Response to consultation on the Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance under PSD2
Go back
– An annual review of the level of insurance is appropriate.
– It is unclear how the ‘lowest tier’ rule in section 3.2.2 (particularly paragraph 39) is to be im-plemented. As we understand it, this rule has been applied in Example 1 (‘number of con-tracts’ criterion), but not in Example 2 for the ‘value of indemnity claims received’ criterion and ‘size of activity criterion for AIS’.
– It is unclear why a flat additional amount of €50,000 is to be applied for activities outside the EU. Should this point be relevant for a risk assessment of a business, then such an approach is not differentiated enough.
– Any deductible for the third-party provider specified in insurance terms and conditions and applying internally in its relationship with the insurance company should not apply externally in its relationship with the account-servicing payment service providers.
– The relationship between a third-party provider’s insurance company and the respective competent (supervisory) authority is not addressed. It should at least be ensured that any termination of cover by the insurance company triggers immediate, direct notification of the competent authority.
Question 1: Do you agree with the requirement that competent authorities require undertakings to review, and if necessary re-calculate, the minimum monetary amount of the PII or comparable guarantee, and that they do so at least on an annual basis, as proposed in Guideline 8?
– It is unclear why potential losses arising solely in the previous 12 calendar months are taken into account. If this is a suitable criterion for measuring a third-party provider’s risk potential, then developments in previous years and in the market as a whole should additionally be considered.– An annual review of the level of insurance is appropriate.
– It is unclear how the ‘lowest tier’ rule in section 3.2.2 (particularly paragraph 39) is to be im-plemented. As we understand it, this rule has been applied in Example 1 (‘number of con-tracts’ criterion), but not in Example 2 for the ‘value of indemnity claims received’ criterion and ‘size of activity criterion for AIS’.
Question 2: Do you agree with the formula to be used by competent authorities when calculating the minimum monetary amount of the PII or comparable guarantee as proposed in Guideline 3? Please explain your reasoning
– It is unclear whether the components adopted cover the potential risk of involvement of third-party providers. While reference solely to business indicators is proposed, we would ac-tually have expected insurance cover to be geared more to criteria such as a risk assess-ment of the interface specifically used and general IT security. This is because third-party providers will, for example, lead to new payment processing routes, particularly as they re-ceive and forward account holders’ personal security credentials.– It is unclear why a flat additional amount of €50,000 is to be applied for activities outside the EU. Should this point be relevant for a risk assessment of a business, then such an approach is not differentiated enough.
Question 3: Do you agree with the indicators under the risk profile criterion and how these should be calculated, as proposed in Guideline 5? Please explain your reasoning.
See reply to question 2.Question 4: Do you agree how the indicators under the type of activity criterion should be calculated, as proposed in Guideline 6? Please explain your reasoning.
Separate treatment of activities in the form of account information services and activities in the form of payment initiation services is appropriate. See also our reply to question 2.Question 5: Do you agree how the indicators under the size of activity criterion should be calculated, as proposed in Guideline 7? ? Please explain your reasoning
See reply to question 2.Question 6: Do you think the EBA should consider any other criteria and/or indicators to ensure that the minimum amount is adequate to cover the potential liabilities of PISPs/AISPs in accordance with the Directive? Please explain your reasoning.
See reply to question 2.Question 7: Do you have any other comments or suggestions that you think the EBA should consider in order to ensure that the minimum amount is adequate to cover the potential liabilities of PISPs/AISPs in accordance with the Directive? Please explain your reasoning.
– According to Article 5(2) of PSD2, third-party providers must ‘hold a professional indemnity insurance […] to ensure that they can cover their liabilities as specified in Articles 73, 89, 90 and 92.’ For the third-party provider and the account-servicing payment service provider, the liabilities set out in the articles cited are not limited, i.e. they also cover wilfulness and negli-gence. Yet insurance terms and conditions usually contain non-liability clauses, e.g. loss of in-surance cover where the third-party provider acts wilfully or negligently. Such insurance terms and conditions would not be appropriate, however, as otherwise the right of recourse by the account-servicing payment service provider laid down in Articles 73, 89, 90 and 92 of PSD2 would be made economically worthless. Insurance terms and conditions should there-fore not contain any non-liability clause. The same goes for the option of a guarantee.– Any deductible for the third-party provider specified in insurance terms and conditions and applying internally in its relationship with the insurance company should not apply externally in its relationship with the account-servicing payment service providers.
– The relationship between a third-party provider’s insurance company and the respective competent (supervisory) authority is not addressed. It should at least be ensured that any termination of cover by the insurance company triggers immediate, direct notification of the competent authority.