Response to consultation on the Guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC)

Question 1: Do you agree with the EBA’s assessments on KPIs and the calculation of uptime and downtime and the ASPSP submission of a plan to publish statistics, the options that EBA considered and progressed or discarded, and the requirements proposed in Guideline 2 and 3? If not, please provide detail on other KPIs or calculation methods that you consider more suitable and your reasoning for doing so.

Yes, we agree; however, we would like to express our concerns regarding some provisions of Guideline 3. We are of the opinion that daily statistics of the ASPSP’s interfaces (i.a. electronic banking, mobile banking, etc.) are commercially sensitive data and, once published, could be used in an inappropriate way, e.g. as evidence showing the results of cyberattacks to their makers. Daily statistics should be presented in percentage values and be available to the relevant Competent Authority only.
Additionally, we would like to note that reports should be based on quarterly calculations as more credible than the 24-hour reporting period. Short-term reports could be affected by false results, e.g. by intentionally overloading an API.
Referring to Guideline 2.3 c (and to 6.2. f), we would like to note that confirmation of availability of funds, based on provisions of the PSD2 (Article 65 1. (c)), should be preceded by the payer’s explicit consent given to the ASPSP. The directive also gives the right to use this specific service (confirmation of availability of funds) to the payment service provider issuing card-based payment instruments (CBPII) and not to the payment initiation service provider (PISP). It could lead to a breach of the directive.

Question 2: Do you agree with the EBA’s assessments on stress testing and the options it considered and progressed or discarded, and the requirements proposed in Guideline 4? If not, please provide your reasoning.

Yes, we agree.

Question 3: Do you agree with the EBA’s assessments on monitoring? If not, please provide your reasoning.

Yes, we agree.

Question 4: Do you agree with the EBA’s assessments on obstacles, the options it considered and progressed or discarded, and the requirements proposed in Guideline 5? If not, please provide your reasoning.

Yes, we agree. We also welcome the EBA’s approach to the ‘redirection’ method, described in the Consultation Paper. The Polish Bank Association is of the opinion that ‘redirection’, properly implemented, is the best and the most secure solution for authentication procedures.

Question 5: Do you agree with the EBA’s assessments for design and testing, the options it considered and progressed or discarded, and the requirements proposed in Guideline 6? If not, please provide your reasoning.

Yes, we agree. We would like to point out that it is worth mentioning in the Guidelines that the SLA for the testing environment differs from the production or live environment.

Question 6: Do you agree with the EBA’s assessment for ‘widely used’, the options it considered and discarded, and the requirements proposed in Guideline 7? If not, please provide your reasoning.

Yes, we agree.

Question 7: Do you agree with the EBA’s assessment to use the service level targets and statistical data for the assessment of resolving problems without undue delay, the options it discarded, and the requirements proposed in Guideline 8? If not, please provide your reasoning.

Yes, we agree.

Question 8: Do you agree with the proposed Guideline 9 and the information submitted to the EBA in the Assessment Form in the Annex? If not, please provide your reasoning.

Yes, we agree.

Question 9: Do you have any particular concerns regarding the envisaged timelines for ASPSPs to meet the requirements set out in these Guidelines prior to the September 2019 deadline, including providing the technical specifications and testing facilities in advance of the March 2019 deadline?

Yes, we agree. However, we would like to stress that the time available for ASPSPs to adapt their dedicated interfaces to the final version of these Guidelines is very short. Equally important is the fact that the period for Competent Authorities to assess implementations of the dedicated interfaces by the ASPSPs is also limited. There is a high risk of exceeding the deadline despite the pragmatic approach of the EBA expressed in Guideline 9.3.

Question 10: Do you agree with the level of detail set out in the draft Guidelines as proposed in this Consultation Paper or would you have expected either more or less detailed requirements on a particular aspect? Please provide your reasoning.

Yes, we agree and believe that the level of detail is sufficient.

Name of organisation

Związek Banków Polskich / Polish Bank Association