Response to consultation on the Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance under PSD2
In general we have to stress that the distinction between PISP and AISP should be pursued more consequently. The proposed formula requires companies that apply for both services to calculate the minimum monetary amount for the PISP and for the AISP accordingly and to sum up the results for an overall minimum monetary amount.
We encourage the EBA to propose two separate insurance policies or at least independent validities for both coverages. This would generate more certainty for insurer and insured undertakings. A possible withdrawal by regulators of the authorisation for one service does not necessarily lead to the withdrawal of the other. The same applies for the decision by an undertaking to forgo one field of activity. In both cases, two separate insurance policies/independent coverages would only lead to termination consequences for one of them.
The relevant provision, guideline 6.3 of the EBA Guidelines on PII, should thus be changed accordingly. We propose as follows: “If an undertaking that applies for authorisation to provide PIS also applies for registration to provide AIS, or if an undertaking that applies for registration to provide AIS also applies for authorisation to provide PIS, competent authorities should calculate the minimum monetary amount separately for each service, i.e. calculate amounts reflective of all criteria for provision of AIS and PIS separately. Competent authorities should accept separate policies or otherwise provided independent coverages by undertakings applying for both services.”
The EBA should consider that there is no established post PSD2-practice in the PISP/AISP sector yet. This might lead to a significant amount of unjustified claims that - considering the current draft of 5.1 of the EBA Guidelines on PII - would increase the proposed indicator accordingly. In our opinion only the subset of claims that eventually led to compensations paid by the undertakings should be considered in order not to discriminate against undertakings that are faced with significant amounts of groundless claims.
(B) AIS/PIS-indicator: “Geographical location of the undertaking”:
We would like the EBA to consider the following aspects with regard to this indicator:
- We assume that “provide services [...] in other countries outside the European Union” (see 5.6 of the EBA Guidelines on PII) does not apply as long as only EU-payment accounts are accessed, independently from the actual location and/or domicile of the PSU. We kindly ask the EBA to object, if it takes another view.
- Also we assume that the term “provide services not only in EU” does only refer to regulated payment services similar to the PSD2 scope, as 5.7 of the EBA Guidelines on PII considers foreign similar PII/guarantees in non-EU countries an alternative to adding the value of EUR 50.000. Thus merely providing non-regulated IT infrastructure/outsourcing services outside the EU is not to be considered for this indicator. Again, we kindly ask the EBA to object, if it takes another view.
- In general, the EBA should consider a risk-based approach that allows to reflect some ratio, instead of just adding the value of EUR 50.000 to the minimum monetary amount for any non-EU business. Currently the same amount is considered for undertakings that do 90 % of their business outside the EU as well as for undertakings that only do 1 % of non-EU business. We therefore propose a gradual approach depending on the percentage of revenue that is generated from non-EU business, e.g. each 10 % of revenue that is generated outside the EU adds EUR 10.000 to the minimum monetary amount. This results in the positive effect that undertakings that are engaged in only a single non-EU contract are not unnecessarily hindered, as the initial steps of non-EU expansion do not have an immediate impact on the minimum monetary amount.
(C) PIS-indicator: “Number of contracts with the undertaking applying for authorisation to provide PIS”:
Based on the definition of the term “contract” in chapter 2, No. 13 of the EBA Guidelines on PII as well as on our specific business model, we assume that we would consider our non-regulated B2B business partners acting as payees as well as so-called Payment Feature Providers (see detailed description below) to count the “number of contracts”. We kindly ask the EBA to object, if it takes another view.
(D) PIS-indicator: “Number of initiated payment transactions by undertakings applying for authorisation to provide PIS”:
We would like the EBA to consider the following aspects with regard to this indicator and kindly encourage the EBA to oppose our following interpretations, if necessary:
- Relevant contract models: We would like to underline that one PSU can use a Banking Service Provider such as figo GmbH (figo) in various constellations (see detailed business model description below). According to our current understanding we would only count the PSUs for this indicator in cases of figo acting in a contract model based on its own PISP license and not in cases of figo merely acting as an IT infrastructure/outsourcing service provider for licensed PISPs. The latter includes ASPSPs offering PIS.
- Considering standing orders: figo also enables the technical feature for PSUs to create new standing orders at their ASPSP. This feature appears e.g. in a third party multibanking front-end. When the PSD2 was finalised, this use case for open banking was not explicitly considered. Provided that this feature can be carried on as part of the XS2A interfaces and based on the risk-rationales of the PII’s minimum monetary amount we would propose to count the creation of standing orders as ‘one initiated payment’. That is speaking from the perspective of a licensed PISP offering this feature as part of a B2B contract model with a non-regulated Payment Feature Provider (see detailed business model description below). This results from the fact that any periodic transactions following after the one-time creation of a standing order are initiated and processed by the ASPSP without any further influence by the PISP.
(E) AIS-indicator: “Number of different payment accounts accessed by undertakings applying for registration to provide AIS”:
In order to count the number for this indicator in practice, it is necessary to establish a common understanding of the term “payment account” by providing an appropriate demarcation to accounts not covered by the PSD2-scope (see detailed business model description below for further input on our services beyond the PSD2 limitations).
In order to avoid any differing of national CA’s approaches, which could hinder the envisaged EU level playing field, we propose an official comment by the EBA (as part of the guidelines or at least their rationales) to help with an operative interpretation of the high-level PSD2 definition of the term “payment account” acc. to Art. 4 No. 12 of the PSD2, namely with regard to certain borderline cases. From our point of view, a clear demarcation line is not even derivable based on excluding all accounts for which the connection of a reference account is necessary. A subset of these accounts (such as certain credit card accounts or Paypal accounts) allow to hold credit balances or to connect more than one reference account, which results in possible online credit transfers to be initiated from these accounts.
The simple calculation of this one PII indicator for AISP shows the complexity that results from differing “payment account” interpretations within the EU. Additional problems are expected with regard to a hindered EU level playing field for the necessity of bilateral agreements to access non-payment accounts, i.e. beyond PSD2-accounts, in a legally watertight way (see also our detailed business model description below).
- Most importantly, the EBA should consider a risk-based approach that allows to reflect some ratio, instead of just adding the value of EUR 50.000 to the minimum monetary amount for any “business other than providing payment services as referred to in Annex I of the PSD2” (other business). Currently the same amount is considered for undertakings whose other business results in 90 % of their overall revenue as well as for undertakings which are only engaged in a single other business contract. We therefore propose a gradual approach depending on the percentage of revenue that is generated from other business, e.g. each 10 % of revenue that is generated from the other business adds EUR 10.000 to the minimum monetary amount. This results in the positive effect that undertakings which are engaged in only a single other business contract are not unnecessarily hindered and the initial steps of expansion into other business fields do not have an immediate impact on the minimum monetary amount.
- Secondly, our current understanding is that ASPSPs that are credit institutions and that intend to provide payment services do not need to “obtain authorisation as a payment institution” based on the exemption provided by Art. 11 Para. 1 in conjunction with Art. 1 Para. 1 lit. a) of PSD2. If this group intends to provide PIS and/or AIS, they do not need to provide their CA with a PII/comparable guarantee, as this would only be a required part of their redundant PISP/AISP-license/registration application. Or, in other words, all those companies that can be subsumed under the exemptions of Art. 11 Para. 1 of PSD2 (i.e. are stated in Art. 1 Para. 1 lit. a), b), c), e), f)) do not need to hold the PII/comparable guarantee in order to provide PIS and/or AIS. At first sight, this seems to be consistent, as they are obliged to certain requirements with regard to their own funds and the PII was established as a more proportionate means for PISPs/AISPs that do not hold clients’ funds. On the other hand, the draft of 6.4 of the EBA Guidelines on PII clarifies that payment institutions according to Art. 1 Para. 1 lit. d) of PSD2, that next to providing PIS and/or AIS are providing other payment services than referred to in Annex I No. 7 and 8 of the PSD2, do need to provide CAs with the PII/comparable guarantee as they are not excluded from this obligation on the basis of Art. 11 Para. 1 of the PSD2. That is although the latter group is also obliged to certain own funds requirements. We do not comprehend the unequal treatment of the described groups of undertakings both intending to provide PIS/AIS and both faced with own funds requirements and would like the EBA to provide us with some justification in that regard.
Even if - with a final PSD2 - the EBA might lack ways and means to change the overall requirement of a PIS/AIS-authorisation for the outlined group of payment institutions, it should at least consider this apparent imbalance with regard to considering own funds requirements for the activity criterion. In particular as from the perspective of an undertaking which will definitely have to provide the CA with a PII/comparable guarantee as part of its PISP/AISP application, we currently see some market barrier potential for PISP/AISP, resulting from a possible lack of availability of appropriate products, offered by the insurance market (for more details please see our response to Question 7 of the consultation input on hand). From our point of view this overall drafted concept as of today could lead to a competitive advantage for ASPSPs which intend to provide PIS/AIS compared to other PISPs/AISPs.
With regard to the indicator of total value of all transactions we would like to point out two concerns:
- Calculation of values of transactions in non-EUR currencies: Our understanding is that, e.g. if a PISP is located in an EUR-zone member country, but also initiates payments in member states where the official currency is other than EUR, it would gather the data for each currency separately and convert the resulting sum at the end of each 12 months period into EUR using an average exchange rate for that period. If so, the EBA might want to propose an appropriate reference exchange rate for PISPs to use.
- Relevant contract models: Again, we would like to underline that one PSU can use a Banking Service Provider such as figo in various constellations (see detailed business model description below). According to our current understanding we would only count the value of initiated payments for this indicator in cases of figo acting in a contract model based on its own PISP license and not in cases of figo merely acting as an IT infrastructure/outsourcing service provider for licensed PISPs, incl. ASPSPs offering PIS. If the EBA takes a different view it may object.
- Provided that our standing order feature can be carried on as part of the XS2A interfaces and based on the risk-rationales of the PII’s minimum monetary amount we would propose to cover the creation of standing orders as ‘one initiated payment’, i.e. would consider the “one-time value” as part of the total value indicator (please compare to our response reg. Question 3). We kindly ask the EBA to object, if it takes another view.
(B) AIS-indicator: Number of clients that made use of the service in the last 12 months
With regard to this indicator, we would like to point out various clarifications and/or concerns and kindly encourage the EBA to oppose our following interpretations, if necessary:
- Based on the definition of “client” as part of chapter 2, No. 13 of the EBA Guidelines on PII we generally assume for our purposes that this indicator is used to count PSUs (end-users) and our B2B-contract relationship partner, i.e. non-PSD2-regulated Data Benefit Providers (= charged B2B-service), who only make use of the AIS-data for a user-friendly feature of their actual product range (see our business model description below for further details).
Also for the purposes of this indicator, we would like to underline that one PSU can use us in various constellations (see detailed business model description below). According to our current understanding we would only count the PSUs for this indicator in cases of figo acting in a contract model based on its own AISP registration and not in cases of figo merely acting as an IT infrastructure/outsourcing service provider for registered AISPs. The latter includes ASPSPs offering AIS.
- Moreover, the provided definition of “clients” from our point of view implies that if a PSU uses figo to deliver his account data to different subjects, i.e. diverse Data Benefit Providers, the number of clients within the meaning of this indicator would be identical with the number of used subjects.
- Another question is which actual set of data should be used to determine the number of clients. This is especially important with regard to accounts for which two or even more natural persons are authorised (e.g. equally authorised spouses using the same account). As ASPSPs provide each person with personal login credentials, different PSUs might make use of different AIS using the same account. In our opinion an appropriate way would be to count the number of different and unique login credential sets that PSUs have applied to make use of the AIS in the last 12 months.
- Last but not least and considering the different use cases for which we provide AIS (see business model description below), figo explicitly points out that from a risk perspective, it is necessary to distinguish between PSUs that only use an AIS once and those that use an AIS permanently. The latter have been and still are rather taken into account by official bodies, as the multibanking-case has been the major practice template for AIS-usage covered by the PSD2. However, figo nowadays deals with a lot of one-time AIS users, e.g. for account validation or credit rating purposes. Obviously, the unique PSU that only uses the AIS once and for the use case of one Data Benefit Provider (i.e. subject) and whose data is deleted afterwards, entails a smaller risk, than the PSU that is using the AIS permanently for multibanking/account alert purposes. That is why we propose that the unique one-time AIS user should be considered in a more proportionate way. For example the EBA could propose to divide the overall number of unique one-time AIS users (i.e. clients) in the last 12 months by a certain number which might be connected to the amount of regular pull/push calls per year - in line with the final Art. 22 Para. 5 (b) of EBA’s RTS-draft on SCA/communication.
From our point of view Guideline 8., i.e. 8.1 of the EBA Guidelines on PII, stipulating that “Competent authorities should require the undertakings to hold either the PII, or a comparable guarantee.” is redundant as it does not define any requirement or detail any provision not already contained as part of Art. 5 para. 2 or 3 of the PSD2. Moreover the comparable guarantee as an overall alternative based on the same criteria as the PII, is not a “criterion” itself as stated for this Guideline.
(B) Market barrier instead of intended relief?
At first sight, we welcomed the intended alternative of a PII/comparable guarantee compared to own funds requirements for PISPs/AISPs. However, over the course of dealing with the requirements in detail, we are afraid that the intended relief could become quite a market barrier for TPPs.
During the preparation of our consultation input, we involved two German insurance brokers, providing various contacts to diverse insurers, in order to find a national insurer that might have been interested in providing joint input to this consultation. Unfortunately, we were faced with the following feedback:
- A large number of qualified (special) insurers was interviewed (we can provide the EBA with their names on request and separately to the published consultation input).
- Some of the insurers, incl. industry leaders and credit insurers, have so far neither been aware of the PSD2 nor the according risk to be covered.
- Some specialist insurers do not want to cover the according risk because “presumably a liability without fault” would have to be covered (highest obstacle from brokers’ points of view). In the case of internal, e.g. programming errors, the question of the degree of fault (negligence) arises, e.g. there is no fault with external attacks, that is to say cyber attacks. However this risk has to be covered. For this, there is no suitable existing product that could be modified according to PISPs/AISPs requirements.
- If there should be a newly developed policy, insurers would inter alia have to consider cyber risk coverage.
- Last but not least, insurers are hesitant to invest into according product development because they expect the overall market for the PII to be negligible.
From the point of view of a potential PISP/AISP we would like to add that:
- Cyber risk policies - in market practice - are usually connected to significant insurance fees that probably might not relate to the EBA’s sophisticatedly derived minimum amount at all.
- Especially considering the scope of engagement by EBA Guidelines in general raises further concern, i.e. that CAs across the EU can inform the EBA that they do not intend to comply with the guidelines and state reasons for non-compliance. Referring to our previously outlined feedback from insurers, national authorities might use this market barrier argumentation to not commit themselves to the EBA’s guidelines. Consequently, the EU level playing field for PISPs/AISPs could be undermined with serious impact.
- Last but not least, ASPSPs, e.g. credit institutions, are covered by their own funds requirements and therefore not required to provide authorities with according PII policies. As they can on the other side offer PIS/AIS by themselves, they might have a competitive advantage compared to other PISPs/AISPs due to the outlined market barrier potential of PIIs.
We were surprised when reading that, according to the EBA’s survey, a small number of PISPs/AISPs have “taken out such PII or a cover of a kind similar to PII” as well as that insurance undertakings were approached by the EBA before the guidelines were drafted (see rationale no. 9 and no. 90 of the EBA consultation paper on PII). To support our current understanding, we also tried to involve Insurers Associations for an official statement - however did not receive feedback in time.
We therefore kindly encourage the EBA to actively involve European and national Insurers Associations to discuss the consultation concerns and/or request official statements with regard to the actual intent to provide PISPs/AISPs with according PII policies before the guidelines under consultation are finalised. Only the insurance market itself can make a final assessment, if and under which conditions it is actually able to offer a compliant PII.
(C) Mistake in the calculation of Example 2 in the EBA consultation paper on PII
It appears that we found a mistake in Example 2, outlined by the EBA on page 20 of its consultation paper. Our result (= EUR 548.015) for the calculation of the “minimum monetary amount of the PII/comparable guarantee per calendar year covering all claims resulting from PIS activities” is EUR 40.000 lower than the provided result in the example (= EUR 588.015). Thus we assume that the EBA mistakenly added the indemnity claims resulting from the provision of AIS (= EUR 40.000) to the PIS-result. If we misunderstood the underlying calculation, please provide us with some clarification.
(D) DETAILS WITH REGARD TO OUR BUSINESS MODEL (updated since our last input on EBA RTS on SCA/communication and crucial for the understanding of our concerns outlined above)
As the provided online form does not provide us with the possibility to add further details with regard to our business model, we would like to include the following information as part of Question 7:
We describe figo GmbH as a “Banking Service Provider”. We offer B2B-services relating to the third party payment account access covered by PSD2 as well as services beyond that coverage.
For the purpose of this consultation we focus our further description on the PSD2-scope. In that regard figo GmbH aims at becoming a BaFin-regulated Payment Institution, i.e. a licensed PISP as well as a registered AISP in Germany. Our aspired post-PSD2 services in 2018 might be described on the basis of the following different contractual model options:
(1) figo acting as a licensed PISP by means of contractual relationships with
a. non-PSD2-regulated companies, acting as payees (= charged B2B-service, e.g. for E-Commerce or Factoring companies) OR
b. non-PSD2-regulated companies, acting as Payment Feature Providers (= charged B2B-service, who only make use of the PIS for a user-friendly feature of their actual product range, such as credit transfer by photo or accounting and receivables management applications) AND in either case
c. the payment service users (= free of charge user agreements with payment service users, i.e. payers)
and provided that sensitive payment data is not forwarded to non-PSD2-regulated third parties as well as that any data is not further utilised by figo but only for the provision of the payment initiation service.
(2) figo acting as an AISP subject to registration by means of a contractual relationship with
a. non-PSD2-regulated Data Benefit Providers (= charged B2B-service, who only make use of the AIS-data for a user-friendly feature of their actual product range, such as account change/alert/monitoring providers, comparison portals or credit portals (in the latter case for risk management/credit rating purposes)) as well as
b. the payment service users (= free of charge user agreements with payment service users, i.e. AIS-end users)
and provided that sensitive payment data is not forwarded to non-PSD2-regulated third parties as well as that other data is only forwarded on the basis of an explicit consent by the AIS-end user with forwarding certain earmarked AIS-data to a specific data benefit provider in compliance with relevant data protection rules.
(3) figo acting as a PSD2 services outsourcing partner (IT infrastructure/outsourcing service provider) for licensed or subject to registration PISP or AISP (e.g. AISP/PISP who do not want to build the overall IT infrastructure needed to provide their licensed/registered services or ASPSP providing PIS/AIS services to their customers) and without any contractual relationship with the end-user.
(4) figo acting as a XS2A Service Provider, i.e. an IT infrastructure/outsourcing service provider for ASPSP, who have to build and maintain a PSD2-compliant XS2A interface.
We are aware that options (1b) and (2) were not considered when the PSD2 content was finalised. As a consequence, a few strict interpretations of PSD2 details have been expressed lately, e.g. that Art. 67 para. 2 (f) of PSD2 would imply a similar strict interdiction of further data utilisation by AISP as Art. 66 para. 3 (g) of PSD2 does for PIS.
Today’s advanced market developments however show an urgent need for the proposed overall concept by figo GmbH. Established innovations and successful use cases would be hindered to a large extent, if the described options (1a) and (2) will not be implemented in a legally watertight way. From our point of view, especially context-related use cases of AIS are a major driver of the PSD2-intended innovation. Consumers tend to share their personal data in cases of benefits, such as more convenient and automated user processes. And there is still considerable room for more innovative business concepts on that PSD2-basis, which will lead to further economic growth for the European market, if it is not unnecessarily over-regulated. The law and regulatory requirements have to step in on a second level, i.e. to meet these newly developed market needs and make sure that the processes requested by the consumer are built and maintained in a secure way, instead of generally limiting the consumer’s freedom. A potential strict interdiction of further data utilisation by AISP would only have an unfortunate inhibitory effect on the actually intended innovation by PSD2. In the medium term, consumer freedom will assert itself eventually (see recent antitrust authorities’ decisions in favor of this development in Europe as well as the developments around the EU regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
Assuming accordingly that data benefit providers will be allowed to bring their AIS-featured products to the market, another PSD2 loophole has to be rectified. Given their business model and strategies, the majority of data benefit providers, who only make use of AIS as a small component of their product range do not aim at becoming a registered AISP or being “treated as a payment institution”. That is why today they already make use of market participants like figo GmbH to access the financial resources of their B2C-clients. Looking ahead and based on our extensive business partner experience, data benefit providers want a full PSD2-compliant service support by a regulated AISP next to the option of outsourcing the IT infrastructure needs for AIS-components. They would rather forgo successful consumer friendly features instead of applying for an own AISP-registration. This is due to the fact that from a market perspective the latter overall requires similarly high standards and efforts as becoming a fully licensed payment institution.
Similar conditions apply for contractual model option (1b), i.e. non-PSD2-regulated payment feature providers. These also merely make use of the PIS for a user-friendly feature of their actual product range, such as credit transfer by photo or accounting and receivables management applications. They rely on market participants such as figo to be able to maintain their payment feature products without their own need to apply for a PISP-license.
From our point of view, bundling PISP as well as bundling AISP such as figo provide a win-win situation for all market participants, as implementing contractual model option (1b) and (2) in a legally watertight way would lead to increased consumer and data protection as well as IT-Security by
- upstream (and we propose regulatory binding) “Know Your Third Party”-processes, incl. a risk-based and scaled transfer of PSD2 requirements to data benefit providers and non-PSD2-regulated payment feature providers or payees,
- streamlined and transparent communication processes between PISP/AISP and ASPSP (considering clearly and technically sorted processes for PISP and AISP),
- implementing centrally enforceable and effectively controllable standards from the perspective of EU-wide and national supervisory bodies as well as
- the establishment of high-quality API infrastructure standards.
That is why we hereby make use of the possibility to state that an explicit license exemption for payment feature providers as well as a registration exemption for data benefit providers are needed on the condition that these market participants engage licensed PISPs/registered AISPs. At best a fully EU-harmonised clarification can be achieved, e.g. being provided as part of the EBA’s mandate concerning the information to be provided to the competent authorities in the application for the authorisation of payment institutions covered by Art. 5 para. 5 of PSD2.
With regard to our services beyond PSD2 coverage we would like to share our view with the EBA on how it could have an active role in further fostering innovation and growth developments in the open banking market. In a first step, a severe consideration by the EBA of all provided consultation input with regard to a need for clarification on the PSD2-scope helps the market to establish a legally watertight basis, what will consequently foster innovations. ASPSPs can define more clearly, which sort of access they can legally monetise, e.g. by offering charged and hence so-called “premium API access” to third parties and on the basis of explicit consent of end-users.
Moreover, we kindly encourage the EBA to clarify in its rationales of the provided RTS-draft, that PSD2 does not prevent market participants to make bilateral agreements and obtain explicit customer consent on premium access to banking data beyond the PSD2/RTS-limitations. For example the growing market for XS2B(rokerage) could be actively supported by a clear statement of EBA officials. Given this, the urgently needed and slowly growing cooperation between banking incumbents and fintechs would be actively supported by an EU authority which would lead to general economic growth for all EU market participants. As a positive side effect a clear statement in that regard would override the general veto players, who still discuss principles of the PSD2-scope that are no longer questionable after PSD2 entered into force on 12 January, 2016. If this view is not shared by the EBA as well as other involved authorities and moreover by banking incumbents, we expect a much slower and demanding process but eventually still the same result in this matter. As from a consumer perspective as well as from a competition law perspective, there is no reasonable ground for a legal discrimination against non-payment accounts.
Question 1: Do you agree with the requirement that competent authorities require undertakings to review, and if necessary re-calculate, the minimum monetary amount of the PII or comparable guarantee, and that they do so at least on an annual basis, as proposed in Guideline 8?
First of all, we assume that EBA’s first question refers to Guideline 9 instead of 8.
With regard to the requirement of reviews “at least on an annual basis”, we would like to point out that short-term or seasonal peaks, which may occur for certain indicators, should not require an immediate adjustment of the minimum monetary amount. That is why we assume that only if increasing amounts of certain indicators can be connected to actual, i.e. sustainable, growth of the PISP/AISP, the duty to inform CAs applies (Art. 16 of PSD2 in conjunction with rationale 24 of the EBA consultation paper on PII). The latter case would also imply a need for re-calculation of the minimum amount within periods of less than a year.
Due to diverse reasons outlined in detail below (see Question 7), we do not expect a lot of insurance companies to offer PII policies for PISP/AISP. Given a highly probable possibility that policies must be re-negotiated within periods of less than a year, the attractiveness of this product for insurers would decrease even further.
We kindly encourage EBA to at least mitigate 9.1 of the EBA Guidelines on PII by providing the CAs - and indirectly the undertakings - with some room for an assessment of the sustainability of any newly increased amounts.
Although we understand the need for flexibility in a still growing market, from the perspective of a future PISP/AISP and based on our first discussions with the insurance market, we actually see that PISP/AISP would highly benefit from a certainty of a required fixed (instead of “at least”) annual basis for the review of the minimum monetary amount.
Question 2: Do you agree with the formula to be used by competent authorities when calculating the minimum monetary amount of the PII or comparable guarantee as proposed in Guideline 3? Please explain your reasoning
From our point of view the overall formula seems to be an appropriate approach. However, there are some minor details that we cannot endorse and that we described in detail as part of our following responses.
In general we have to stress that the distinction between PISP and AISP should be pursued more consistently. The proposed formula requires companies that apply for both services to calculate the minimum monetary amount for the PISP and for the AISP accordingly and to sum up the results for an overall minimum monetary amount.
We encourage the EBA to propose two separate insurance policies or at least independent validities for both coverages. This would generate more certainty for insurer and insured undertakings. A possible withdrawal by regulators of the authorisation for one service does not necessarily lead to the withdrawal of the other. The same applies for the decision by an undertaking to forgo one field of activity. In both cases, two separate insurance policies/independent coverages would only lead to termination consequences for one of them.
The relevant provision, guideline 6.3 of the EBA Guidelines on PII, should thus be changed accordingly. We propose as follows: “If an undertaking that applies for authorisation to provide PIS also applies for registration to provide AIS, or if an undertaking that applies for registration to provide AIS also applies for authorisation to provide PIS, competent authorities should calculate the minimum monetary amount separately for each service, i.e. calculate amounts reflective of all criteria for provision of AIS and PIS separately. Competent authorities should accept separate policies or otherwise provided independent coverages by undertakings applying for both services.”
Question 3: Do you agree with the indicators under the risk profile criterion and how these should be calculated, as proposed in Guideline 5? Please explain your reasoning.
(A) AIS/PIS-indicator: “Value of indemnity claims received”:
The EBA should consider that there is no established post PSD2-practice in the PISP/AISP sector yet. This might lead to a significant amount of unjustified claims that - considering the current draft of 5.1 of the EBA Guidelines on PII - would increase the proposed indicator accordingly. In our opinion only the subset of claims that eventually led to compensations paid by the undertakings should be considered in order not to discriminate against undertakings that are faced with significant amounts of groundless claims.
(B) AIS/PIS-indicator: “Geographical location of the undertaking”:
We would like the EBA to consider the following aspects with regard to this indicator:
- We assume that “provide services [...] in other countries outside the European Union” (see 5.6 of the EBA Guidelines on PII) does not apply as long as only EU-payment accounts are accessed, independently from the actual location and/or domicile of the PSU. We kindly ask the EBA to object, if it takes another view.
- Also we assume that the term “provide services not only in EU” does only refer to regulated payment services similar to the PSD2 scope, as 5.7 of the EBA Guidelines on PII considers foreign similar PII/guarantees in non-EU countries an alternative to adding the value of EUR 50.000. Thus merely providing non-regulated IT infrastructure/outsourcing services outside the EU is not to be considered for this indicator. Again, we kindly ask the EBA to object, if it takes another view.
- In general, the EBA should consider a risk-based approach that allows to reflect some ratio, instead of just adding the value of EUR 50.000 to the minimum monetary amount for any non-EU business. Currently the same amount is considered for undertakings that do 90 % of their business outside the EU as well as for undertakings that only do 1 % of non-EU business. We therefore propose a gradual approach depending on the percentage of revenue that is generated from non-EU business, e.g. each 10 % of revenue that is generated outside the EU adds EUR 10.000 to the minimum monetary amount. This results in the positive effect that undertakings that are engaged in only a single non-EU contract are not unnecessarily hindered, as the initial steps of non-EU expansion do not have an immediate impact on the minimum monetary amount.
(C) PIS-indicator: “Number of contracts with the undertaking applying for authorisation to provide PIS”:
Based on the definition of the term “contract” in chapter 2, No. 13 of the EBA Guidelines on PII as well as on our specific business model, we assume that we would consider our non-regulated B2B business partners acting as payees as well as so-called Payment Feature Providers (see detailed description below) to count the “number of contracts”. We kindly ask the EBA to object, if it takes another view.
(D) PIS-indicator: “Number of initiated payment transactions by undertakings applying for authorisation to provide PIS”:
We would like the EBA to consider the following aspects with regard to this indicator and kindly encourage the EBA to oppose our following interpretations, if necessary:
- Relevant contract models: We would like to underline that one PSU can use a Banking Service Provider such as figo GmbH (figo) in various constellations (see detailed business model description below). According to our current understanding we would only count the PSUs for this indicator in cases of figo acting in a contract model based on its own PISP license and not in cases of figo merely acting as an IT infrastructure/outsourcing service provider for licensed PISPs. The latter includes ASPSPs offering PIS.
- Considering standing orders: figo also enables the technical feature for PSUs to create new standing orders at their ASPSP. This feature appears e.g. in a third party multibanking front-end. When the PSD2 was finalised, this use case for open banking was not explicitly considered. Provided that this feature can be carried on as part of the XS2A interfaces and based on the risk-rationales of the PII’s minimum monetary amount we would propose to count the creation of standing orders as ‘one initiated payment’. That is speaking from the perspective of a licensed PISP offering this feature as part of a B2B contract model with a non-regulated Payment Feature Provider (see detailed business model description below). This results from the fact that any periodic transactions following after the one-time creation of a standing order are initiated and processed by the ASPSP without any further influence by the PISP.
(E) AIS-indicator: “Number of different payment accounts accessed by undertakings applying for registration to provide AIS”:
In order to count the number for this indicator in practice, it is necessary to establish a common understanding of the term “payment account” by providing an appropriate demarcation to accounts not covered by the PSD2-scope (see detailed business model description below for further input on our services beyond the PSD2 limitations).
In order to avoid any differing of national CA’s approaches, which could hinder the envisaged EU level playing field, we propose an official comment by the EBA (as part of the guidelines or at least their rationales) to help with an operative interpretation of the high-level PSD2 definition of the term “payment account” acc. to Art. 4 No. 12 of the PSD2, namely with regard to certain borderline cases. From our point of view, a clear demarcation line is not even derivable based on excluding all accounts for which the connection of a reference account is necessary. A subset of these accounts (such as certain credit card accounts or Paypal accounts) allow to hold credit balances or to connect more than one reference account, which results in possible online credit transfers to be initiated from these accounts.
The simple calculation of this one PII indicator for AISP shows the complexity that results from differing “payment account” interpretations within the EU. Additional problems are expected with regard to a hindered EU level playing field for the necessity of bilateral agreements to access non-payment accounts, i.e. beyond PSD2-accounts, in a legally watertight way (see also our detailed business model description below).
Question 4: Do you agree how the indicators under the type of activity criterion should be calculated, as proposed in Guideline 6? Please explain your reasoning.
We have two concerns with regard to the indicators under the type of activity criterion:
- Most importantly, the EBA should consider a risk-based approach that allows to reflect some ratio, instead of just adding the value of EUR 50.000 to the minimum monetary amount for any “business other than providing payment services as referred to in Annex I of the PSD2” (other business). Currently the same amount is considered for undertakings whose other business results in 90 % of their overall revenue as well as for undertakings which are only engaged in a single other business contract. We therefore propose a gradual approach depending on the percentage of revenue that is generated from other business, e.g. each 10 % of revenue that is generated from the other business adds EUR 10.000 to the minimum monetary amount. This results in the positive effect that undertakings which are engaged in only a single other business contract are not unnecessarily hindered and the initial steps of expansion into other business fields do not have an immediate impact on the minimum monetary amount.
- Secondly, our current understanding is that ASPSPs that are credit institutions and that intend to provide payment services do not need to “obtain authorisation as a payment institution” based on the exemption provided by Art. 11 Para. 1 in conjunction with Art. 1 Para. 1 lit. a) of PSD2. If this group intends to provide PIS and/or AIS, they do not need to provide their CA with a PII/comparable guarantee, as this would only be a required part of their redundant PISP/AISP-license/registration application. Or, in other words, all those companies that can be subsumed under the exemptions of Art. 11 Para. 1 of PSD2 (i.e. are stated in Art. 1 Para. 1 lit. a), b), c), e), f)) do not need to hold the PII/comparable guarantee in order to provide PIS and/or AIS. At first sight, this seems to be consistent, as they are obliged to certain requirements with regard to their own funds and the PII was established as a more proportionate means for PISPs/AISPs that do not hold clients funds. On the other hand, the draft of 6.4 of the EBA Guidelines on PII clarifies that payment institutions according to Art. 1 Para. 1 lit. d) of PSD2, that next to providing PIS and/or AIS are providing other payment services than referred to in Annex I No. 7 and 8 of the PSD2, do need to provide CAs with the PII/comparable guarantee as they are not excluded from this obligation on the basis of Art. 11 Para. 1 of the PSD2. That is although the latter group is also obliged to certain own funds requirements. We do not comprehend the unequal treatment of the described groups of undertakings both intending to provide PIS/AIS and both faced with own funds requirements and would like the EBA to provide us with some justification in that regard. 
Even if - with a final PSD2 - the EBA might lack ways and means to change the overall requirement of a PIS/AIS-authorisation for the outlined group of payment institutions, it should at least consider this apparent imbalance with regard to considering own funds requirements for the activity criterion. In particular as from the perspective of an undertaking which will definitely have to provide the CA with a PII/comparable guarantee as part of its PISP/AISP application, we currently see some market barrier potential for PISP/AISP, resulting from a possible lack of availability of appropriate products, offered by the insurance market (for more details please see our response to Question 7 of the consultation input on hand). From our point of view this overall drafted concept as of today could lead to a competitive advantage for ASPSPs which intend to provide PIS/AIS compared to other PISPs/AISPs.
Question 5: Do you agree how the indicators under the size of activity criterion should be calculated, as proposed in Guideline 7? Please explain your reasoning
(A) PIS-indicator: Total value of all transactions in the last 12 months
With regard to the indicator of total value of all transactions we would like to point out two concerns:
- Calculation of values of transactions in non-EUR currencies: Our understanding is that, e.g. if a PISP is located in an EUR-zone member country, but also initiates payments in member states where the official currency is other than EUR, it would gather the data for each currency separately and convert the resulting sum at the end of each 12 months period into EUR using an average exchange rate for that period. If so, the EBA might want to propose an appropriate reference exchange rate for PISPs to use.
- Relevant contract models: Again, we would like to underline that one PSU can use a Banking Service Provider such as figo in various constellations (see detailed business model description below). According to our current understanding we would only count the value of initiated payments for this indicator in cases of figo acting in a contract model based on its own PISP license and not in cases of figo merely acting as an IT infrastructure/outsourcing service provider for licensed PISPs, incl. ASPSPs offering PIS. If the EBA takes a different view it may object.
- Provided that our standing order feature can be carried on as part of the XS2A interfaces and based on the risk-rationales of the PII’s minimum monetary amount we would propose to cover the creation of standing orders as ‘one initiated payment’, i.e. would consider the “one-time value” as part of the total value indicator (please compare to our response reg. Question 3). We kindly ask the EBA to object, if it takes another view.
(B) AIS-indicator: Number of clients that made use of the service in the last 12 months
With regard to this indicator, we would like to point out various clarifications and/or concerns and kindly encourage the EBA to oppose our following interpretations, if necessary:
- Based on the definition of “client” as part of chapter 2, No. 13 of the EBA Guidelines on PII we generally assume for our purposes that this indicator is used to count PSUs (end-users) and our B2B-contract relationship partner, i.e. non-PSD2-regulated Data Benefit Providers (= charged B2B-service), who only make use of the AIS-data for a user-friendly feature of their actual product range (see our business model description below for further details).
- Also for the purposes of this indicator, we would like to underline that one PSU can use us in various constellations (see detailed business model description below). According to our current understanding we would only count the PSUs for this indicator in cases of figo acting in a contract model based on its own AISP registration and not in cases of figo merely acting as an IT infrastructure/outsourcing service provider for registered AISPs. The latter includes ASPSPs offering AIS.
- Moreover, the provided definition of “clients” from our point of view implies that if a PSU uses figo to deliver his account data to different subjects, i.e. diverse Data Benefit Providers, the number of clients within the meaning of this indicator would be identical with the number of used subjects.
- Another question is which actual set of data should be used to determine the number of clients. This is especially important with regard to accounts for which two or even more natural persons are authorised (e.g. equally authorised spouses using the same account). As ASPSPs provide each person with personal login credentials, different PSUs might make use of different AIS using the same account. In our opinion an appropriate way would be to count the number of different and unique login credential sets that PSUs have applied to make use of the AIS in the last 12 months.
- Last but not least and considering the different use cases for which we provide AIS (see business model description below), figo explicitly points out that from a risk perspective, it is necessary to distinguish between PSUs that only use an AIS once and those that use an AIS permanently. The latter have been and still are rather taken into account by official bodies, as the multibanking-case has been the major practice template for AIS-usage covered by the PSD2. However, figo nowadays deals with a lot of one-time AIS users, e.g. for account validation or credit rating purposes. Obviously, the unique PSU that only uses the AIS once and for the use case of one Data Benefit Provider (i.e. subject) and whose data is deleted afterwards, entails a smaller risk, than the PSU that is using the AIS permanently for multibanking/account alert purposes. That is why we propose that the unique one-time AIS user should be considered in a more proportionate way. For example the EBA could propose to divide the overall number of unique one-time AIS users (i.e. clients) in the last 12 months by a certain number which might be connected to the amount of regular pull/push calls per year - in line with the final Art. 22 Para. 5 (b) of EBA’s RTS-draft on SCA/communication.
Question 6: Do you think the EBA should consider any other criteria and/or indicators to ensure that the minimum amount is adequate to cover the potential liabilities of PISPs/AISPs in accordance with the Directive? Please explain your reasoning.
We think that the overall approach considered by the EBA is sufficient with regard to included criteria and/or indicators.
Question 7: Do you have any other comments or suggestions that you think the EBA should consider in order to ensure that the minimum amount is adequate to cover the potential liabilities of PISPs/AISPs in accordance with the Directive? Please explain your reasoning.
(A) Redundancy of Guideline 8: Comparable guarantee criterion
From our point of view Guideline 8., i.e. 8.1 of the EBA Guidelines on PII, stipulating that “Competent authorities should require the undertakings to hold either the PII, or a comparable guarantee.” is redundant as it does not define any requirement or detail any provision not already contained as part of Art. 5 para. 2 or 3 of the PSD2. Moreover the comparable guarantee as an overall alternative based on the same criteria as the PII, is not a “criterion” itself as stated for this Guideline.
(B) Market barrier instead of intended relief?
At first sight, we welcomed the intended alternative of a PII/comparable guarantee compared to own funds requirements for PISPs/AISPs. However, over the course of dealing with the requirements in detail, we are afraid that the intended relief could become quite a market barrier for TPPs.
During the preparation of our consultation input, we involved two German insurance brokers, providing various contacts to diverse insurers, in order to find a national insurer that might have been interested in providing joint input to this consultation. Unfortunately, we were faced with the following feedback:
- A large number of qualified (special) insurers was interviewed (we can provide the EBA with their names on request and separately to the published consultation input).
- Some of the insurers, incl. industry leaders and credit insurers, have so far neither been aware of the PSD2 nor the according risk to be covered.
- Some specialist insurers do not want to cover the according risk because “presumably a liability without fault” would have to be covered (highest obstacle from brokers’ points of view). In the case of internal, e.g. programming errors, the question of the degree of fault (negligence) arises, e.g. there is no fault with external attacks, that is to say cyber attacks. However this risk has to be covered. For this, there is no suitable existing product that could be modified according to PISPs/AISPs requirements.
- If there should be a newly developed policy, insurers would inter alia have to consider cyber risk coverage.
- Last but not least, insurers are hesitant to invest into according product development because they expect the overall market for the PII to be negligible.
From the point of view of a potential PISP/AISP we would like to add that:
- Cyber risk policies - in market practice - are usually connected to significant insurance fees that probably might not relate to the EBA’s sophisticatedly derived minimum amount at all.
- Especially considering the scope of engagement by EBA Guidelines in general raises further concern, i.e. that CAs across the EU can inform the EBA that they do not intend to comply with the guidelines and state reasons for non-compliance. Referring to our previously outlined feedback from insurers, national authorities might use this market barrier argumentation to not commit themselves to the EBA’s guidelines. Consequently, the EU level playing field for PISPs/AISPs could be undermined with serious impact.
- Last but not least, ASPSPs, e.g. credit institutions, are covered by their own funds requirements and therefore not required to provide authorities with according PII policies. As they can on the other side offer PIS/AIS by themselves, they might have a competitive advantage compared to other PISPs/AISPs due to the outlined market barrier potential of PIIs.
We were surprised when reading that, according to the EBA’s survey, a small number of PISPs/AISPs have “taken out such PII or a cover of a kind similar to PII” as well as that insurance undertakings were approached by the EBA before the guidelines were drafted (see rationale no. 9 and no. 90 of the EBA consultation paper on PII). To support our current understanding, we also tried to involve Insurers Associations for an official statement - however did not receive feedback in time.
We therefore kindly encourage the EBA to actively involve European and national Insurers Associations to discuss the consultation concerns and/or request official statements with regard to the actual intent to provide PISPs/AISPs with according PII policies before the guidelines under consultation are finalised. Only the insurance market itself can make a final assessment, if and under which conditions it is actually able to offer a compliant PII.
(C) Mistake in the calculation of Example 2 in the EBA consultation paper on PII
It appears that we found a mistake in Example 2, outlined by the EBA on page 20 of its consultation paper. Our result (= EUR 548.015) for the calculation of the “minimum monetary amount of the PII/comparable guarantee per calendar year covering all claims resulting from PIS activities” is EUR 40.000 lower than the provided result in the example (= EUR 588.015). Thus we assume that the EBA mistakenly added the indemnity claims resulting from the provision of AIS (= EUR 40.000) to the PIS-result. If we misunderstood the underlying calculation, please provide us with some clarification.
(D) DETAILS WITH REGARD TO OUR BUSINESS MODEL (updated since our last input on EBA RTS on SCA/communication and crucial for the understanding of our concerns outlined above)
As the provided online form does not provide us with the possibility to add further details with regard to our business model, we would like to include the following information as part of Question 7:
We describe figo GmbH as a “Banking Service Provider”. We offer B2B-services relating to the third party payment account access covered by PSD2 as well as services beyond that coverage.
For the purpose of this consultation we focus our further description on the PSD2-scope. In that regard figo GmbH aims at becoming a BaFin-regulated Payment Institution, i.e. a licensed PISP as well as a registered AISP in Germany. Our aspired post-PSD2 services in 2018 might be described on the basis of the following different contractual model options:
(1) figo acting as a licensed PISP by means of contractual relationships with
a. non-PSD2-regulated companies, acting as payees (= charged B2B-service, e.g. for E-Commerce or Factoring companies) OR
b. non-PSD2-regulated companies, acting as Payment Feature Providers (= charged B2B-service, who only make use of the PIS for a user-friendly feature of their actual product range, such as credit transfer by photo or accounting and receivables management applications) AND in either case
c. the payment service users (= free of charge user agreements with payment service users, i.e. payers)
and provided that sensitive payment data is not forwarded to non-PSD2-regulated third parties as well as that any data is not further utilised by figo but only for the provision of the payment initiation service.
(2) figo acting as an AISP subject to registration by means of a contractual relationship with
a. non-PSD2-regulated Data Benefit Providers (= charged B2B-service, who only make use of the AIS-data for a user-friendly feature of their actual product range, such as account change/alert/monitoring providers, comparison portals or credit portals (in the latter case for risk management/credit rating purposes)) as well as
b. the payment service users (= free of charge user agreements with payment service users, i.e. AIS-end users)
and provided that sensitive payment data is not forwarded to non-PSD2-regulated third parties as well as that other data is only forwarded on the basis of an explicit consent by the AIS-end user with forwarding certain earmarked AIS-data to a specific data benefit provider in compliance with relevant data protection rules.
(3) figo acting as a PSD2 services outsourcing partner (IT infrastructure/outsourcing service provider) for licensed or subject to registration PISP or AISP (e.g. AISP/PISP who do not want to build the overall IT infrastructure needed to provide their licensed/registered services or ASPSP providing PIS/AIS services to their customers) and without any contractual relationship with the end-user.
(4) figo acting as a XS2A Service Provider, i.e. an IT infrastructure/outsourcing service provider for ASPSP, who have to build and maintain a PSD2-compliant XS2A interface.
We are aware that options (1b) and (2) were not considered when the PSD2 content was finalised. As a consequence, a few strict interpretations of PSD2 details have been expressed lately, e.g. that Art. 67 para. 2 (f) of PSD2 would imply a similar strict interdiction of further data utilisation by AISP as Art. 66 para. 3 (g) of PSD2 does for PIS.
Today’s advanced market developments however show an urgent need for the proposed overall concept by figo GmbH. Established innovations and successful use cases would be hindered to a large extent, if the described options (1a) and (2) will not be implemented in a legally watertight way. From our point of view, especially context-related use cases of AIS are a major driver of the PSD2-intended innovation. Consumers tend to share their personal data in cases of benefits, such as more convenient and automated user processes. And there is still considerable room for more innovative business concepts on that PSD2-basis, which will lead to further economic growth for the European market, if it is not unnecessarily over-regulated. The law and regulatory requirements have to step in on a second level, i.e. to meet these newly developed market needs and make sure that the processes requested by the consumer are built and maintained in a secure way, instead of generally limiting the consumer’s freedom. A potential strict interdiction of further data utilisation by AISP would only have an unfortunate inhibitory effect on the actually intended innovation by PSD2. In the medium term, consumer freedom will assert itself eventually (see recent antitrust authorities’ decisions in favor of this development in Europe as well as the developments around the EU regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
Assuming accordingly that data benefit providers will be allowed to bring their AIS-featured products to the market, another PSD2 loophole has to be rectified. Given their business model and strategies, the majority of data benefit providers, who only make use of AIS as a small component of their product range do not aim at becoming a registered AISP or being “treated as a payment institution”. That is why today they already make use of market participants like figo GmbH to access the financial resources of their B2C-clients. Looking ahead and based on our extensive business partner experience, data benefit providers want a full PSD2-compliant service support by a regulated AISP next to the option of outsourcing the IT infrastructure needs for AIS-components. They would rather forgo successful consumer friendly features instead of applying for an own AISP-registration. This is due to the fact that from a market perspective the latter overall requires similarly high standards and efforts as becoming a fully licensed payment institution.
Similar conditions apply for contractual model option (1b), i.e. non-PSD2-regulated payment feature providers. These also merely make use of the PIS for a user-friendly feature of their actual product range, such as credit transfer by photo or accounting and receivables management applications. They rely on market participants such as figo to be able to maintain their payment feature products without their own need to apply for a PISP-license.
From our point of view, bundling PISP as well as bundling AISP such as figo provide a win-win situation for all market participants, as implementing contractual model option (1b) and (2) in a legally watertight way would lead to increased consumer and data protection as well as IT-Security by
- upstream (and we propose regulatory binding) “Know Your Third Party”-processes, incl. a risk-based and scaled transfer of PSD2 requirements to data benefit providers and non-PSD2-regulated payment feature providers or payees,
- streamlined and transparent communication processes between PISP/AISP and ASPSP (considering clearly and technically sorted processes for PISP and AISP),
- implementing centrally enforceable and effectively controllable standards from the perspective of EU-wide and national supervisory bodies as well as
- the establishment of high-quality API infrastructure standards.
That is why we hereby make use of the possibility to state that an explicit license exemption for payment feature providers as well as a registration exemption for data benefit providers are needed, on the condition that these market participants engage licensed PISPs/registered AISPs. At best, a fully EU-harmonised clarification can be achieved, e.g. being provided as part of the EBA’s mandate concerning the information to be provided to the competent authorities in the application for the authorisation of payment institutions covered by Art. 5 para. 5 of PSD2.
With regard to our services beyond PSD2 coverage, we would like to share our view with the EBA on how it could have an active role in further fostering innovation and growth developments in the open banking market. In a first step, serious consideration by the EBA of all provided consultation input with regard to a need for clarification on the PSD2 scope helps the market to establish a legally watertight basis, which will consequently foster innovations. ASPSPs can define more clearly which sort of access they can legally monetise, e.g. by offering charged and hence so-called “premium API access” to third parties and on the basis of explicit consent of end-users.
Moreover, we kindly encourage the EBA to clarify in its rationales of the provided RTS draft that PSD2 does not prevent market participants from making bilateral agreements and obtaining explicit customer consent on premium access to banking data beyond the PSD2/RTS limitations. For example, the growing market for XS2B(rokerage) could be actively supported by a clear statement of EBA officials. Given this, the urgently needed and slowly growing cooperation between banking incumbents and fintechs would be actively supported by an EU authority, which would lead to general economic growth for all EU market participants. As a positive side effect, a clear statement in that regard would override the general veto players, who still discuss principles of the PSD2 scope that are no longer questionable after PSD2 entered into force on 12 January 2016. If this view is not shared by the EBA as well as other involved authorities and moreover by banking incumbents, we expect a much slower and more demanding process but eventually still the same result in this matter. From a consumer perspective as well as from a competition law perspective, there is no reasonable ground for a legal discrimination against non-payment accounts.