Swedish Bankers' Association

Below are the views of the Swedish Bankers’ Association (SBA) on the consultation. In addition to answering all the questions below, we first present a few more general comments on the consultation paper.

GENERAL COMMENTS

In the executive summary, first paragraph, the fourth sentence should read “payment initiation services…”, not “payment information services”.

Chapter 4.1.24 – we suggest rewording from "instigated" to "initiated".

Guideline 2.1 – should read “the same service level objectives and targets, out of hours support, monitoring and contingency plans for the dedicated interface as it has in place for the interface(s) used by its own payment service users”.

ANSWER TO QUESTION 1

The SBA supports the EBA’s assessment not to set numerical figures for the Key Performance Indicators (KPI) for the individual roles of the PSPs. There is also a need to ensure that any form of manipulation, where for instance an external party has deliberately overloaded an API, is included in the unplanned downtime parameter in both 2.2(c) and 2.4(b).

In 3.1(a) we have concerns with the publication of daily performance statistics. If a bank were exposed to, for instance, a Distributed Denial of Service (DDoS) attack, the effects of such an attack would then be included in the publication. The cybercriminals behind the attack would then be able to evaluate the success of their actions and adapt their processes thereafter. Therefore the published data period should be adapted to limit these risks.

Furthermore, we also agree with the EBA that the CA should check that the dedicated interface matches the highest level of availability of any of the ASPSP’s best performing PSU interfaces. However, concerning Guideline 3.1(b), it is in general difficult to compare the usage pattern of a PSU with the usage pattern of an AISP, as these roles have two fundamentally different usage patterns. Further, some product channels are not comparable between a PSU and a PSP.

In general the SBA agrees with the assessment, and in particular we believe that stress tests should only be conducted by the ASPSP and only once, when applying for the fallback exemption or to reactivate it in case it was revoked.

The SBA agrees with the EBA’s assessments.

We agree with the EBA’s assessment. However, the consent for PIISP services is established between the ASPSP and the PSU, and therefore the consent management for PIISP services is solely handled within the sphere of the ASPSP.

The SBA agrees with the EBA’s assessments.

The SBA appreciates the clarification that the activities of ASPSPs should be included in the assessment of “widely used”, but we suggest that publications on the ASPSPs’ websites or channels should be sufficient.

Furthermore, the problem regarding the lack of CBPII actors in the specific markets – how should a CA and an ASPSP act if there are no CBPIIs operating in their member state?

The SBA agrees with the EBA’s assessments.

The SBA agrees with the EBA’s assessment. However, we believe it should be clarified that the exemption process can be invoked separately for different APIs serving different client groups, such as retail vs. corporate customers, as well as different countries, as these may reside in different systems and have different timelines as well as complexity on availability.

The SBA has concerns with the already tight timelines based on the RTS; however, adding additional requirements for the testing facilities, e.g. exchange of qualified certificates, will increase the challenge to meet the timeline of March 2019.

As mentioned in our response to question 8 above, the SBA would have expected more information on whether the exemption covers all services/customer segments/countries or only a specific service/customer segment/country. To ensure that an exemption can be granted, this should be separated in the approval process.
lars.rutberg@swedishbankers.se
Lars Rutberg
+46705558418