Response to consultation on the Technical Standards on the EBA Register under PSD2
Question 1: Do you agree with the option the EBA has chosen regarding the transmission of information by NCAs to the EBA? If not, please provide your reasoning
General comments
Although the EBA’s proposal under consultation would comply with the PSD2 mandate for the elaboration of the RTS and ITS, it does not include banks in the central register (justified by the literal mandate of the PSD2 – paragraph 33 -Q4). This of course limits the register to a restricted number of potential TPPs, without including all relevant entities allowed to provide the regulated services described in Annex I of the PSD2 directive.
PSD2 requires ASPSPs to open their infrastructure to third party providers (TPPs). To ensure that only authorised TPPs (banks included) access the customer’s payment account, ASPSPs (mainly banks) should be able to check promptly the information about the TPPs from a reliable, legally-binding, real-time updated and consolidated register. PSD2 also requires TPPs, in order to identify themselves, to obtain a qualified certificate for electronic seals from a duly authorised Qualified Trust Service Provider (QTSP).
A reliable, legally-binding, real-time updated and consolidated register at EU level is required to ensure that all relevant parties can verify the appropriate information about any type of Payment Services Provider acting as TPP. Due to the mandate conferred on it in the PSD2, the EBA is in an ideal position to develop a pan-European register that contains complete information on Payment Services Providers and also offers adequate functionalities for operational purposes. Such a central register would fulfil all these needs.
If the current proposal, excluding banks and with limited functionalities, remains as it is, the register will not meet the operational needs that ASPSPs (banks) face to identify TPPs that request access to clients’ accounts.
Consequently, ASPSPs would always have to refer to other sources of information, i.e. national registers, to access the most up-to-date information. This greatly diminishes the utility and value of the EBA central register and, as a consequence, not only banks but also other types of Payment Services Providers would not use it.
Question 1: The option chosen by the EBA seems adequate, provided that the transmission of information between NCAs and the EBA register is subject to appropriate security measures and NCA Users perform strong customer authentication each time they access the register and upload information into it. The option chosen, an automated transmission of information between applications, also appears technically feasible.
However, it still raises the question of how to ensure that NCAs update the central EBA register in a timely manner. Provisions setting a clear maximum timeframe for NCAs to update the central EBA register are missing in the document. Additionally, this automated communication does not avoid mismatches of information between the databases of the EBA and the NCAs. This will create uncertainties and misunderstandings about the moment an AISP, PISP or PSP issuing card-based payment instruments can start operating, or in situations where the TPP authorization/registration is totally or partially cancelled. Trust in payment services is essential; a real-time update procedure is therefore of utmost importance when addressing fraudulent TPPs and avoiding damages to customers and ASPSPs alike.
If the system does not have a process for the instant transfer of information between the NCA registers and the EBA register, the inclusion of an additional piece of data in the register should be considered in order to minimize the impact of delays in information propagation and the potential negative consequences for payment users. The register should include the date of entry into force of authorization/registration for AISP, PISP and PSP issuing card-based payment instruments. This additional data would allow NCAs to notify scheduled modifications within the standard automated communication procedure.
Furthermore, the EBA and NCAs should establish and follow a communication procedure like the one established in Article 6 of Directive 98/26/EC on settlement finality in payment and securities settlement systems, i.e. the decision regarding changes to an authorization shall be notified to European and National Competent Authorities and forwarded without delay to any interested party, especially to Account Servicing Payment Service Providers. This is of utmost importance in situations where a TPP authorization is partially or completely cancelled.
Besides, clarifications are needed to understand how the re-load of the information will impact the availability of the register.
Question 2: Do you agree with the proposed criteria and functionalities related to the search of information in the EBA Register? If not, please provide your reasoning.
From an operational and functional point of view, the proposal falls very short of what PSPs would require from a central, Pan-European register.
According to the PSD2, account information service providers, payment initiation service providers and payment service providers issuing card-based payment instruments have to identify themselves towards the account servicing payment service provider (generally the bank). Banks have to check not only the identity of other PSPs, but also that:
• The PSP is legally registered and authorized to provide the type of payment services for which it is accessing the bank, and
• The authorization to provide payment services has not been suspended or revoked.
Regarding the identification of PSPs, Art. 29 of the proposed EBA Draft RTS on strong customer authentication and secure communication mandates the use of qualified certificates for electronic seals or for website authentication compliant with the eIDAS Regulation. These types of certificates will include two additional specific attributes for PSD2 purposes. The EBA should encourage the standardization of these certificates with additional attributes as soon as possible, to ensure that Payment Services Providers can implement the Directive in time.
In order to comply with the requirements established in the RTS on SCA and CSC, an ASPSP has to check with the Qualified Trust Service Provider (QTSP) that the certificate that the TPP holds is valid and also that the TPP is (still) authorized to perform the service it is requesting.
When a PSP is accessing a bank’s API to request access to provide a payment service, the key point is that those checks mentioned above (identity, authorization/register and validity of authorization/register) have to be performed online. According to PSD2, banks cannot allow any PSP to access client’s account data unless those checks have been carried out and the results are positive.
The EBA proposal will set up a central register that may be useful for informational purposes, but it will not meet the operational requirements of PSPs. For this reason, the banking sector strongly suggests that the EBA reconsider its approach, which would undoubtedly comply with the PSD2 mandate but would not answer the actual needs of PSPs for the development of payment services, and evaluate the possibility of setting up a pan-European central register that provides not only a web service query functionality, but also an interface with an automated, online machine-readable query functionality available 24x7x365. It should include not only information on “non-bank” PSPs, but also data on credit institutions that provide AIS or PIS services. Although PSD2 does not mandate such a central, automated register, the EBA would be missing the chance to deliver a key element for the development of payment services in a secure manner, which is the ultimate goal of the directive.
Without such a central, automated register, PSPs will be obliged to refer to other sources of information and ultimately to the national register of the PSP that is requesting access in order to perform the necessary checks. This implies having to connect potentially with 28 different national registers. This solution poses serious risks to the implementation of the PSD2 and higher costs for the whole market due to:
• The national registers of PSPs actually contain different pieces of data in different formats and languages. Fragmentation will oblige all PSPs to carry out technological projects to adapt to each register and gain expertise on how each of them works.
• Access to each national register would be done according to national requirements, which may mandate its own authentication method. In that case PSPs may have to obtain identification credentials that may not be accepted in other Member States.
• While some national registers may provide an automated, online query functionality, others do not.
• There is no higher authority over all national registers empowered to design, plan and implement in a coordinated fashion the adaptation of the registers to PSD2 operational requirements. There is no guarantee that all national registers will provide an automated, online query functionality by the time the EBA RTS on strong customer authentication become applicable.
By contrast, a pan-European central register of PSPs would foster harmonization of the pieces of data on the authorization/register of PSPs and of their branches and/or agents in other Host Member States. It should provide an automated and online machine readable query functionality, that would enable all types of PSPs to check securely in real time the information and status of other PSPs. The central register would be subject to a design and implementation project coordinated at European level, with certainty on the final implementation date. In this manner, the central register would be a valuable service and would ease the compliance with RTS on SCA and CSC, because all the information to be checked would be accessible through a query to only two interfaces - the one provided by the EBA Register and the one offered by the Qualified Trust Service Provider.
A possible way to achieve this type of central register would be for the EBA to consider a partnership with the banking industry; some initiatives are already being envisaged. This joint initiative could potentially address EBA concerns around the cost of building up automated and digital functionalities for the EBA register.
If the EBA proposal under consultation is retained:
• Public users should, at least, be entitled to rely on a machine engine for the search and for performing the data download automatically (e.g. one URL to download & export). This would allow ASPSPs to build a mirror database of the register. In this way ASPSPs could check the requests of the PSPs against their mirror database.
• Once the information is validated, the register should publish on its webpage notices of the amendments made, so that public users are informed of any changes in a timely manner.
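The checks described in this answer (certificate validity at the QTSP, authorisation for the requested service, and its current status), evaluated fail-closed against a mirror copy of the register, as an added illustration that is not part of the original response. All field names, the one-hour staleness limit, the sample records, and the reading of the two PSD2 certificate attributes as authorisation number and roles are assumptions.

```python
"""ASPSP-side admission check for a TPP request (added illustration)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class SealCertificate:
    """What the ASPSP reads from the TPP's qualified certificate (hypothetical names)."""
    authorisation_number: str   # assumed PSD2 attribute: number issued by the NCA
    roles: FrozenSet[str]       # assumed PSD2 attribute: services the TPP may request
    qtsp_status_good: bool      # outcome of the validity check made with the QTSP


@dataclass(frozen=True)
class ServiceEntry:
    """Register data for one service of one PSP."""
    effective_from: datetime                   # date of entry into force
    withdrawn_from: Optional[datetime] = None  # set on partial or total cancellation


@dataclass
class RegisterMirror:
    """Local copy of the register, built from the automated download."""
    synced_at: datetime
    entries: Dict[str, Dict[str, ServiceEntry]] = field(default_factory=dict)


def admit(cert: SealCertificate, mirror: RegisterMirror, service: str,
          now: datetime, max_mirror_age: timedelta = timedelta(hours=1)
          ) -> Tuple[bool, str]:
    """Return (allowed, reason). Every failed or unanswerable check denies access."""
    if not cert.qtsp_status_good:
        return False, "certificate_not_valid"
    if service not in cert.roles:
        return False, "role_not_in_certificate"
    # A mirror that has not been refreshed recently cannot prove that the
    # authorisation is still in place, so the request is refused.
    if now - mirror.synced_at > max_mirror_age:
        return False, "register_mirror_stale"
    psp = mirror.entries.get(cert.authorisation_number)
    if psp is None:
        return False, "psp_not_in_register"
    entry = psp.get(service)
    if entry is None:
        return False, "service_not_authorised"
    if now < entry.effective_from:
        return False, "authorisation_not_yet_in_force"
    if entry.withdrawn_from is not None and now >= entry.withdrawn_from:
        return False, "authorisation_withdrawn"
    return True, "ok"


# --- Constructed sample data (not taken from any real register) ---
UTC = timezone.utc
NOW = datetime(2030, 3, 1, 12, 0, tzinfo=UTC)

MIRROR = RegisterMirror(
    synced_at=NOW - timedelta(minutes=10),
    entries={
        # AIS in force; PIS withdrawn on 20 February (partial cancellation).
        "PSP-EXAMPLE-001": {
            "AIS": ServiceEntry(datetime(2030, 1, 15, tzinfo=UTC)),
            "PIS": ServiceEntry(datetime(2030, 1, 15, tzinfo=UTC),
                                withdrawn_from=datetime(2030, 2, 20, tzinfo=UTC)),
        },
        # PIS granted, but entering into force only on 1 April.
        "PSP-EXAMPLE-002": {
            "PIS": ServiceEntry(datetime(2030, 4, 1, tzinfo=UTC)),
        },
    },
)
STALE_MIRROR = RegisterMirror(synced_at=NOW - timedelta(days=2),
                              entries=MIRROR.entries)

CERT_A = SealCertificate("PSP-EXAMPLE-001", frozenset({"AIS", "PIS"}), True)
CERT_B = SealCertificate("PSP-EXAMPLE-002", frozenset({"PIS"}), True)
CERT_REVOKED = SealCertificate("PSP-EXAMPLE-001", frozenset({"AIS"}), False)
CERT_UNKNOWN = SealCertificate("PSP-EXAMPLE-999", frozenset({"AIS"}), True)

if __name__ == "__main__":
    cases = [
        (CERT_A, MIRROR, "AIS"),        # valid certificate, service in force
        (CERT_A, MIRROR, "PIS"),        # certificate still lists PIS, register does not
        (CERT_B, MIRROR, "PIS"),        # authorisation scheduled but not yet in force
        (CERT_A, STALE_MIRROR, "AIS"),  # mirror too old to trust
        (CERT_REVOKED, MIRROR, "AIS"),  # QTSP reports the certificate as not valid
        (CERT_UNKNOWN, MIRROR, "AIS"),  # PSP absent from the register
    ]
    for cert, mirror, service in cases:
        print(cert.authorisation_number, service, admit(cert, mirror, service, NOW))
```

The second case is the one a certificate check alone cannot catch: the certificate still carries the PIS role, and only the register's withdrawal date shows that the authorisation for that service has been cancelled.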
Question 3: Do you agree with the proposed non-functional requirements related to the operation of the EBA Register? If not, please provide your reasoning.
Yes.
Question 4: Do you agree with the way how the EBA proposes to fulfil the mandate in terms of the natural and legal persons that will need to be included in the future EBA Register? If not, please provide your reasoning.
Although with this proposal EBA would seem to fulfil its mandate, the EBA central register would only be of value if it contained all the relevant information on authorized and registered PSPs in the EU allowed to provide payment services under the PSD2.
Not including data of all PSPs in the EBA Register makes it difficult to meet the objective of “ensuring high level of consumer protection in the European Union by providing for easy public access to the list of all natural and legal persons providing payment services”, as well as the authentication of credit institutions acting as AISPs or PISPs. To check whether a company offering account information (AIS) or payment initiation services (PIS) is authorized to do so, not only ASPSPs but also payment users and PSPs will have to be aware of the existence of a wide range of data sources and know which one is applicable to the specific provider.
Customers would be better protected and communication among PSP would be more secure if all PSPs legally entitled to offer Account Information and Payment Initiation Services were listed in the EBA Central Register. This would guarantee that information on ASPSPs is available to the public in the same way as to any PISPs, AISPs and PSPs issuing card-based payment instruments.
The banking sector would like to access only one central point containing all the relevant information. Otherwise, the proposed solution will force ASPSPs to consult national registers and to design and implement an automated system to do so. But there they could also check information on non-bank PSPs and, as a result, they would not need to access the central EBA register.
Moreover, the EBA can create this central register without imposing new obligations on NCAs. For example, it could simply leverage the information included in the EBA register of credit institutions created in accordance with the EBA Board decision EBA BoS 2013 432.
Question 5: Do you agree with the option the EBA has chosen regarding the detail of information for the natural and legal persons that will be contained in the future EBA Register? If not, please provide your reasoning.
As previously said, the EBA register should permit the identification of any PSP offering AIS or PIS or issuing card-based payment instruments. In this sense, providing more detailed information could smooth the functioning of the new services regulated by PSD2.
National identifiers of PSPs should be harmonized as much as possible.
Concerning the search results (Art. 19 of the proposed draft RTS), the national identifier of the natural or legal person might not be enough for identification purposes, considering that they can use various commercial names different from the legal name. Related to this, as defined in Art. 2 b) of the RTS, “national identifier” means a unique means of identification of natural and legal persons in the national public registers. This seems to be more a legal identifier and, if so, the “national registry code” should also be included. Both elements should be part of the search criteria and displayed as search results (Art. 19).
Question 6: Do you agree with the EBA that the contact details, dates of authorisation/registration, and the services provided in the Host Member States, should not be included in the EBA register? If not, please provide your reasoning, which should also include the benefits for payment service users and other interested parties of having this information in the EBA Register.
No, the EBA register should include all those items since there is value to payment service users and the wider payment industry in including:
● contact details - to ensure a quality service for payment service users. Contact details of each PSP in the register are essential in case of disputes (as well as in case of technical problems), because PSPs involved in a disputed payment transaction will have to contact each other to solve it and determine who is liable (Art. 92 PSD2). They are a necessary tool to comply with the directive and they should be available in national registers as well as in the central, pan-European one.
In the end, payment users will be the most affected party if the management of claims related to new PSD2 services is unnecessarily delayed.
● date of authorisation/registration - this will prevent uncertainty or misunderstandings regarding the status of a PSP.
● country where the PSP can offer the service(s) - this will allow a user to retrieve a list with the details of every PSP offering PIS, AIS and/or issuing card-based payment instruments in just one interaction.
● the national identifier of the PSP in the Host Member State where the PSP is offering or planning to offer services - this will allow a user to easily identify and cross-reference information regarding PSPs.
● the payment services for which the payment institution is authorised or for which the natural or legal person has been registered (Art. 14.2 PSD2) and the payment services that the entity/institution is providing in a Host country.
Another point that should be clarified is the registration of branches of payment institutions that are established in a different State from their headquarters and that are not a separate legal entity. Although paragraph 41 states that these branches would not be included in the register, they seem to be included in Article 3 of the draft ITS. Furthermore, they are usually registered in the host national register and have a national identifier in the respective national public register where they operate.
Finally, there remains some ambiguity in the industry about the differences between the process for authorization and registration. It should be made clear that all NCAs will be expected to perform comprehensive due diligence on the information provided as part of an application for registration, just as they would for an application for authorisation.
The EBA consultation paper would have been easier to understand if it had included examples of how different types of PSPs would be registered in the central register.