Response to consultation on the Guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC)
Go back
In the Netherlands there are measures and metrics, set forth in rules and regulations implemented by law and in supervisory policies, aimed at guaranteeing the availability of core payment infrastructures. We assume that the dedicated interfaces provided by ASPSPs in the Netherlands will be deemed part of these core payment infrastructures. Therefore, we assume that these EBA guidelines do not outweigh national supervisory practice and supervisory requirements as already set forth in national regulations, i.e. it should be sufficient to follow existing supervisory practice in fulfilling these EBA Guidelines. With that in mind we have interpreted and reviewed the draft guidelines.
Guideline 2
Regarding availability of services (uptime) we suggest to distinguish primetime (e.g. 06.00-01.00) from non-primetime (e.g. 01.00 – 06.00). Availability during primetime is considered much more important to the market in terms of user experience and overall business value, and therefore more critical than it is during non-primetime hours. By making this distinction an ASPSP must be able to prove that during primetime hours the calculation of uptime and downtime is similar for the dedicated interface compared to the interface of the ASPSP to its PSUs. During non-primetime hours an ASPSP should be able to explain to the National Competent Authority (NCA) why maintenance potentially has – in some cases – led to different uptime and downtime.
This approach then eliminates the need for a distinction between planned and unplanned downtime. In our opinion the definition of “planned downtime” is a difficult one, prone to measurement errors and potential loopholes. For example if an ASPSP decides that it will bring down its internet banking environment in a quarter of an hour from now, as it sees upcoming problems, can this be considered “planned” or not. Furthermore from a customer’s experience point of view it does not matter whether the downtime is planned or unplanned.
The proposed approach is in line with article 33.1 of the RTS on SCA and CSC insofar it relates to availability.
Considering performance statistics we believe that this is very time consuming and challenging to implement (response time, accuracy of information). We believe that availability statistics could suffice. Furthermore each PSP should only be held responsible for the performance and availability of components, in its own domain, i.e. excluding the availability or performance of the intermediary infrastructure – such as the internet and other interfaces – between the PSU and the PSP. We also want to refer to our general comment above.
Guideline 3
On the publishing of statistics we believe that quarterly figures and averages suffice, i.e. without a breakdown of daily figures. The RTS on SCA and CSC (article 32 sub 4) do not require the reporting of daily statistics. The impact of providing daily figures is disproportionate to the value of the added detail. Furthermore, it would hinder the view of market participants as to what is evidently important to them: is there sufficient availability during primetime? For these reasons, we would strongly recommend the EBA not to pursue this breakdown into daily figures.
We also refer to our general comment mentioned previously.
GL 6.2 b mentions the ability to exchange certificates for electronic seals AND qualified web authentication certificates. However, Article 34 of the RTS states that ‘payment service providers shall rely on qualified certificates for electronic seals as referred to in Article 3(30) of Regulation (EU) No 910/2014 OR for website authentication as referred to in Article 3(39) of that Regulation.’ We would suggest following the RTS to keep this requirement consistent, or, if the chosen wording is intentional, explain and clarify this difference.
Rationale 64 raises concerns. Mentioned is that CAs decide how and in which form information of ASPSPs is delivered to the CAs to do their exemption assessment. The Dutch Payments Association is of the opinion that this could lead to fragmentation among Member States, in particular for PSPs that are active in several Member States, which could and should be avoided by uniform CA information requirements and process.
Furthermore the Dutch Payment Association and its members would like to have confirmed that an exemption granted by the CA in the Home Member State (in our case the Dutch Central Bank)
(i) can be passported throughout Europe and
(ii) without any host Member State being able to impose further requirements.
Question 1: Do you agree with the EBA’s assessments on KPIs and the calculation of uptime and downtime and the ASPSP submission of a plan to publishing statistics, the options that EBA considered and progressed or discarded, and the requirements proposed in Guideline 2 and 3? If not, please provide detail on other KPIs or calculation methods that you consider more suitable and your reasoning for doing so.
General commentIn the Netherlands there are measures and metrics, set forth in rules and regulations implemented by law and in supervisory policies, aimed at guaranteeing the availability of core payment infrastructures. We assume that the dedicated interfaces provided by ASPSPs in the Netherlands will be deemed part of these core payment infrastructures. Therefore, we assume that these EBA guidelines do not outweigh national supervisory practice and supervisory requirements as already set forth in national regulations, i.e. it should be sufficient to follow existing supervisory practice in fulfilling these EBA Guidelines. With that in mind we have interpreted and reviewed the draft guidelines.
Guideline 2
Regarding availability of services (uptime) we suggest to distinguish primetime (e.g. 06.00-01.00) from non-primetime (e.g. 01.00 – 06.00). Availability during primetime is considered much more important to the market in terms of user experience and overall business value, and therefore more critical than it is during non-primetime hours. By making this distinction an ASPSP must be able to prove that during primetime hours the calculation of uptime and downtime is similar for the dedicated interface compared to the interface of the ASPSP to its PSUs. During non-primetime hours an ASPSP should be able to explain to the National Competent Authority (NCA) why maintenance potentially has – in some cases – led to different uptime and downtime.
This approach then eliminates the need for a distinction between planned and unplanned downtime. In our opinion the definition of “planned downtime” is a difficult one, prone to measurement errors and potential loopholes. For example if an ASPSP decides that it will bring down its internet banking environment in a quarter of an hour from now, as it sees upcoming problems, can this be considered “planned” or not. Furthermore from a customer’s experience point of view it does not matter whether the downtime is planned or unplanned.
The proposed approach is in line with article 33.1 of the RTS on SCA and CSC insofar it relates to availability.
Considering performance statistics we believe that this is very time consuming and challenging to implement (response time, accuracy of information). We believe that availability statistics could suffice. Furthermore each PSP should only be held responsible for the performance and availability of components, in its own domain, i.e. excluding the availability or performance of the intermediary infrastructure – such as the internet and other interfaces – between the PSU and the PSP. We also want to refer to our general comment above.
Guideline 3
On the publishing of statistics we believe that quarterly figures and averages suffice, i.e. without a breakdown of daily figures. The RTS on SCA and CSC (article 32 sub 4) do not require the reporting of daily statistics. The impact of providing daily figures is disproportionate to the value of the added detail. Furthermore, it would hinder the view of market participants as to what is evidently important to them: is there sufficient availability during primetime? For these reasons, we would strongly recommend the EBA not to pursue this breakdown into daily figures.
Question 2: Do you agree with the EBA’s assessments on stress testing and the options it considered and progressed or discarded, and the requirements proposed in Guideline 4? If not, please provide your reasoning.
The terms used in GL 4, like ‘Extremely high number of requests’, ‘high number of concurrent sessions’ and ‘heavy loads’ are in our opinion too subjective. We believe that this should be covered in the existing Business Continuity Management (BCM) stress testing frameworks and implementations of the ASPSPs. It is a common practice to apply stress testing, in general much more extensive than GL4 suggests, before going live and these procedures are supervised by the NCA. Rationale 29 mentions this as well. Therefore we suggest EBA to remove GL 4.2. and adapt GL 4.3 as follows: “The ASPSP should provide to the competent authority a summary of the results of their regular BCM stress testing frameworks as applied before clearing the dedicated interface for real live usage, including but not limited to any weaknesses or issues identified and confirmation that these have been addressed.”We also refer to our general comment mentioned previously.
Question 3: Do you agree with the EBA’s assessments on monitoring? If not, please provide your reasoning.
This is in our opinion in correspondence with the usual business practice of PSPs. Our interpretation is such that monitoring by the CA does not influence the requirements for granting an exemption to an ASPSP.Question 4: Do you agree with the EBA’s assessments on obstacles, the options it considered and progressed or discarded, and the requirements proposed in Guideline 5? If not, please provide your reasoning.
Yes, we agree.Question 5: Do you agree with the EBA’s assessments for design and testing, the options it considered and progressed or discarded, and the requirements proposed Guideline 6? If not, please provide your reasoning.
Rationale 58 states that the PISPs/AISPs/CBPIIs are not obliged to undertake tests for the dedicated interfaces of ASPSPs. This might be legally correct, however it might impact the PSUs experience with the PISPs/AISPs/CBPIIs and therefore the perceived customer relationship with the ASPSP. Has this been foreseen by EBA and how does EBA consider the possible negative impact for the ASPSP? We would like EBA to elaborate on this point.GL 6.2 b mentions the ability to exchange certificates for electronic seals AND qualified web authentication certificates. However, Article 34 of the RTS states that ‘payment service providers shall rely on qualified certificates for electronic seals as referred to in Article 3(30) of Regulation (EU) No 910/2014 OR for website authentication as referred to in Article 3(39) of that Regulation.’ We would suggest following the RTS to keep this requirement consistent, or, if the chosen wording is intentional, explain and clarify this difference.
Question 6: Do you agree with the EBA’s assessment for ‘widely used’, the options it considered and discarded, and the requirements proposed Guideline 7? If not, please provide your reasoning.
Yes, we agree.Question 7: Do you agree with the EBAs assessment to use the service level targets and statistical data for the assessment of resolving problems without undue delay, the options it discarded, and the requirements proposed Guideline 8? If not, please provide your reasoning.
Yes we agree to the extent that this is common supervisory practice. We see no reason to intensify supervision on this subject and we refer to our general remark mentioned previously.Question 8: Do you agree with the proposed Guideline 9 and the information submitted to the EBA in the Assessment Form in the Annex? If not, please provide your reasoning.
We support the pragmatic approach in the interest of a good customer journey and importance of the speed of implementation to a certain extent.Rationale 64 raises concerns. Mentioned is that CAs decide how and in which form information of ASPSPs is delivered to the CAs to do their exemption assessment. The Dutch Payments Association is of the opinion that this could lead to fragmentation among Member States, in particular for PSPs that are active in several Member States, which could and should be avoided by uniform CA information requirements and process.
Furthermore the Dutch Payment Association and its members would like to have confirmed that an exemption granted by the CA in the Home Member State (in our case the Dutch Central Bank)
(i) can be passported throughout Europe and
(ii) without any host Member State being able to impose further requirements.