Response to consultation on the Guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC)

Question 1: Do you agree with the EBA’s assessments on KPIs and the calculation of uptime and downtime and the ASPSP submission of a plan to publishing statistics, the options that EBA considered and progressed or discarded, and the requirements proposed in Guideline 2 and 3? If not, please provide detail on other KPIs or calculation methods that you consider more suitable and your reasoning for doing so.

Below are the views of the Swedish Bankers’ Association (SBA) to the consultation. In addition to answering all the below questions, we present initially a few more general comments on the consultation paper.

GENERAL COMMENTS

In the executive summary first paragraph fourth sentence should read “payment initiation services…”, not payment information services.

Chapter 4.1.24 – suggests rewording from "instigated" to "initiated".

Guideline 2.1 – should read “the same service level objectives and targets, out of hours support, monitoring and contingency plans for the dedicated interface as it has in place for the interface(s) used by its own payment service users”.

ANSWER TO QUESTION 1

The SBA supports the EBA’s assessment to not set numerical figures for the Key Performance Indicators (KPI) for the individual roles of the PSPs. There is also a need to ensure that any form of manipulation, where for instance an external party has deliberately overloaded an API, is included in the unplanned downtime parameter in both 2.2(c) and 2.4(b).

In 3.1(a) we have concerns with the publication of daily performance statistics: if a bank were exposed to, for instance, a Distributed Denial of Service (DDoS) attack, the effects of such an attack would then be included in the publication. The cybercriminals behind the attack are then able to evaluate the success of their actions and adapt their processes thereafter. Therefore the published data period should be adapted to limit these risks.

Furthermore we also agree with the EBA that the CA should check that the dedicated interface matches the highest level of availability of any of the ASPSP’s best performing PSU interface. However, concerning Guideline 3.1(b) it is in general difficult to compare the usage pattern of a PSU with the usage pattern of an AISP as these roles have two fundamentally different usage patterns. Further, some product channels are not comparable between a PSU and PSP.

Question 2: Do you agree with the EBA’s assessments on stress testing and the options it considered and progressed or discarded, and the requirements proposed in Guideline 4? If not, please provide your reasoning.

In general the SBA agrees with the assessment and in particular we believe that stress tests should only be conducted by the ASPSP and only once when applying for the fallback exemption or to reactivate it in case it was revoked.

Question 3: Do you agree with the EBA’s assessments on monitoring? If not, please provide your reasoning.

The SBA agrees with the EBA’s assessments.

Question 4: Do you agree with the EBA’s assessments on obstacles, the options it considered and progressed or discarded, and the requirements proposed in Guideline 5? If not, please provide your reasoning.

We agree with the EBA’s assessment. However the consent for PIISP services is established between the ASPSP and the PSU and therefore the consent management for PIISP services is solely handled within the sphere of the ASPSP.

Question 5: Do you agree with the EBA’s assessments for design and testing, the options it considered and progressed or discarded, and the requirements proposed in Guideline 6? If not, please provide your reasoning.

The SBA agrees with the EBA’s assessments.

Question 6: Do you agree with the EBA’s assessment for ‘widely used’, the options it considered and discarded, and the requirements proposed in Guideline 7? If not, please provide your reasoning.

The SBA appreciates the clarification that the activities of ASPSP’s should be included in the assessment of “widely used”, but we suggest that publications on the ASPSPs’ websites or channels should be sufficient.

Furthermore, the problem regarding the lack of CBPII actors in the specific markets – how should a CA and an ASPSP act if there are no CBPIIs operating in their member state?

Question 7: Do you agree with the EBA’s assessment to use the service level targets and statistical data for the assessment of resolving problems without undue delay, the options it discarded, and the requirements proposed in Guideline 8? If not, please provide your reasoning.

The SBA agrees with the EBA’s assessments.

Question 8: Do you agree with the proposed Guideline 9 and the information submitted to the EBA in the Assessment Form in the Annex? If not, please provide your reasoning.

The SBA agrees with the EBA’s assessment. However we believe it should be clarified that the exemption process can be invoked separately for different APIs serving different client groups, such as retail vs. corporate customers as well as different countries, as these may reside in different systems and have different timelines as well as complexity on availability.

Question 9: Do you have any particular concerns regarding the envisaged timelines for ASPSPs to meet the requirements set out in these Guidelines prior to the September 2019 deadline, including providing the technical specifications and testing facilities in advance of the March 2019 deadline?

The SBA have concerns with the already tight timelines based on the RTS, however adding additional requirements for the testing facilities, e.g. exchange of qualified certificates, will increase the challenge to meet the timeline of March 2019.

Question 10: Do you agree with the level of detail set out in the draft Guidelines as proposed in this Consultation Paper or would you have expected either more or less detailed requirements on a particular aspect? Please provide your reasoning.

As mentioned in our response to question 8 above the SBA would have expected more information on whether the exemption covers all services/customer segments/countries or only a specific service/customer segment/country. To ensure that an exemption can be granted this should be separated in the approval process.

Name of organisation

Swedish Bankers' Association