Response to consultation on Guidelines on authorisation and registration under PSD2


Question 1: Do you consider the objectives of the Guidelines as identified by the EBA to be plausible and complete? If not, please provide your reasoning.

We are writing to you on behalf of the German IK Interessengemeinschaft Kreditkarten (IK Interest Group Credit Cards, hereinafter referred to as “IK”).

The IK is a competition-neutral platform without legal capacity for entities active in the credit and debit card business in Germany (issuers, acquirers, network service providers, processing entities, licensors), registered in the EU Transparency Register under the aforementioned Ident-no. The IK participated in the EBA hearing in London on 12 December 2016 and has also contributed to several other EBA discussion papers and consultation papers.

The following members of the IK have contributed to this opinion as of today:

Bayern Card-Services GmbH
B+S Card Service GmbH
Commerzbank AG
ConCardis GmbH
Elavon Financial Services DAC
EVO Payments International GmbH
First Data Deutschland GmbH
InterCard AG
LogPay Financial Services GmbH
Lufthansa AirPlus GmbH
MasterCard Europe S.A.
S-Payment GmbH
TeleCash GmbH & Co. KG
transact Elektronische Zahlungssysteme GmbH
Verband der Sparda-Banken e.V.
VISA Europe
Wirecard Bank AG
equensWorldline GmbH

We hereinafter comment on the EBA’s Consultation Paper (EBA/CP/2016/18) on the Draft Guidelines on the information to be provided for the authorisation as payment institutions and e-money institutions and for the registration as account information service providers (hereinafter referred to as “EBA’s Draft” or “the Consultation Paper”). All references to enumerations that do not name a specific directive or regulation refer to EBA’s Draft / the Consultation Paper.

We furthermore refer to statements made by Ms. Diez Pérez or Mr. Haubrich on behalf of the EBA on the occasion of the public hearing in London on 12 December 2016 (“EBA hearing statements”).


1. Comments on EBA’s question no. 1

Greater transparency and clarity vs. great detail

a) In the Consultation Paper, the EBA states that one of the objectives of the Guidelines is greater transparency and clarity in respect of the information that an applicant has to submit as part of an application for authorisation.

b) The IK generally approves of this objective. However, striving for maximum transparency and clarity will lead to requirements that are set out in great detail, and this will very likely cause problems in another regard.

Small(er) payment institutions and those with a relatively “simple” and low-risk business model might have to provide a huge amount of information and documents, causing efforts that cannot be regarded as “proportionate”, whereas in other cases the supervisory authority might be prevented from requiring further details from an applicant with a highly complex business model because certain details are not explicitly mentioned in the Guidelines.

This holds particularly true if one bears in mind that, according to the EBA hearing statements, the Guidelines must cover – due to the maximum harmonisation approach of the PSD2 – all kinds of payment institutions, including very large institutions and those with very complex and risky business models.

c) What is more, Part 4.4 of EBA’s draft (Guidelines regarding the assessment of completeness of the application) sets out that where an application contains information, or relies on information held by the competent authorities, which is no longer true, accurate or complete, an update to the application should be provided to the competent authorities without delay. Each update should identify the information concerned, its location within the original application, the reason for the information no longer being true, accurate or complete, the updated information, and a confirmation that the rest of the information in the application remains true, accurate and complete (see no. 1.5 of Part 4.4 of EBA’s draft).

This is another reason why overly detailed requirements will very likely cause disproportionate efforts for market participants. This holds particularly true because the above procedure seems to apply to any kind of information, not only to “relevant changes” and/or to particularly important information.

d) Therefore, the IK is of the opinion that, with regard to certain issues as further outlined below, the use of general terms to describe requirements rather than overly detailed lists will generally better fit an approach that takes due regard of the particular business model of the relevant applicant.

Question 2: Do you agree with the options the EBA has chosen regarding the identification of payment services by the applicant; the way information is to be submitted to the competent authority; the four-part structure of the Guidelines, and the inclusion of authorisation for electronic money institutions? If not, please provide your reasoning.

NA

Question 3: Do you consider it helpful how the EBA has incorporated proportionality measures in the Guidelines in line with PSD2? If not, please explain your reasoning and propose alternative approaches.

a) Avoidance of too detailed lists of requirements

As already stated above (see 1. d) / Re Question 1), the IK is of the opinion that the use of general terms to describe requirements rather than overly detailed lists will generally better fit an approach that takes due regard of the particular business model of the relevant applicant.

EBA’s draft, in contrast, provides a huge set of very detailed requirements. For small(er) payment institutions and payment institutions with a comparatively simple, low-risk business model this may lead to disproportionate efforts and an unnecessarily time-consuming procedure, both with regard to the preparation of the application and the workload of the competent supervisory authorities’ officers.

b) Clarification with regard to the required depth of information to be provided

According to the EBA hearing statements, the depth of information to be provided under Art. 5 (1) of PSD2, as further set out in the Guidelines, may be adjusted to the complexity of and the risk associated with the applicant’s business model.

The IK would greatly appreciate it if the EBA explicitly included such a clarification in the Guidelines.

Question 4: Do you agree with the Guidelines on information required from applicants for the authorisation as payment institutions for the provision of services 1-8 of Annex I of PSD2, as set out in chapter 4.1? If not, please provide your reasoning.

a) Information not required from other payment service providers (credit institutions)

aa) EBA’s draft appears to contain some information requirements that are not imposed on applicants for authorisation as credit institutions according to the EBA’s Consultation Paper on the Draft Regulatory Technical Standards under Article 8(2) of Directive 2013/36/EU on the information to be provided for the authorisation of credit institutions, the requirements applicable to shareholders and members with qualifying holdings and obstacles which may prevent the effective exercise of supervisory powers, and Draft Implementing Technical Standards under Article 8(3) of Directive 2013/36/EU on standard forms, templates and procedures for the provision of the information required for the authorisation of credit institutions of 08 November 2016 (EBA/CP/2016/19).

The IK is aware that the wording of the mandate conferred on the EBA in Article 5(5) of PSD2 in conjunction with Article 5(1) of PSD2 differs from that in Article 8(2) and (3) of Directive 2013/36/EU. In particular, Article 5(1) of PSD2 itself contains detailed requirements which, of course, the EBA cannot waive.

Yet, the IK is of the opinion that where the EBA does not stipulate corresponding requirements for credit institutions – which represent a significant part of all payment service providers active in the EU market – the EBA should also waive such requirements for payment institutions, unless the PSD2 explicitly stipulates that payment institutions must provide the respective information and/or documents.

bb) Against this background, the IK has particular concerns with regard to the following stipulations:

(1) Re 4.1 - Guideline 2: Identification Details

In our view, the following requirements deviate from the requirements for credit institutions, although – in our opinion – this is not mandatory according to the PSD2, and should therefore be deleted:

“ (…)

(Delete: h) indication on whether the applicant has ever been, or is currently being regulated, by a competent authority in the financial services sector or by any other industry-specific regulatory body;)

(Delete: i) any trade association(s) that the applicant plans to join, where applicable;)

(…)”

(2) Re 4.1 - Guideline 3: Program of operations

In our view, the following requirements deviate from the requirements for credit institutions without being mandatory according to the PSD2 and should therefore be deleted:

“ (…)

(Delete: e) number of different premises from which the applicant intends to provide the payment services, and/or carry out activities related to the provision of payment services if applicable;)

(…)”

(3) Re 4.1 - Guideline 8: Governance arrangements and internal control mechanisms

In our view, the following requirements deviate from the requirements for credit institutions, although – in our opinion – this is not mandatory according to the PSD2, and should therefore be deleted:


“(…)

(Delete: c) a confirmation of the regulatory reporting requirements that apply to the applicant;)

(…)”


(4) Re 4.1 – Guideline 9: Procedure to monitor, handle and follow up on security incidents and security-related customer complaints

In our view, the following requirements deviate from the requirements for credit institutions, although – in our opinion – this is not mandatory according to the PSD2, and should therefore be deleted:


“(…)

(Delete: c) the procedures for the reporting of incidents, including the communication of these reports to internal or external bodies, including notification of major incidents to NCAs under Article 96 of PSD2 and in line with the EBA Guidelines on incident reporting (EBA/GL/2016/tbc);) and

(…)”

(5) Re 4.1 – Guideline 13: Security policy document

In its para. 5 lit. (e), Article 10 (Information on the internal control framework and infrastructure) of the draft Regulatory Technical Standards requires applicants for a licence as a credit institution to provide “a description of the applicant credit institution’s IT infrastructure, including systems in use and underlying architecture, hosting arrangements, logical and physical protection measures”.

The information required from payment institutions (applicants) with regard to their IT infrastructure and protection measures is far more detailed than that required from credit institutions, although – in our opinion – this is not mandatory according to the PSD2. The respective wording in the Guidelines should therefore be amended.

The wording in 4.1 – Guideline 13: Security policy document should therefore be amended as follows:

“b) a description of the IT systems, which should include:

i. the architecture of the systems (delete: and their network elements;)
(Delete: ii. the business IT systems supporting the business activities provided, such as the applicant’s website, wallets, the payment engine, the risk and fraud management engine and customer accounting;)
(Delete: iii. the support IT systems used for the organisation and administration of the applicant, such as accounting, legal reporting systems, staff management, customer relationship management, e-mail servers and internal file servers;)
and
iv. information on whether those systems are already used by the applicant (delete: or its group), and the estimated date of implementation, if applicable.

(Delete: c) an exhaustive list of authorised connections from outside with partners, service providers, entities of the group and employees of the applicant working remotely, including the rationale for such connections;)

(Delete: d) for each of the connections listed under point c), the logical security measures and mechanisms in place, specifying the control the applicant will have over these accesses as well as the nature and frequency of each control, such as technical versus organisational, preventive vs detective, real-time monitoring vs regular reviews, such as the use of an Active Directory separate from the group, the opening/closing of communication lines, security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus and logs;)

e) the logical security measures and mechanisms that govern the internal access to IT systems, (delete: which should include:)

(Delete: i. the technical and organisational nature and frequency of each measure, such as whether it is preventive or detective or whether or not it is carried out in real time; and)
(Delete: ii. how the issue of client environment segregation is dealt with in cases where the applicant’s IT resources are shared.)

f) the physical security measures (delete: and mechanisms of the premises and the data centre of the applicant, such as access controls and environmental security;)

(Delete: g) the security of the payment processes, which should include:)

(Delete: i. the customer authentication procedure used for both consultative and transactional access, and for all underlying payment instruments;
ii. an explanation of how the safe delivery to the legitimate payment service user and the integrity of authentication factors such as hardware tokens and mobile applications are ensured, at the time of both initial enrolment and renewal; and
iii. a description of the systems and procedures that the applicant has in place for transaction analysis and identification of suspicious or unusual transactions.)

(…)”

b) Protection of highly sensitive information and documents

The IK is of the opinion that where the PSD2 does not strictly require applicants and payment institutions to provide sensitive information, the Guidelines should not impose a corresponding duty on them. In particular, the provision of detailed sensitive information does not necessarily yield a significant gain in the information that is needed to properly assess the applicants’ internal organisation and their compliance with applicable laws and best-practice standards for regulatory purposes.

aa) Re 4.1 – Guideline 11: Business continuity arrangements

(1) Art. 5 (1) lit. h) of PSD2 requires applicants to submit “a description of business continuity arrangements including a clear identification of the critical operations, effective contingency plans and a procedure to regularly test and review the adequacy and efficiency of such plans”.

This wording does not necessarily require applicants to reveal the confidential parts of those business continuity arrangements, which may contain extremely sensitive information.

(2) The IK has serious reservations about revealing sensitive and confidential information contained in business impact analyses, contingency plans and disaster recovery plans to the supervisory authority. This, however, might become necessary under the stipulations set out in the Guidelines, even though the wording of 4.1 – Guideline 11 does not explicitly require “copies” but a “description” of the business continuity arrangements.

A business impact analysis identifies the critical business processes and resources and therefore necessarily reveals where and how an institution could be hit hardest. Equally, at least parts of the contingency plans for business continuity and of the disaster recovery plans will of necessity be confidential.

For this reason, these documents and plans are as a rule not given to all staff of a payment institution, but only to the management body and, for example, those persons who have disaster recovery responsibilities, in order to prevent unauthorised persons from obtaining such sensitive information. For example, details of the security system or the home addresses and telephone numbers of other disaster recovery teams will not be given to every staff member. To avoid unauthorised distribution, particularly of contingency plans, a record is usually kept of who has been given a copy. In most cases, these records contain a table of recipients detailing name, department or section, responsibility and number of copies. If a staff member ceases employment, his or her copy must be returned to the disaster recovery coordinator.

(3) The IK sees a risk that the general precautions described above cannot be maintained in full, as the payment institution has no possibility of imposing on the supervisory authority (i) a corresponding duty to keep records of any officers who came into possession of confidential information and (ii) other additional safeguards.

What is more, the German Freedom of Information Act has created a legal right of access to official information held by Federal authorities. The Act generally applies to the Bundesanstalt für Finanzdienstleistungsaufsicht (“BaFin”) as it performs administrative functions under public law.

Although the German Freedom of Information Act contains specific provisions regarding the protection of business or trade secrets and personal data, there have been, in recent years, a number of disputes and court proceedings in which BaFin’s right to deny access to such information and BaFin’s duties with regard to professional secrecy (see also Art. 24 PSD2) were contested.

The IK is therefore of the opinion that where the PSD2 does not strictly require applicants and payment institutions to provide sensitive information, the Guidelines should not impose a corresponding duty on them. In particular, the provision of detailed sensitive information does not necessarily yield a significant gain in the information required to properly assess the applicants’ internal organisation and their compliance with regulatory duties.

(4) The respective wording in 4.1 – Guideline 11: Business continuity arrangements should therefore be amended as follows:


“11.1. The applicant should provide a description of the business continuity arrangements consisting of the following information:

(…)
a) (new: a summary of the business impact analysis;)
(Delete: a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives, and protected assets;)
(Delete: b) the identification of the back-up site, access to IT infrastructure, and its key software and data to recover from a disaster or disruption;)

(…)

(new: For the avoidance of doubt, applicants do not have to submit copies of their business impact analysis and their contingency and disaster recovery plans, and do not have to reveal extremely sensitive and confidential data such as (i) details of the offsite storage of records and information and (ii) details of recovery strategies, including details regarding the people, facilities, equipment, materials and information technology involved in those strategies and workarounds.)”

bb) Re 4.1 – Guideline 13: Security policy document

For the same reasons as set out above (see b) Protection of highly sensitive information and documents), 4.1 – Guideline 13: Security policy document should be amended as follows. The details that the IK suggests deleting are neither mandatory under the PSD2 nor required from applicants for a licence as a credit institution (see a) above, Information not required from other payment service providers).

“b) a description of the IT systems, which should include:

i. the architecture of the systems (delete: and their network elements;)
(Delete: ii. the business IT systems supporting the business activities provided, such as the applicant’s website, wallets, the payment engine, the risk and fraud management engine and customer accounting;)
(Delete: iii. the support IT systems used for the organisation and administration of the applicant, such as accounting, legal reporting systems, staff management, customer relationship management, e-mail servers and internal file servers;)
and
iv. information on whether those systems are already used by the applicant or its group, and the estimated date of implementation, if applicable.

(Delete: c) an exhaustive list of authorised connections from outside with partners, service providers, entities of the group and employees of the applicant working remotely, including the rationale for such connections;)

(Delete: d) for each of the connections listed under point c), the logical security measures and mechanisms in place, specifying the control the applicant will have over these accesses as well as the nature and frequency of each control, such as technical versus organisational, preventive vs detective, real-time monitoring vs regular reviews, such as the use of an Active Directory separate from the group, the opening/closing of communication lines, security equipment configuration, generation of keys or client authentication certificates, system monitoring, authentication, confidentiality of communication, intrusion detection, antivirus and logs;)

e) the logical security measures and mechanisms that govern the internal access to IT systems, (delete: which should include:)

(Delete: i. the technical and organisational nature and frequency of each measure, such as whether it is preventive or detective or whether or not it is carried out in real time; and)
(Delete: ii. how the issue of client environment segregation is dealt with in cases where the applicant’s IT resources are shared.)

f) the physical security measures (delete: and mechanisms of the premises and the data centre of the applicant, such as access controls and environmental security;)

(Delete: g) the security of the payment processes, which should include:)

(Delete: i. the customer authentication procedure used for both consultative and transactional access, and for all underlying payment instruments;)
(Delete: ii. an explanation of how the safe delivery to the legitimate payment service user and the integrity of authentication factors such as hardware tokens and mobile applications are ensured, at the time of both initial enrolment and renewal; and)
(Delete: iii. a description of the systems and procedures that the applicant has in place for transaction analysis and identification of suspicious or unusual transactions.)

(…)”

c) Re 4.1 – Guideline 4: Business plan

aa) Art. 5 (1) (a) PSD2 only requires “a business plan including a forecast budget calculation for the first 3 financial years which demonstrates that the applicant is able to employ the appropriate and proportionate systems, resources and procedures to operate soundly”.

4.1 – Guideline 4, however, stipulates that an analysis of the payments market and an analysis of the company’s competitive position are required, and that the marketing plan shall also summarise the main conclusions of “any marketing research carried out”. The IK is of the opinion that this does not merely substantiate the requirements already set out in the PSD2 but goes beyond the EBA’s mandate.

What is more, the analysis of the company’s competitive position will necessarily be a sensitive, if not highly sensitive, document for most applicants.

bb) Therefore, 4.1 – Guideline 4: Business plan should be amended as follows.


“4.1 The business plan to be provided by the applicant should contain:

a) a marketing plan including (delete: consisting of:)

(Delete: i. an analysis of the payments market;)
(Delete: ii. an analysis of the company’s competitive position;)
iii. a description of clients, marketing materials and distribution channels;
(Delete: iv. the main conclusions of any marketing research carried out.)

(…)”


d) Personal data

In order to maintain a high level of protection of personal data in line with applicable data protection law, the IK suggests waiving any requirement to provide personal data of the applicant’s staff where this is not explicitly required under PSD2.

e) Information required from payment institutions already in possession of a licence

aa) The transitional provision in Art. 109 of PSD2 states that Member States shall allow payment institutions that have taken up activities in accordance with the national law transposing Directive 2007/64/EC by 13 January 2018 to continue those activities under a grandfathering provision. Yet such payment institutions must submit all relevant information to the competent authorities in order to allow the latter to assess, by 13 July 2018, whether those payment institutions comply with the requirements laid down in Title II of PSD2.

Given this, the IK believes that the Guidelines will most likely be relevant not only for new applicants but also for payment institutions already in possession of a licence.

bb) In contrast to new applicants, however, payment institutions that already hold a licence are already subject to supervision, and the competent supervisory authorities are already in possession of comprehensive information and documentation regarding them. What is more, already licensed payment institutions must have internal control procedures, in particular an internal audit function, in place and are also subject to regular or, as the case may be, ad hoc examinations and assessments by external auditors.

Against this background, the IK would greatly appreciate it if the EBA included a statement in the Guidelines along the following lines:

“Where information and documents as set out in these Guidelines are required from payment institutions that are already in possession of a licence under the national law transposing Directive 2007/64/EC in order to assess their compliance with the requirements laid down in Title II of PSD2, only those documents and that information which have not yet been provided to the supervisory authority need to be provided.

Where a payment institution applies for an extended licence, only those documents and that information which have not yet been provided to the supervisory authority need to be provided. Where, however, the competent supervisory authority deems it necessary that the applicant for an extended licence provide updated information with regard to documents and information that have been provided to the supervisory authority before, the applicant may fulfil such requirement by issuing a statement that the information previously delivered is still true and correct. Generally, information and documentation submitted not more than 12 months ago should be regarded as still being up to date, unless there are indications to the contrary (e.g. because the applicant does not confirm, in the aforementioned statement, that the respective information is still true and correct).”

Question 5: Do you agree with the Guidelines on information required from applicants for registration for the provision of only service 8 of Annex I PSD2 (account information services), as set out in chapter 4.2? If not, please provide your reasoning.

NA

Question 6: Do you agree with the Guidelines on information requirements for applicants for authorisation as electronic money institutions, as set out in chapter 4.3? If not, please provide your reasoning.

NA

Question 7: Do you consider the Guidelines regarding the assessment of completeness of the application, as set out in chapter 4.4 to be helpful? If not, please provide your reasoning.

NA

Name of organisation

IK Interessengemeinschaft Kreditkarten