Związek Banków Polskich / Polish Bank Association

Yes, we agree, however, we would like to express our concerns regarding some provisions of Guideline 3. We are of the opinion, that daily statistics of the ASPSP’s interfaces (i.a. electronic banking, mobile banking etc) are commercially sensitive data and once published could be used in an inappropriate way, eg. as the evidence showing the results of cyberattacks to their makers. Daily statistics should be presented in the percentage values and be available to the relevant Competent Authority only.
Additionally, we would like to note that reports should be based on quarterly calculations as more credible than the 24-hour reporting period. Short term reports could be affected by false results, eg. by intentional overloading an API.
Referring to the Guideline 2.3 c (and to the 6.2. f) we would like to note that confirmation of availability of funds, based on provisions of the PSD2 (Article 65 1. (c)), should be preceded by payer’s explicit consent given to the ASPSP. The directive also gives the right to use this specific service (confirmation of availability of funds) to the payment service provider issuing card-based payment instruments (CBPII) and not to the payment initiation service provider (PISP). It could lead to the breach of the directive.
Yes, we agree.
Yes, we agree.
Yes, we agree. We also welcome the EBA’s approach to the ‘redirection’ method, described in the Consultation Paper. Polish Bank Association is of the opinion that ‘redirection’, properly implemented, is the best and the most secure solution for authentication procedures.
Yes, we agree. We would like to point out that it is worth to mention in the Guidelines that SLA for the testing environment differs from production or live environment.
Yes, we agree.
Yes, we agree.
Yes, we agree.
Yes, we agree. However, we would like to stress that the time available for ASPSPs to adapt their dedicated interfaces to the final version of these Guidelines is very short. Equally important is fact that the period for Competent Authorities to assess implementations of the dedicated interfaces by the ASPSPs is also limited. There is a high risk of exceeding the deadline despite the pragmatic approach of the EBA expressed in Guideline 9.3.
Yes, we agree and believe that the level of detail is sufficient.
Maciej Kostro