ESBG welcomes the opportunity to review and comment on this draft Regulatory Technical Standards and Draft Implementing Technical Standards. Before giving a specific answer to this Question 1 ESBG wants to provide some generic observations here as the response form does not allow to submit generic comments and observations.
Under PSD2, Account Servicing Payment Service Providers (ASPSPs or banks) are required to give licensed Third Party Payment Providers (TPPs) access to certain data, but before doing so ASPSPs need to be able to verify whether the TPP is dully licensed to do so, and therefore a relia-ble, legally-binding, real-time updated, consolidated and single source of truth is required. To that end, ESBG welcomes the fact that the PSD2 provides that EBA shall develop, operate and main-tain an electronic central register that contains information as notified by competent authorities, as ESBG believes this central register should be able to meet the requirements as outlined above. Having such central register will avoid that ASPSPs will have to check various registers at various competent authorities in order to assess whether a TPP has the proper licence to operate. A central register that can be considered the single source of truth put requirements on the way this central register is being kept up to date. Our responses to the various questions in this consultation docu-ment have been drafted in line with this.
In answer to EBA’s first question, it goes without saying that ESBG cannot agree with the option chosen. Having the above in mind, basic requirements for such single source of truth are:
1. That data upload to the EBA Register by the competent authorities should be automated; and
2. That the EBA Register should be updated with changes in the register of the competent authorities automatically and in real time; and
3. That the EBA Register should be machine readable with separate interface.
EBA data validation and the checking of the service providers should be automated for proper operation. It seems acceptable to compound two solutions: daily data base update and immediate manual update in certain cases like disabling a TPP, set back the TPP status to authorized, and other real-time events that have an impact on whether the ASPSP is allowed to give the TPP ac-cess to certain information or not.
Regardless of the target audience, Payment Services Users (PSUs) who want to assess whether they are dealing with a genuine TPP, or ASPSPs who want to assess whether the TPP requesting access is properly licensed to do so, it is of the essence that these users only have to consult one central register instead of having to check a plethora of registers. For PSUs, it is of the essence that the information provided is understandable for them but nevertheless all relevant information on a TPP that is available in the register should be shown in response to a query. Besides, it may be necessary to make explicit to these users the notion of passporting and it might be easier to present to these users an overview of the jurisdictions for which the license of the TPP is valid.
For ASPSPs, as per the reasoning in Question 1, the register should be machine searchable and readable so TPP statuses can be verified in real-time.
ESBG proposes to extend the search criteria with the following:
• status of the natural or legal person (authorized/registered or withdrawn)
• date of authorization/registration
• expiry date of licence
• operational area
• the type of natural or legal person for payment institutions/ exempted payment institu-tions/ account information service providers/ electronic money institutions/ exempted electronic money institution
With respect to availability, the EBA Register should be updated in real-time, should be accessible continuously and automatic responses are required at all times. To achieve this, the non-functional requirements should be defined further and these should include the necessary measures to reach 24/7 availability, for example in terms of required service level agreements, contingency plans and related. A nice to have would be a real-time alerting system to interested ASPSPs in case TPP li-censes are being withdrawn.
ESBG is of the opinion that it is of the utmost importance that the EBA Register contains all li-censed institutions and that the EBA Register remains not limited to a subset of it. A proper single source of truth, as argued above, should contain information on Credit Institutions as well as on PISPs and CISPs, although not currently mandated under Article 14(1) of the PSD2). ESBG is therefore of the opinion that EBA should design the EBA Register beyond the mandate as stipu-lated by PSD2 as per the four reasons below.
ESBG believes that this one single EBA Register should contain all licensed institutions as well as the various capacities in which these institutions could act. First, an ASPSP can also act as TPP in the capacity of PISP or AISP, even in member states where they are not passported as credit insti-tutions. This should be included in the EBA Register. Second, if the register does not contain the ASPSPs offering TPP services, these ASPSPs offering TPP services will have a disadvantage as other ASPSPs could have difficulties in verifying these particular TPPs – as such, there will be no level playing field between TPPs and ASPSPs offering TPP services, which is not acceptable. Third, ESBG believes that PSD2 requires mutual authentication between TPPs and ASPSs in terms of mutual identification and authentication, notification, information and implementation of security measures between all involved PSPs. This also argues for ASPSPs to be included in the EBA Register as well. Fourth and finally, the industry as a whole (Payment Service Providers and Payment Service Users) would benefit from having one single source of truth that contains all rele-vant information on licensed institutions.
ESBG suggests to add contact details or department details that can be contacted for the handling of investigations and other irregular issues.
In order to make the central register fit for operational purposes as described above, ESBG is of the view that additional information such as contact details, dates of authorisation/registration, and the services provided in the Host Member States should be included. Otherwise PSPs would need to access all NCA registers or use a third-party provider and hence the added value of a cen-tral register for PSPs would be limited. It is required to have a central, standardized database as in case of urgency ASPSPs need to contact the counterparty without undue delay. TPPs operating in different EU countries provide cross-border services do have to open different branches. Contact details of the branches will obviously differ from the ones of the parent, consequently these data should also be added to the Register.
ESBG agrees, but care should be taken over agents who do not provide the full range of services and reasons for their limitation/exclusion so that this is clear to the users of the register.