Response to consultation on the Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance under PSD2
Go back
The condition to review the minimum monetary amount on an annual basis by the competent authority may not be sufficient if the undertaking is a new market entrant that may see considerable growth over a short timeframe.
The minimum monetary amount should always cover the potential liabilities of that provider, and therefore the frequency of the review should take into account the potential for growth.
Given the expected growth of PISPs and AISPs, and therefore the growth of liabilities, we suggest that the EBA specify a frequency and depth with which the competent authority reviews the service provider to ensure that the minimum amount is reflective of the service provider’s activities.
The EBA should also specify what will be reviewed.
It is not clear from the Guidelines whether there will be a registry in each EU member state or whether the register will be centralised.
With reference to paragraph 11, we suggest that the EBA applies different weighting to Corporate and Retail customers.
We have no issue with the construction of the formula per se but we do have views on the specific indicators as will be further outlined below.
We also believe there is a great need for the specification that a comparable guarantee can be based on own funds as it is unclear whether an efficient TPP-PII market will develop. The best approach would be to allow PSPs to, as an alternative to buying a PII, keep own funds which cover the potential liabilities; such own funds requirement could easily be calculated using the existing Method B of Article 9 PSD2.
It is our understanding that the proposed formula is not currently used within insurance practice. In particular it does not take into account certain factors that underwriters would normally consider or does not cover these factors to a sufficient extent. As such, when using the formula, we believe that it currently sets the insurance limit too low which may not provide the level of protection required for the customer (both consumer and corporate).
We recommend that the EBA consults directly with the insurance industry on how the formulae are best constructed to ensure they align with current industry practice.
Finally, it is not clear from the EBA’s consultation paper how the ‘Comparable Guarantee’ would work in practice. We assume that the monetary amount of the guarantee would be calculated using the same formulae as for insurance policies however guarantees can be constructed in a number of different ways and we would welcome clarity from the EBA on this.
We have several comments as per the following.
Value of indemnity claims:
We note that the full value of all indemnity claims have been used. This is unreasonable as it is exceptionally unlikely that all such claims are legitimate. More concretely, since the ASPSP “owns” the authentication procedure, the PISP is not able to initiate any transactions by itself with the exception of e.g. low-value transactions which are exempted from strong customer authentication. There is however nothing stopping ASPSPs or PSUs from directing claims towards the TPP, independently of whether the TPP is de facto at fault or not. It is unreasonable that a TPP’s cost of PII is substantially impacted by invalid claims from ASPSPs and/or PSUs. While claims could be useful indicator only valid claims should be taken into account. As such, rather than using the notional value of all indemnity claims over the last year, only the value of valid claims should be used.
Further, it is our understanding that the PII exists exactly to cover these types of claims. As such, either only this parameter should be used (e.g. the amount of valid claims grossed up with a factor of e.g. 2), or this parameter should be completely excluded from the calculation of the PII. The way the formula is currently set up, the value of the PII is “double-counted”. We would argue that a TPP holding on its balance sheet a capital “buffer” corresponding to the value of valid indemnity claims, grossed up with a factor of e.g. 2, would in itself make up a comparable guarantee to the PII.
Thirdly we do not understand why the value of claims built up over the course of a whole year should be used. Surely any issue/liability would be identified much more quickly; it is unrealistic to believe that a TPP would be able to keep initiating unauthorised transactions for a whole year. We note that Method B of the own funds calculation per Article 9 PSD2 is based on monthly volumes.
Geographical location of the undertaking:
As we understand it, the conceptual idea for this component is to ensure that liabilities in other countries (outside the EU) would not impact negatively on the TPP’s ability to fulfill its obligations under EU legislation. To us the question as to whether a TPP provides services outside the EU or not does not increase or decrease the risk profile of the undertaking’s activities in the EU and hence we cannot see why the actual size/value of the PII should be impacted. We believe this component should be deleted.
Number of contracts:
We understand the number of contracts to conceptually correspond to the number of merchants that offers the PISP’s PIS product as a payment option to their customers. Firstly we are unsure what if anything this indicator captures which is not already (better) captured by means of the next indicator (number of initiated payment transactions) as we do not see any direct relationship between the number of contracts/merchants a TPP has and its potential liabilities vis-a-vis PSUs and ASPSPs (one large merchant generating many transactions could imply higher “risk” than many small merchants generating very few transactions each). Secondly we would like to point out that this number will be, relatively speaking, very small for almost all PISPs. In the example on page 20 the PISP has one million contracts. We are not aware of any PSP having that amount of merchants and certainly not any European PISP.
Number of initiated payment transactions (PIS):
We believe that the number of initiated payment transactions is the most adequate way to measure the “risk profile” of the undertaking. However, the same parameter obviously also goes into the calculation of the size of activity criterion (number of payments multiplied with average value per payment) and as such care should be taken so as to not “double-count”.
Also, we do not understand why a number of initiated payment transactions from a whole year should be used. Surely any issue/liability would be identified much more quickly; it is unrealistic to believe that a TPP would be able to keep initiating unauthorised transactions for a whole year. We note that Method B of the own funds calculation per Article 9 PSD2 is based on monthly volumes and similarly believe that the average number of initiated payment transactions per month rather than per year should be used.
Number of accessed payment accounts (AIS):
We believe that the number of accessed payment accounts is the most adequate way to measure the “risk profile” of an AIS undertaking.
We understand that established credit institutions wishing to offer PIS and/or AIS products and services will not need to obtain additional capital or to hold specific PII insurance to cover their AIS and/or PIS activity. This would not foster a level playing field and should be applicable to all established payment institutions offering PIS or AIS products and services as well.
To our understanding, the proposal suggests that if an undertaking provides other payment services, those will be taken into account by means of own funds as outlined in Article 9 PSD2, and as such the contribution of this indicator to the PII will in these cases be 0. Further, if a PSP provides both PIS and AIS, the size of the PII will take into account separate calculations of these activities and hence the contribution of this specific criterion to the PII will in these cases be 0. However if a PSP provides only PIS and/or AIS, then this indicator should add EUR50,000 to the value of the PII.
This is a complex and counterintuitive approach and as we understand it is being used to reflect Article 5 (4) b PSD2. In our view, Article 5 (4) b PSD2 however should be interpreted differently and in a somewhat broader way; namely that it does not require a specific indicator but rather opens up the possibility for PSPs providing other services subject to own funds requirements to use such own funds as calculated per Article 9 PSD2 as a comparable guarantee to the PII. In fact, the whole idea of a PII derives from the fact that generic PIS/AIS does not see the PSP holding funds, and as such it was deemed unreasonable to impose an own funds requirement on these actors. If however a PSP in any event has an own funds requirement per Article 9, then a perfectly viable approach would be to allow it to, as an alternative (comparable guarantee) to taking out a PII include the PIS volumes in that calculation.
We believe that the insurance providers’ underwriters will be best placed to determine the levels of risks posed by the organisation’s activity. The criteria would benefit from being nuanced to reflect the risk assessment of the insurance provider.
In our view the size of activity indicator is exceptionally exaggerated.
For a PSP processing EUR4bn of PIS volume per year, the PII will have a coverage that is 47 times higher than the own funds requirement that would apply for the same volume of any other payment service. This size of activity indicator alone would drive in excess of EUR100,000,000 to the required value of the PII and the corresponding yearly premia would imply a very significant cost. The construction of the formula implies that larger well-capitalised payment institutions are penalised in terms of a discrepancy between the required value of the PII and the what the own funds requirement would be for any other payment services. We do not understand the rationale for this.
The proposed size of activity criteria should also take into account the service the undertaking intends to provide. If they are, for example, intending to move towards high value transactions or servicing corporate customers, this must be reflected in their minimum amount of indemnity insurance even if their historic data is reflective of a lower value of transactions.
In particular, we do not understand why this value should be calculated based on a full year’s volumes. Surely any issue/liability would be identified much more quickly; it is unrealistic to believe that a TPP would be able to keep initiating unauthorised transactions fora whole year. We note that Method B of the own funds calculation per Article 9 PSD2 is based on monthly volumes and do not see why the size of activity criterion should not take the same approach.
We encourage the EBA to take greater account of the value of payments expected before defining the tiers. Currently the largest proposed tier is EUR 10 million suggesting that the EBA is not expecting PIS to make large value transactions on a regular basis. However if a PIS instructs a single payment for a very large amount for example, a corporate payment worth EUR 50 million, this formula would not be sufficient unless there were restrictions on the value of single payments that a PIS can make, which we do not think is in the spirit of the Directive.
Furthermore, paragraph 71 does not appear to take into account that PIS/AIS providers may have access to multiple client accounts, thus augmenting the size and relative risk of their activities. For example, an undertaking may have 50 clients each with 10 accounts; does this mean the calculation for N should be 50 or 500?
Rather, as outlined above, some indicators should be removed and others revised. We believe the approach taken to calculate the PII coverage should to the maximum possible extent mirror the approach taken for the calculation of own funds per Article 9 PSD2.
We believe it should be made clear that the holding of own funds should be considered an adequate comparable guarantee to holding a PII, in particular since it is unclear whether a TPP-PII market will form and what the cost of such insurance will be.
Consideration should also be given to the possibility that the PISP/AISP’s insurer may decline to pay out or does not pay out straight away, which undermines the functional requirement that the PISP/AISP refunds the consumer immediately whilst investigations are ongoing.
While PI insurance should continue to be a potential solution, it should not be the only solution as there are means of achieving comparable assurance that the TPP is able to cover its liabilities as they fall due.
Large, well-capitalised or collateralised authorised payments institutions should hence be permitted to operate as PISPs and/or AISPs without additional insurance to the same extent and in the same way as seems to be envisaged for banks / credit institutions.
More specifically, payment institutions that already comply with capital requirements on own funds should be able to provide PIS and AIS servcies without an additional insurance as long as any PIS volumes are reflected when calculating the own funds in accordance with Article 9 PSD2.
In order for regulators, ASPSPs, and consumers to be confident of this PISPs and AISPs should be required to provide regulators with clear data regarding their own funds related to their AISP and PISP activities as part of their regular reporting.
It might be worth working with the insurance industry to determine the degree to which such reporting might in the future support the development of such an insurance market. Certainly the insurance industry participants were very keen to engage with regulators to develop the market to ensure information necessary to determine risks is available, and also to ensure the insurance provided appropriately addresses the question set by the regulators. Without such positive engagement from the regulators many participants were unwilling to start on a journey that looks no more likely to be successful than the attempt to generate the safeguarding insurance referenced in PSD1.
Given the size of the cost of holding a PII, credit institutions which would not have to obtain a PII to provide PIS would be put at a significant competitive cost advantage compared non-bank PSPs providing PIS, undermining the possibility for a level playing field.
Question 1: Do you agree with the requirement that competent authorities require undertakings to review, and if necessary re-calculate, the minimum monetary amount of the PII or comparable guarantee, and that they do so at least on an annual basis, as proposed in Guideline 8?
No, we do not agree.The condition to review the minimum monetary amount on an annual basis by the competent authority may not be sufficient if the undertaking is a new market entrant that may see considerable growth over a short timeframe.
The minimum monetary amount should always cover the potential liabilities of that provider, and therefore the frequency of the review should take into account the potential for growth.
Given the expected growth of PISPs and AISPs, and therefore the growth of liabilities, we suggest that the EBA specify a frequency and depth with which the competent authority reviews the service provider to ensure that the minimum amount is reflective of the service provider’s activities.
The EBA should also specify what will be reviewed.
It is not clear from the Guidelines whether there will be a registry in each EU member state or whether the register will be centralised.
With reference to paragraph 11, we suggest that the EBA applies different weighting to Corporate and Retail customers.
Question 2: Do you agree with the formula to be used by competent authorities when calculating the minimum monetary amount of the PII or comparable guarantee as proposed in Guideline 3? Please explain your reasoning
No, we do not agree.We have no issue with the construction of the formula per se but we do have views on the specific indicators as will be further outlined below.
We also believe there is a great need for the specification that a comparable guarantee can be based on own funds as it is unclear whether an efficient TPP-PII market will develop. The best approach would be to allow PSPs to, as an alternative to buying a PII, keep own funds which cover the potential liabilities; such own funds requirement could easily be calculated using the existing Method B of Article 9 PSD2.
It is our understanding that the proposed formula is not currently used within insurance practice. In particular it does not take into account certain factors that underwriters would normally consider or does not cover these factors to a sufficient extent. As such, when using the formula, we believe that it currently sets the insurance limit too low which may not provide the level of protection required for the customer (both consumer and corporate).
We recommend that the EBA consults directly with the insurance industry on how the formulae are best constructed to ensure they align with current industry practice.
Finally, it is not clear from the EBA’s consultation paper how the ‘Comparable Guarantee’ would work in practice. We assume that the monetary amount of the guarantee would be calculated using the same formulae as for insurance policies however guarantees can be constructed in a number of different ways and we would welcome clarity from the EBA on this.
Question 3: Do you agree with the indicators under the risk profile criterion and how these should be calculated, as proposed in Guideline 5? Please explain your reasoning.
No, we do not agree.We have several comments as per the following.
Value of indemnity claims:
We note that the full value of all indemnity claims have been used. This is unreasonable as it is exceptionally unlikely that all such claims are legitimate. More concretely, since the ASPSP “owns” the authentication procedure, the PISP is not able to initiate any transactions by itself with the exception of e.g. low-value transactions which are exempted from strong customer authentication. There is however nothing stopping ASPSPs or PSUs from directing claims towards the TPP, independently of whether the TPP is de facto at fault or not. It is unreasonable that a TPP’s cost of PII is substantially impacted by invalid claims from ASPSPs and/or PSUs. While claims could be useful indicator only valid claims should be taken into account. As such, rather than using the notional value of all indemnity claims over the last year, only the value of valid claims should be used.
Further, it is our understanding that the PII exists exactly to cover these types of claims. As such, either only this parameter should be used (e.g. the amount of valid claims grossed up with a factor of e.g. 2), or this parameter should be completely excluded from the calculation of the PII. The way the formula is currently set up, the value of the PII is “double-counted”. We would argue that a TPP holding on its balance sheet a capital “buffer” corresponding to the value of valid indemnity claims, grossed up with a factor of e.g. 2, would in itself make up a comparable guarantee to the PII.
Thirdly we do not understand why the value of claims built up over the course of a whole year should be used. Surely any issue/liability would be identified much more quickly; it is unrealistic to believe that a TPP would be able to keep initiating unauthorised transactions for a whole year. We note that Method B of the own funds calculation per Article 9 PSD2 is based on monthly volumes.
Geographical location of the undertaking:
As we understand it, the conceptual idea for this component is to ensure that liabilities in other countries (outside the EU) would not impact negatively on the TPP’s ability to fulfill its obligations under EU legislation. To us the question as to whether a TPP provides services outside the EU or not does not increase or decrease the risk profile of the undertaking’s activities in the EU and hence we cannot see why the actual size/value of the PII should be impacted. We believe this component should be deleted.
Number of contracts:
We understand the number of contracts to conceptually correspond to the number of merchants that offers the PISP’s PIS product as a payment option to their customers. Firstly we are unsure what if anything this indicator captures which is not already (better) captured by means of the next indicator (number of initiated payment transactions) as we do not see any direct relationship between the number of contracts/merchants a TPP has and its potential liabilities vis-a-vis PSUs and ASPSPs (one large merchant generating many transactions could imply higher “risk” than many small merchants generating very few transactions each). Secondly we would like to point out that this number will be, relatively speaking, very small for almost all PISPs. In the example on page 20 the PISP has one million contracts. We are not aware of any PSP having that amount of merchants and certainly not any European PISP.
Number of initiated payment transactions (PIS):
We believe that the number of initiated payment transactions is the most adequate way to measure the “risk profile” of the undertaking. However, the same parameter obviously also goes into the calculation of the size of activity criterion (number of payments multiplied with average value per payment) and as such care should be taken so as to not “double-count”.
Also, we do not understand why a number of initiated payment transactions from a whole year should be used. Surely any issue/liability would be identified much more quickly; it is unrealistic to believe that a TPP would be able to keep initiating unauthorised transactions for a whole year. We note that Method B of the own funds calculation per Article 9 PSD2 is based on monthly volumes and similarly believe that the average number of initiated payment transactions per month rather than per year should be used.
Number of accessed payment accounts (AIS):
We believe that the number of accessed payment accounts is the most adequate way to measure the “risk profile” of an AIS undertaking.
Question 4: Do you agree how the indicators under the type of activity criterion should be calculated, as proposed in Guideline 6? Please explain your reasoning.
No, we do not agree.We understand that established credit institutions wishing to offer PIS and/or AIS products and services will not need to obtain additional capital or to hold specific PII insurance to cover their AIS and/or PIS activity. This would not foster a level playing field and should be applicable to all established payment institutions offering PIS or AIS products and services as well.
To our understanding, the proposal suggests that if an undertaking provides other payment services, those will be taken into account by means of own funds as outlined in Article 9 PSD2, and as such the contribution of this indicator to the PII will in these cases be 0. Further, if a PSP provides both PIS and AIS, the size of the PII will take into account separate calculations of these activities and hence the contribution of this specific criterion to the PII will in these cases be 0. However if a PSP provides only PIS and/or AIS, then this indicator should add EUR50,000 to the value of the PII.
This is a complex and counterintuitive approach and as we understand it is being used to reflect Article 5 (4) b PSD2. In our view, Article 5 (4) b PSD2 however should be interpreted differently and in a somewhat broader way; namely that it does not require a specific indicator but rather opens up the possibility for PSPs providing other services subject to own funds requirements to use such own funds as calculated per Article 9 PSD2 as a comparable guarantee to the PII. In fact, the whole idea of a PII derives from the fact that generic PIS/AIS does not see the PSP holding funds, and as such it was deemed unreasonable to impose an own funds requirement on these actors. If however a PSP in any event has an own funds requirement per Article 9, then a perfectly viable approach would be to allow it to, as an alternative (comparable guarantee) to taking out a PII include the PIS volumes in that calculation.
We believe that the insurance providers’ underwriters will be best placed to determine the levels of risks posed by the organisation’s activity. The criteria would benefit from being nuanced to reflect the risk assessment of the insurance provider.
Question 5: Do you agree how the indicators under the size of activity criterion should be calculated, as proposed in Guideline 7? ? Please explain your reasoning
No, we do not agree.In our view the size of activity indicator is exceptionally exaggerated.
For a PSP processing EUR4bn of PIS volume per year, the PII will have a coverage that is 47 times higher than the own funds requirement that would apply for the same volume of any other payment service. This size of activity indicator alone would drive in excess of EUR100,000,000 to the required value of the PII and the corresponding yearly premia would imply a very significant cost. The construction of the formula implies that larger well-capitalised payment institutions are penalised in terms of a discrepancy between the required value of the PII and the what the own funds requirement would be for any other payment services. We do not understand the rationale for this.
The proposed size of activity criteria should also take into account the service the undertaking intends to provide. If they are, for example, intending to move towards high value transactions or servicing corporate customers, this must be reflected in their minimum amount of indemnity insurance even if their historic data is reflective of a lower value of transactions.
In particular, we do not understand why this value should be calculated based on a full year’s volumes. Surely any issue/liability would be identified much more quickly; it is unrealistic to believe that a TPP would be able to keep initiating unauthorised transactions fora whole year. We note that Method B of the own funds calculation per Article 9 PSD2 is based on monthly volumes and do not see why the size of activity criterion should not take the same approach.
We encourage the EBA to take greater account of the value of payments expected before defining the tiers. Currently the largest proposed tier is EUR 10 million suggesting that the EBA is not expecting PIS to make large value transactions on a regular basis. However if a PIS instructs a single payment for a very large amount for example, a corporate payment worth EUR 50 million, this formula would not be sufficient unless there were restrictions on the value of single payments that a PIS can make, which we do not think is in the spirit of the Directive.
Furthermore, paragraph 71 does not appear to take into account that PIS/AIS providers may have access to multiple client accounts, thus augmenting the size and relative risk of their activities. For example, an undertaking may have 50 clients each with 10 accounts; does this mean the calculation for N should be 50 or 500?
Question 6: Do you think the EBA should consider any other criteria and/or indicators to ensure that the minimum amount is adequate to cover the potential liabilities of PISPs/AISPs in accordance with the Directive? Please explain your reasoning.
No, we do not think the EBA should consider any other criteria and/or indicators.Rather, as outlined above, some indicators should be removed and others revised. We believe the approach taken to calculate the PII coverage should to the maximum possible extent mirror the approach taken for the calculation of own funds per Article 9 PSD2.
Question 7: Do you have any other comments or suggestions that you think the EBA should consider in order to ensure that the minimum amount is adequate to cover the potential liabilities of PISPs/AISPs in accordance with the Directive? Please explain your reasoning.
Yes, we do have other comments and suggestions.We believe it should be made clear that the holding of own funds should be considered an adequate comparable guarantee to holding a PII, in particular since it is unclear whether a TPP-PII market will form and what the cost of such insurance will be.
Consideration should also be given to the possibility that the PISP/AISP’s insurer may decline to pay out or does not pay out straight away, which undermines the functional requirement that the PISP/AISP refunds the consumer immediately whilst investigations are ongoing.
While PI insurance should continue to be a potential solution, it should not be the only solution as there are means of achieving comparable assurance that the TPP is able to cover its liabilities as they fall due.
Large, well-capitalised or collateralised authorised payments institutions should hence be permitted to operate as PISPs and/or AISPs without additional insurance to the same extent and in the same way as seems to be envisaged for banks / credit institutions.
More specifically, payment institutions that already comply with capital requirements on own funds should be able to provide PIS and AIS servcies without an additional insurance as long as any PIS volumes are reflected when calculating the own funds in accordance with Article 9 PSD2.
In order for regulators, ASPSPs, and consumers to be confident of this PISPs and AISPs should be required to provide regulators with clear data regarding their own funds related to their AISP and PISP activities as part of their regular reporting.
It might be worth working with the insurance industry to determine the degree to which such reporting might in the future support the development of such an insurance market. Certainly the insurance industry participants were very keen to engage with regulators to develop the market to ensure information necessary to determine risks is available, and also to ensure the insurance provided appropriately addresses the question set by the regulators. Without such positive engagement from the regulators many participants were unwilling to start on a journey that looks no more likely to be successful than the attempt to generate the safeguarding insurance referenced in PSD1.
Given the size of the cost of holding a PII, credit institutions which would not have to obtain a PII to provide PIS would be put at a significant competitive cost advantage compared non-bank PSPs providing PIS, undermining the possibility for a level playing field.