Response to consultation on the Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance under PSD2
Go back
- In general, the DBA agrees with the requirement that competent authorities require undertakings to review.
- However, a recalculation annually seems to be arbitrary on the basis of general insurance renewals, and in the case of AISPs or PISPs a more frequent review is required preferable on a quarterly basis to ensure consumers are at all times protected as well as avoiding unintended additional allocation of risk capital for the banks.
- Risk factors are relevant on an overall level.
- But the tiers, indicative leveling and amounts assigned seem very arbitrary and far from insurance actuarial standards.
- The focus should instead be on a list of criteria directed at the insurance coverage (i.e. min. insurance sum, geographical scope, limitation on valid exceptions, procedural guidelines regarding handling of claims etc.), type and rating of insurance provider.
- The DBA would also recommend that either the basis for the established tiers (2,5% 5% 10% 25% and 40% ) is elaborated or that the EBA leaves it up to the insurance provider to grade the various risk according to their well tested models.
- However, we do not agree with the calculations as they seem arbitrary and far too generic without sufficient use of actuarial principles.
- However, we do not agree with the calculations as they seem arbitrary and far too generic without sufficient use of actuarial principles.
- However, we do not agree with the calculations as they seem arbitrary and far too generic without sufficient use of actuarial principles.
- Additionally, if the AISP has a breach of data which led to acts of fraud the liability could be significant. Under the General Data Protection Regulation (GDPR) Regulation EU 2016/679, the fines for a data breach will increase dramatically; a com-pany could be fined up to 4% of global annual turnover or EUR 20 million, whichever is greater. The indemnity insurance for AISPs should be able to cover this eventuality in the case of a very serious data breach.
- However, in doing so it is crucial that the expertise of risk assess-ment and the skill of underwriting complex risks remains with the insurance industry and is not erroneously imposed on the competent authorities in each of the member states.
- Safeguarding the necessary level of minimum monetary amounts under PSD2 could instead be constructed through a more general list of demands to the insurance provider, the coverage of the necessary insurance policy as well as mirroring the minimum threshold acceptable.
- We generally find that the minimum amounts do not correspond to the minimum insurance coverage available to the financial sector when it comes to PI-coverage. Acknowledging that AISPs and PISPs are not FI’s and that they might have a smaller business range setting the minimum threshold at EUR 50,000 seems far too low considering the potential fraud possibilities.
Question 1: Do you agree with the requirement that competent authorities require undertakings to review, and if necessary re-calculate, the minimum monetary amount of the PII or comparable guarantee, and that they do so at least on an annual basis, as proposed in Guideline 8?
- The Danish Bankers Association (DBA) welcomes the opportunity presented by the EBA to comment on the Consultation on the Guidelines- In general, the DBA agrees with the requirement that competent authorities require undertakings to review.
- However, a recalculation annually seems to be arbitrary on the basis of general insurance renewals, and in the case of AISPs or PISPs a more frequent review is required preferable on a quarterly basis to ensure consumers are at all times protected as well as avoiding unintended additional allocation of risk capital for the banks.
Question 2: Do you agree with the formula to be used by competent authorities when calculating the minimum monetary amount of the PII or comparable guarantee as proposed in Guideline 3? Please explain your reasoning
- We do not agree with the formula.- Risk factors are relevant on an overall level.
- But the tiers, indicative leveling and amounts assigned seem very arbitrary and far from insurance actuarial standards.
- The focus should instead be on a list of criteria directed at the insurance coverage (i.e. min. insurance sum, geographical scope, limitation on valid exceptions, procedural guidelines regarding handling of claims etc.), type and rating of insurance provider.
- The DBA would also recommend that either the basis for the established tiers (2,5% 5% 10% 25% and 40% ) is elaborated or that the EBA leaves it up to the insurance provider to grade the various risk according to their well tested models.
Question 3: Do you agree with the indicators under the risk profile criterion and how these should be calculated, as proposed in Guideline 5? Please explain your reasoning.
- Yes. We agree to the risk factors which should be looked upon and taken into account by the FSA when evaluating the entity, their activity and the corresponding insurance policy taken out.- However, we do not agree with the calculations as they seem arbitrary and far too generic without sufficient use of actuarial principles.
Question 4: Do you agree how the indicators under the type of activity criterion should be calculated, as proposed in Guideline 6? Please explain your reasoning.
- Yes. We agree to the risk factors which should be looked upon and taken into account by the FSA when evaluating the entity, their activity and the corresponding insurance policy taken out.- However, we do not agree with the calculations as they seem arbitrary and far too generic without sufficient use of actuarial principles.
Question 5: Do you agree how the indicators under the size of activity criterion should be calculated, as proposed in Guideline 7? ? Please explain your reasoning
- Yes. We agree to the risk factors which should be looked upon and taken into account by the FSA when evaluating the entity, their activity and the corresponding insurance policy taken out.- However, we do not agree with the calculations as they seem arbitrary and far too generic without sufficient use of actuarial principles.
Question 6: Do you think the EBA should consider any other criteria and/or indicators to ensure that the minimum amount is adequate to cover the potential liabilities of PISPs/AISPs in accordance with the Directive? Please explain your reasoning.
- Yes. See above.- Additionally, if the AISP has a breach of data which led to acts of fraud the liability could be significant. Under the General Data Protection Regulation (GDPR) Regulation EU 2016/679, the fines for a data breach will increase dramatically; a com-pany could be fined up to 4% of global annual turnover or EUR 20 million, whichever is greater. The indemnity insurance for AISPs should be able to cover this eventuality in the case of a very serious data breach.
Question 7: Do you have any other comments or suggestions that you think the EBA should consider in order to ensure that the minimum amount is adequate to cover the potential liabilities of PISPs/AISPs in accordance with the Directive? Please explain your reasoning.
- From a holistic viewpoint the DBA commends the EBA for acknowledging the need to ensure a level playing field through imposing a demand for financial assurance and capital adequacy by requiring a PI-insurance or comparable guarantee to be taken out by any AISP or PISP wishing to register within the EU.- However, in doing so it is crucial that the expertise of risk assess-ment and the skill of underwriting complex risks remains with the insurance industry and is not erroneously imposed on the competent authorities in each of the member states.
- Safeguarding the necessary level of minimum monetary amounts under PSD2 could instead be constructed through a more general list of demands to the insurance provider, the coverage of the necessary insurance policy as well as mirroring the minimum threshold acceptable.
- We generally find that the minimum amounts do not correspond to the minimum insurance coverage available to the financial sector when it comes to PI-coverage. Acknowledging that AISPs and PISPs are not FI’s and that they might have a smaller business range setting the minimum threshold at EUR 50,000 seems far too low considering the potential fraud possibilities.