PKO Bank Polski SA

1. PKO Bank Polski feels concerned that publishing KPI’s and quarterly statistics on availability and performance of ASPSPs brings a new risk of this data being used by others to carry out, for example an attack on the host and evaluation of effectiveness of these attacks.
2. Additionally in paragraph 24 it is stated that CA should check the highest level of availability of any of the best performing PSU interfaces – according to the RTS on SCA the availability of users interface should not be worse than for clients of given ASPSP, not the best one possible.
3. Due to the fact that in majority of cases the mobile channel is a channel with lower usability in relation to the basic channel (which is online banking) in PKO Bank Polski view mobile channel does not indicate the availability of electronic banking for PSU. This is defined by the availability of the “master” channel, i.e. online banking. Therefore it is recommended to take into account the availability indicators of the selected channel, i.e. internet banking (unless that ASPSP is mobile-only).
The level of detail seems insufficient specifically in the issue of how TPPs should identify themselves towards ASPSP before they start using fall back mechanism. PKO Bank Polski recommends that EBA or National Competent Authority should specify to the level of technical documentation the mechanism for TPP identity presentation towards ASPSP while using the fall back option. This should be prepared in time to implement the mechanism, if the waiver for not using fall back option is received, taking into account the dates required by RTS on SCA (i.e. March 2019 would be the latest preferable date).
Michal Oledzki