In the Netherlands there are measures and metrics, set forth in rules and regulations implemented by law and in supervisory policies, aimed at guaranteeing the availability of core payment infrastructures. We assume that the dedicated interfaces provided by ASPSPs in the Netherlands will be deemed part of these core payment infrastructures. Therefore, we assume that these EBA guidelines do not outweigh national supervisory practice and supervisory requirements as already set forth in national regulations, i.e. it should be sufficient to follow existing supervisory practice in fulfilling these EBA Guidelines. With that in mind we have interpreted and reviewed the draft guidelines.
This approach then eliminates the need for a distinction between planned and unplanned downtime. In our opinion the definition of “planned downtime” is a difficult one, prone to measurement errors and potential loopholes. For example, if an ASPSP decides that it will bring down its internet banking environment a quarter of an hour from now, as it sees upcoming problems, can this be considered “planned” or not? Furthermore, from a customer experience point of view, it does not matter whether the downtime is planned or unplanned.
The proposed approach is in line with article 33.1 of the RTS on SCA and CSC insofar as it relates to availability.
Regarding performance statistics (response time, accuracy of information), we believe that these are very time-consuming and challenging to implement. We believe that availability statistics could suffice. Furthermore, each PSP should only be held responsible for the performance and availability of components in its own domain, i.e. excluding the availability or performance of the intermediary infrastructure – such as the internet and other interfaces – between the PSU and the PSP. We also want to refer to our general comment above.
On the publishing of statistics we believe that quarterly figures and averages suffice, i.e. without a breakdown of daily figures. The RTS on SCA and CSC (article 32 sub 4) do not require the reporting of daily statistics. The impact of providing daily figures is disproportionate to the value of the added detail. Furthermore, it would hinder the view of market participants as to what is evidently important to them: is there sufficient availability during primetime? For these reasons, we would strongly recommend the EBA not to pursue this breakdown into daily figures.
The terms used in GL 4, like ‘Extremely high number of requests’, ‘high number of concurrent sessions’ and ‘heavy loads’, are in our opinion too subjective. We believe that this should be covered in the existing Business Continuity Management (BCM) stress testing frameworks and implementations of the ASPSPs. It is common practice to apply stress testing, in general much more extensive than GL 4 suggests, before going live, and these procedures are supervised by the NCA. Rationale 29 mentions this as well. Therefore we suggest that the EBA remove GL 4.2 and adapt GL 4.3 as follows: “The ASPSP should provide to the competent authority a summary of the results of their regular BCM stress testing frameworks as applied before clearing the dedicated interface for real live usage, including but not limited to any weaknesses or issues identified and confirmation that these have been addressed.”
We also refer to our general comment mentioned previously.
This is, in our opinion, in line with the usual business practice of PSPs. Our interpretation is that monitoring by the CA does not influence the requirements for granting an exemption to an ASPSP.
Yes, we agree.
Rationale 58 states that the PISPs/AISPs/CBPIIs are not obliged to undertake tests for the dedicated interfaces of ASPSPs. This might be legally correct; however, it might impact the PSU's experience with the PISPs/AISPs/CBPIIs and therefore the perceived customer relationship with the ASPSP. Has this been foreseen by the EBA, and how does the EBA consider the possible negative impact for the ASPSP? We would like the EBA to elaborate on this point.
GL 6.2 b mentions the ability to exchange certificates for electronic seals AND qualified web authentication certificates. However, Article 34 of the RTS states that ‘payment service providers shall rely on qualified certificates for electronic seals as referred to in Article 3(30) of Regulation (EU) No 910/2014 OR for website authentication as referred to in Article 3(39) of that Regulation.’ We would suggest following the RTS to keep this requirement consistent, or, if the chosen wording is intentional, explain and clarify this difference.
Yes, we agree.
Yes, we agree to the extent that this is common supervisory practice. We see no reason to intensify supervision on this subject and we refer to our general remark mentioned previously.
We support the pragmatic approach in the interest of a good customer journey and the importance of the speed of implementation to a certain extent.
Rationale 64 raises concerns. It mentions that CAs decide how and in which form information from ASPSPs is delivered to the CAs for their exemption assessment. The Dutch Payments Association is of the opinion that this could lead to fragmentation among Member States, in particular for PSPs that are active in several Member States, which could and should be avoided by uniform CA information requirements and process.
Furthermore, the Dutch Payments Association and its members would like to have confirmed that an exemption granted by the CA in the Home Member State (in our case the Dutch Central Bank)
(i) can be passported throughout Europe and
(ii) without any host Member State being able to impose further requirements.
No, we don't.
Yes, we believe the level of detail is sufficient and appropriate, given our standpoint as described in our general remark made previously.