One of the aims of PSD2 is to enhance cooperation between competent authorities in home and host Member States when payment institutions would like to provide payment services outside their home Member States. We understand the goal of the proposed cooperation framework is to ensure consistent and efficient supervision of payment institutions operating across borders by specifying the procedures for cooperation and exchange of information between competent authorities. We fully support the Commission’s aims and goals in these regards, and fully support the Commission’s endeavours to support the safe and secure provision of these services across Member States.
In this respect, SWIFT takes the opportunity provided by this consultation to suggest that in order to ensure the seamless cross-border application of the regulation additional information should be exchanged between home and host Member States. More specifically we believe that where competent authorities determine that a payment service provider’s “corporate” processes or protocols guarantee levels of security that are at least equivalent to those required under PSD2, their determinations should be passed on to competent authorities in the payment service provider’s host Member States.
We have elaborated on this point in further detail below.
Article 11 of Annex 6 of the draft RTS deals with cooperation between competent authorities in home and host Member States in the supervision of payment institutions operating on a cross-border basis. Article 29 (6) of PSD2 meanwhile provides for the communication of additional information to host country competent authorities regarding their monitoring for compliance with the provisions of national law transposing, among others, Title IV of the PSD2. Article 97 of Title IV, PSD2 prescribes the requirement for strong customer authentication. We understand therefore that the conformity with the requirement set out in PSD2 also falls in the scope of the information to be provided to host Member States’ competent authorities.
According to the final text of Article 17 of the RTS it is permissible for Payment Service Providers (PSPs) not to apply strong customer authentication if the dedicated payment processes or protocols are only made available to payers who are not consumers, if and when competent authorities are satisfied that this will guarantee levels of security that are at least equivalent to those required under PSD2.
In other words, in Article 17, the Commission clearly drafted an exemption to the application of the requirement for strong customer authentication subject of course to the decision of Member States’ competent authorities. Article 17 does not, however, define how national competent authorities will make their determinations on this clear to PSPs. This should be clarified.
Furthermore we believe that for the sake of transparency, interoperability and in accordance with requirements set out in by Article 29 (6) PSD2, the exemption of the requirement for strong customer authentication should be communicated by home Member States authorities to the competent authorities in the host Member States in which PSPs use or wish to use such protocols or processes.
We acknowledge that the actual authorisation is the sole right of the competent authority in each Member State, including any host Member State in which a PSP wishes to provide services. Nevertheless, in the interests of efficiency and fairness, we believe it vital that home Member States’ decisions be shared with competent authorities in host Member States.
Introducing a requirement to share any such decision would improve communication between competent authorities and would be in line with all the requirements prescribed under PSD2 and the Commission Delegated Acts. Moreover, it will facilitate the provision of cross-border services by ensuring the provision of complete information.