Response to consultation on the Technical Standards on the EBA Register under PSD2
Go back
· The upload of new information by a NCA into the EBA register does not affect nega-tively the availability of the EBA register and its content for accesses by ASPSP.
· Information about the authorisation of PSP contained in the EBA register is reliable and does not deviate from the information contained in the local register of the NCA.
· Information about the authorisation of PSP contained in the EBA register is up to date. In particular the withdrawal of an authorisation for a PSP by the NCA of its home Member State has to be indicated by the EBA register without any delay.
These are important requirements since PSP need qualified certificates to identify themselves at an interface provided by an ASPSP. Trust service provider issuing these qualified certifi-cates to PSP need the information of the EBA register to decide about issuance and revoca-tion of certificates. For this the EBA register will be one of the major anchor for the security of the identification of PSP at the interfaces of the ASPSP.
The EBA register can be used for the indicated operational purposes only if the content of the register is reliable, legally binding and up to date. Especially if a registration or certification will be revoked, ASPSPs and Trust service provider need reliable information. In this case a real time register is essential.
For the purposes of ASPSP and other organisations the possibility to download the full content automatically is essential. If only manual processes exists costs and time for retrieving neces-sary information from the EBA register will increase. In addition manual processes will in-crease risks due to the human error factor.
From our point of view the support of automatic and electronically executable processes to search the information of the EBA register would be the best solution. However, we under-stand EBA concerns that building up a register supporting this functionality could be expen-sive. For this reason we suggest to support, as a second best option, the automatic download of the content of the EBA register. ASPSP and other organisations could after downloading the content of the register implement their own search and evaluation processes. To support the evaluation of the content downloaded from the EBA register, we suggest the following properties to be implemented by the EBA register:
· As result of a download the content of the EBA register should be provided as an XML-formatted file. As alternative a csv (comma separated values) formatted file would be acceptable.
· A register wide unique identifier should be used to identify each PSP within the regis-ter. This identifier could consist for example of a country code followed by the registra-tion number given by the local authority of the Home Member State to the PSP as re-sult of its registration.
By following this approach a good balance between the needs of the different parties can be reached.
· The EBA register should be updated without any delay (real-time) by any update of the local registers of the NCA.
· The EBA register should be available 24 hours 7 days a week for an automatic down-load of its content.
The requirements related to the EBA register should be reviewed on a yearly basis.
We understand the limitation of the mandate of EBA concerning the EBA register as de-scribed in points 33 to 35. But again we would like to stress the fact that by these decisions the task of qualified trust service provider to verify the authorisation of an AISP, PIISP or PISP before issuing a qualified certificate (according to the RTS on SCA and CSC) is almost not practicable at acceptable costs for the certificates. By this a gap at the anchor of the se-curity of the access to account interfaces demanded by PSD2 exist which has to be closed by the time these interfaces of the ASPSP will get operational.
Passporting information need to be included in the register as well, otherwise ASPSPs and Trust service provider have to contact all national registers.
· contact details,
· dates of authorisation/registration,
· services provided in any Host Member State,
· identifier unique for the complete register·
will be included in the EBA register. This information is needed by ASPSP to resolve dispute cases efficiently and by trust service provider to issue certificates to PSP.
In addition the date of the withdrawal of an authorisation (if available) shall be included in the EBA register.
Question 1: Do you agree with the option the EBA has chosen regarding the transmission of information by NCAs to the EBA? If not, please provide your reasoning
GBIC is not concerned about the technical procedures how NCA and EBA exchange infor-mation for maintaining the EBA register, as long as the quality of the EBA register complies with the following requirements.· The upload of new information by a NCA into the EBA register does not affect nega-tively the availability of the EBA register and its content for accesses by ASPSP.
· Information about the authorisation of PSP contained in the EBA register is reliable and does not deviate from the information contained in the local register of the NCA.
· Information about the authorisation of PSP contained in the EBA register is up to date. In particular the withdrawal of an authorisation for a PSP by the NCA of its home Member State has to be indicated by the EBA register without any delay.
These are important requirements since PSP need qualified certificates to identify themselves at an interface provided by an ASPSP. Trust service provider issuing these qualified certifi-cates to PSP need the information of the EBA register to decide about issuance and revoca-tion of certificates. For this the EBA register will be one of the major anchor for the security of the identification of PSP at the interfaces of the ASPSP.
The EBA register can be used for the indicated operational purposes only if the content of the register is reliable, legally binding and up to date. Especially if a registration or certification will be revoked, ASPSPs and Trust service provider need reliable information. In this case a real time register is essential.
Question 2: Do you agree with the proposed criteria and functionalities related to the search of information in the EBA Register? If not, please provide your reasoning.
We agree with the search criteria for purposes of consumer requests.For the purposes of ASPSP and other organisations the possibility to download the full content automatically is essential. If only manual processes exists costs and time for retrieving neces-sary information from the EBA register will increase. In addition manual processes will in-crease risks due to the human error factor.
From our point of view the support of automatic and electronically executable processes to search the information of the EBA register would be the best solution. However, we under-stand EBA concerns that building up a register supporting this functionality could be expen-sive. For this reason we suggest to support, as a second best option, the automatic download of the content of the EBA register. ASPSP and other organisations could after downloading the content of the register implement their own search and evaluation processes. To support the evaluation of the content downloaded from the EBA register, we suggest the following properties to be implemented by the EBA register:
· As result of a download the content of the EBA register should be provided as an XML-formatted file. As alternative a csv (comma separated values) formatted file would be acceptable.
· A register wide unique identifier should be used to identify each PSP within the regis-ter. This identifier could consist for example of a country code followed by the registra-tion number given by the local authority of the Home Member State to the PSP as re-sult of its registration.
By following this approach a good balance between the needs of the different parties can be reached.
Question 3: Do you agree with the proposed non-functional requirements related to the operation of the EBA Register? If not, please provide your reasoning.
We agree with the non-functional requirements. In addition the following points should be add-ed:· The EBA register should be updated without any delay (real-time) by any update of the local registers of the NCA.
· The EBA register should be available 24 hours 7 days a week for an automatic down-load of its content.
The requirements related to the EBA register should be reviewed on a yearly basis.
Question 4: Do you agree with the way how the EBA proposes to fulfil the mandate in terms of the natural and legal persons that will need to be included in the future EBA Register? If not, please provide your reasoning.
We suggest to operate and maintain one single register that will incorporate also credit institu-tions (based on already existing registers), since credit institutions can also provide payment initiation services and account information services.We understand the limitation of the mandate of EBA concerning the EBA register as de-scribed in points 33 to 35. But again we would like to stress the fact that by these decisions the task of qualified trust service provider to verify the authorisation of an AISP, PIISP or PISP before issuing a qualified certificate (according to the RTS on SCA and CSC) is almost not practicable at acceptable costs for the certificates. By this a gap at the anchor of the se-curity of the access to account interfaces demanded by PSD2 exist which has to be closed by the time these interfaces of the ASPSP will get operational.
Passporting information need to be included in the register as well, otherwise ASPSPs and Trust service provider have to contact all national registers.
Question 5: Do you agree with the option the EBA has chosen regarding the detail of information for the natural and legal persons that will be contained in the future EBA Register? If not, please provide your reasoning.
No comments.Question 6: Do you agree with the EBA that the contact details, dates of authorisation/registration, and the services provided in the Host Member States, should not be included in the EBA register? If not, please provide your reasoning, which should also include the benefits for payment service users and other interested parties of having this information in the EBA Register.
We strongly recommend that the· contact details,
· dates of authorisation/registration,
· services provided in any Host Member State,
· identifier unique for the complete register·
will be included in the EBA register. This information is needed by ASPSP to resolve dispute cases efficiently and by trust service provider to issue certificates to PSP.
In addition the date of the withdrawal of an authorisation (if available) shall be included in the EBA register.