Response to consultation on the Guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC)
Below are the views of the Swedish Bankers’ Association (SBA) on the consultation. In addition to answering all the questions below, we first present a few more general comments on the consultation paper.

GENERAL COMMENTS
In the executive summary, the fourth sentence of the first paragraph should read “payment initiation services…”, not “payment information services”.
Chapter 4.1.24 – we suggest rewording “instigated” to “initiated”.
Guideline 2.1 – should read “the same service level objectives and targets, out of hours support, monitoring and contingency plans for the dedicated interface as it has in place for the interface(s) used by its own payment service users”.

Question 1: Do you agree with the EBA’s assessments on KPIs and the calculation of uptime and downtime and the ASPSP submission of a plan to publishing statistics, the options that EBA considered and progressed or discarded, and the requirements proposed in Guideline 2 and 3? If not, please provide detail on other KPIs or calculation methods that you consider more suitable and your reasoning for doing so.

ANSWER TO QUESTION 1
The SBA supports the EBA’s assessment not to set numerical figures for the Key Performance Indicators (KPI) for the individual roles of the PSPs. There is also a need to ensure that any form of manipulation, for instance where an external party has deliberately overloaded an API, is included in the unplanned downtime parameter in both 2.2(c) and 2.4(b).
In 3.1(a) we have concerns with the publication of daily performance statistics: if a bank were exposed to, for instance, a Distributed Denial of Service (DDoS) attack, the effects of that attack would be included in the publication. The cybercriminals behind the attack would then be able to evaluate the success of their actions and adapt their methods accordingly. Therefore the published data period should be adapted to limit these risks.
Furthermore, we agree with the EBA that the CA should check that the dedicated interface matches the highest level of availability of the ASPSP’s best performing PSU interface. However, concerning Guideline 3.1(b), it is in general difficult to compare the usage pattern of a PSU with that of an AISP, as these roles have two fundamentally different usage patterns. Further, some product channels are not comparable between a PSU and a PSP.
Question 2: Do you agree with the EBA’s assessments on stress testing and the options it considered and progressed or discarded, and the requirements proposed in Guideline 4? If not, please provide your reasoning.
In general the SBA agrees with the assessment and in particular we believe that stress tests should only be conducted by the ASPSP, and only once, when applying for the fallback exemption or to reactivate it in case it was revoked.

Question 3: Do you agree with the EBA’s assessments on monitoring? If not, please provide your reasoning.
The SBA agrees with the EBA’s assessments.

Question 4: Do you agree with the EBA’s assessments on obstacles, the options it considered and progressed or discarded, and the requirements proposed in Guideline 5? If not, please provide your reasoning.
We agree with the EBA’s assessment. However, the consent for PIISP services is established between the ASPSP and the PSU, and therefore the consent management for PIISP services is handled solely within the sphere of the ASPSP.

Question 5: Do you agree with the EBA’s assessments for design and testing, the options it considered and progressed or discarded, and the requirements proposed in Guideline 6? If not, please provide your reasoning.
The SBA agrees with the EBA’s assessments.

Question 6: Do you agree with the EBA’s assessment for ‘widely used’, the options it considered and discarded, and the requirements proposed in Guideline 7? If not, please provide your reasoning.
The SBA appreciates the clarification that the activities of ASPSPs should be included in the assessment of “widely used”, but we suggest that publications on the ASPSPs’ websites or channels should be sufficient.
Furthermore, there is the problem of the lack of CBPII actors in specific markets: how should a CA and an ASPSP act if there are no CBPIIs operating in their member state?