Response to consultation on the Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance under PSD2
Go back
The approach creates a significant burden and respective expenses for all participants (policyholder, supervision, insurer). This is particularly true where the minimum monetary amount for each risk shall be adjusted on an annual basis or even more frequently. We believe that such an approach is not feasible at all. From the point of view of the insurers, it would only be feasible if only a very small number of potential policyholders were affected. The effort involved in calculating such an approximation is unreasonable, particularly since it merely appears to be accurate.
• risk profile
• type of activity, and
• size of activity
are crucial, inter alia, for the assessment of the risk covered. We are not able to assess whether these indicators are accurately evaluated and applied in the formula. This is particularly true for the interdependencies and correlations of the individual criteria.
In particular, it is questionable whether merely adding the amounts reflective of the described criteria represents an appropriate approach. There are serious doubts about this issue. Moreover, the liability risk to be covered also depends on some other indicators, which have not been taken into account in the formula. (cf. Q 6 in this context).
• value of indemnity claims received
• geographical location of the undertaking
• number of contracts applying for authorisation to provide PIS
• number of initiated payment transactions by undertakings applying for authorisation to provide PIS
• number of different payment accounts accessed by undertakings applying for registration to provide AIS
play a major role in determining the risk profile. Given the lack of experience in covering potential liabilities of PISPs and AISPs, we are unable to assess how these should be calculated.
The value of indemnity claims received is of particular importance to the assessment of the risk. However, not only the claims experience of twelve months is crucial for the risk assessment, but the claims experience over as long a period as possible. Even though no claims were made in the previous twelve months, for instance, it does not mean that no claims will be made in the future either (Guideline No. 5.3.). Particularly if such information is not available over an extended period of time, not only the claims experience of one service provider, but the claims experience of all comparable service providers would be an indicator that would have to be considered.
The geographical location of the undertaking might play a role in assessing the risk. It is not comprehensible whether the value of “50,000” actually corresponds to the risk. How has the value of EUR 50,000 been determined for the regional risk? In general, it can be assumed that the risk assessment is not the same for every non-European country, which might require a more tailored approach.
• technical design of the account interface to the account servicing payment service providers
• whether authentication information issued by the account servicing payment service provider will be disclosed to the third-party service provider
• specification of relevant obligations, for instance that the customer shall only enter authentication information on a website which has been agreed upon by the undertaking issuing the authentication information in advance
• individual security level of the IT infrastructure of the respective third-party service provider
The insurance industry calls for applying the highest security standards to the authentication procedure and the technical design of the interface when outlining the regulatory technical standards (RTS) to be established. A uniform interface standard, which allows for coherent, interoperable communication between third-party service providers and banks in Europe, is essential to assess the risk profile. Should the requirements be so general as to allow for the development of different standards on the market, an assessment of the liability risk/exposures and thus of the minimum monetary amount would be made much more difficult.
• The liability risk of PIS and AIS is generally considered to be high.
• Hacker attacks, in particular, might result in major losses, the extent of which cannot be predicted yet (e.g. mass initiation of payments by account servicing payment service providers, data being stolen), which might question the insurability.
• It is problematic that it is about a new risk for which no claims experience has been available so far. This also results in the fact that the risk assessment to be carried out by each insurer prior to assuming any risk is extremely difficult.
• Moreover, it is questionable whether there will be a significant number of AISPs and PISPs which will actually take out professional indemnity insurance in the future. A specific number of risks, however, will be necessary to guarantee a sufficient spreading of risks in the portfolio of the insurer.
If, in principle, coverage provided by insurance shall actually be possible against the background of the aforementioned issues, the insurer must be allowed to stipulate adequate limits of the guaranteed cover in the insurance contract:
• The minimum monetary amount must not be too high.
• It is absolutely essential to allow for the stipulation of an annual ceiling.
• Policyholders and insurers must be allowed to agree on an adequate deductible.
• It must be possible to stipulate a limitation of the run-off cover and to allow for the application of risk-relevant exclusions.
• In indemnity insurance, no insurance cover can be provided if the policyholder intentionally and knowingly violates any obligations.
There is an urgent need to promote the possibility of providing coverage through “some other comparable guarantee against liability” within the meaning of Article 5(2) and (3) of PSD II. The provision of guarantees or the assumption of liability by financially strong undertakings might be applied for this purpose.
Question 1: Do you agree with the requirement that competent authorities require undertakings to review, and if necessary re-calculate, the minimum monetary amount of the PII or comparable guarantee, and that they do so at least on an annual basis, as proposed in Guideline 8?
It is a very unusual approach to calculate the minimum monetary amount for each policyholder by means of a formula. An abstract formula gives the impression that the minimum monetary amount of the PII or comparable guarantee can actually be calculated accurately and consistently. In practice, however, the minimum monetary amount calculated this way can deviate significantly from the actually required amount. A minimum monetary amount calculated on the basis of a formula can be an approximation at best.The approach creates a significant burden and respective expenses for all participants (policyholder, supervision, insurer). This is particularly true where the minimum monetary amount for each risk shall be adjusted on an annual basis or even more frequently. We believe that such an approach is not feasible at all. From the point of view of the insurers, it would only be feasible if only a very small number of potential policyholders were affected. The effort involved in calculating such an approximation is unreasonable, particularly since it merely appears to be accurate.
Question 2: Do you agree with the formula to be used by competent authorities when calculating the minimum monetary amount of the PII or comparable guarantee as proposed in Guideline 3? Please explain your reasoning
The criteria to be taken into account according to the formula, namely• risk profile
• type of activity, and
• size of activity
are crucial, inter alia, for the assessment of the risk covered. We are not able to assess whether these indicators are accurately evaluated and applied in the formula. This is particularly true for the interdependencies and correlations of the individual criteria.
In particular, it is questionable whether merely adding the amounts reflective of the described criteria represents an appropriate approach. There are serious doubts about this issue. Moreover, the liability risk to be covered also depends on some other indicators, which have not been taken into account in the formula. (cf. Q 6 in this context).
Question 3: Do you agree with the indicators under the risk profile criterion and how these should be calculated, as proposed in Guideline 5? Please explain your reasoning.
The following indicators• value of indemnity claims received
• geographical location of the undertaking
• number of contracts applying for authorisation to provide PIS
• number of initiated payment transactions by undertakings applying for authorisation to provide PIS
• number of different payment accounts accessed by undertakings applying for registration to provide AIS
play a major role in determining the risk profile. Given the lack of experience in covering potential liabilities of PISPs and AISPs, we are unable to assess how these should be calculated.
The value of indemnity claims received is of particular importance to the assessment of the risk. However, not only the claims experience of twelve months is crucial for the risk assessment, but the claims experience over as long a period as possible. Even though no claims were made in the previous twelve months, for instance, it does not mean that no claims will be made in the future either (Guideline No. 5.3.). Particularly if such information is not available over an extended period of time, not only the claims experience of one service provider, but the claims experience of all comparable service providers would be an indicator that would have to be considered.
The geographical location of the undertaking might play a role in assessing the risk. It is not comprehensible whether the value of “50,000” actually corresponds to the risk. How has the value of EUR 50,000 been determined for the regional risk? In general, it can be assumed that the risk assessment is not the same for every non-European country, which might require a more tailored approach.
Question 4: Do you agree how the indicators under the type of activity criterion should be calculated, as proposed in Guideline 6? Please explain your reasoning.
Whether the risk assessment for PIS should be higher than the risk assessment for AIS cannot be conclusively assessed due to a lack of experience in covering this risk. Whether the value of “50,000” for PIS and “0” for AIS is appropriate cannot be confirmed without respective risk experience.Question 5: Do you agree how the indicators under the size of activity criterion should be calculated, as proposed in Guideline 7? ? Please explain your reasoning
It cannot be evaluated whether the calculations are accurate without the respective risk experience.Question 6: Do you think the EBA should consider any other criteria and/or indicators to ensure that the minimum amount is adequate to cover the potential liabilities of PISPs/AISPs in accordance with the Directive? Please explain your reasoning.
The potential liabilities also depend on other indicators, including the following, in particular• technical design of the account interface to the account servicing payment service providers
• whether authentication information issued by the account servicing payment service provider will be disclosed to the third-party service provider
• specification of relevant obligations, for instance that the customer shall only enter authentication information on a website which has been agreed upon by the undertaking issuing the authentication information in advance
• individual security level of the IT infrastructure of the respective third-party service provider
The insurance industry calls for applying the highest security standards to the authentication procedure and the technical design of the interface when outlining the regulatory technical standards (RTS) to be established. A uniform interface standard, which allows for coherent, interoperable communication between third-party service providers and banks in Europe, is essential to assess the risk profile. Should the requirements be so general as to allow for the development of different standards on the market, an assessment of the liability risk/exposures and thus of the minimum monetary amount would be made much more difficult.
Question 7: Do you have any other comments or suggestions that you think the EBA should consider in order to ensure that the minimum amount is adequate to cover the potential liabilities of PISPs/AISPs in accordance with the Directive? Please explain your reasoning.
It is currently impossible to assess whether sufficient and affordable insurance capacity will be available for AIS and PIS on the German market in the future. This is due to various reasons, including the following, in particular:• The liability risk of PIS and AIS is generally considered to be high.
• Hacker attacks, in particular, might result in major losses, the extent of which cannot be predicted yet (e.g. mass initiation of payments by account servicing payment service providers, data being stolen), which might question the insurability.
• It is problematic that it is about a new risk for which no claims experience has been available so far. This also results in the fact that the risk assessment to be carried out by each insurer prior to assuming any risk is extremely difficult.
• Moreover, it is questionable whether there will be a significant number of AISPs and PISPs which will actually take out professional indemnity insurance in the future. A specific number of risks, however, will be necessary to guarantee a sufficient spreading of risks in the portfolio of the insurer.
If, in principle, coverage provided by insurance shall actually be possible against the background of the aforementioned issues, the insurer must be allowed to stipulate adequate limits of the guaranteed cover in the insurance contract:
• The minimum monetary amount must not be too high.
• It is absolutely essential to allow for the stipulation of an annual ceiling.
• Policyholders and insurers must be allowed to agree on an adequate deductible.
• It must be possible to stipulate a limitation of the run-off cover and to allow for the application of risk-relevant exclusions.
• In indemnity insurance, no insurance cover can be provided if the policyholder intentionally and knowingly violates any obligations.
There is an urgent need to promote the possibility of providing coverage through “some other comparable guarantee against liability” within the meaning of Article 5(2) and (3) of PSD II. The provision of guarantees or the assumption of liability by financially strong undertakings might be applied for this purpose.