AISPs is tracking their data.
Guideline 4.1 c) requires the AISP to provide a forecast for its balance sheet. Again, as the AISP aren’t in possession of funds and doesn’t make transfer of funds its balance sheet projections are irrelevant. An AISP doesn’t, through the business of just being an AISP, have any major balance sheet transactions. Therefore, a forecast of the balance sheet doesn’t provide any necessary input for the CA. The same reasoning is valid for the stress scenarios; it should not be required of the AISP.
As stated in the previous question we see little relevance for the inclusion of a marketing plan, and we believe that this should be deleted.
Guideline 11 states requirements on identity and suitability assessment of Directors and persons responsible. Although we believe that certain parts of this section could be included it is much to comprehensive. Especially 11 d) seems not to be relevant. It is not feasible to ask the AISP to be on the same level when it comes to Directors as a payment institution. The scope of the two businesses are much too different.
Suggested changes: Guideline 4.1 a) i. should be removed. 4.1. c) I should only include income statement. Guideline 10 should be changed. 10 g) iii. should be removed completely. The other parts in the guideline that refers to payment systems needs to be rewritten to suit the AISP, or else they should be removed. 10.1 b) is a good requirement and should be kept, but a), g) iii. and h) should be deleted. Also, guideline 11.1 d) should be deleted or at least reduced.