Response to consultation on the Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance under PSD2

Question 1: Do you agree with the requirement that competent authorities require undertakings to review, and if necessary re-calculate, the minimum monetary amount of the PII or comparable guarantee, and that they do so at least on an annual basis, as proposed in Guideline 8?

The purpose of this consultation is to establish the criteria which will enable the minimum monetary amount of professional indemnity insurance held by payment initiation service providers (“PISPs”) and Account Information Service Providers (“AISPs”) to be stipulated.

To prepare this “Consultation Paper”, the EBA specifies that it has consulted market players, particularly insurance companies (cf. Rationale 7).

On the question of establishing the criteria for providing insurance cover, the FBF considers that it would have been helpful if the EBA had provided more information regarding the applicable regulatory framework as regards insurance, and particularly in terms of professional indemnity insurance, and reported on the viewpoints and directions expressed by the insurance companies that were consulted in the early stages (such as the appetite of insurance companies to propose this type of insurance, other principal characteristics of the latter including the inclusion or not of excesses, the conditions, timeframes and terms of execution, etc.).

As regards the indicators and formula proposed in this “Consultation Paper”, the FBF regrets that they are based essentially on “quantitative” data (the number of contracts and clients, monetary amount of claims, etc.) and that a “qualitative” approach of the means implemented by the PISPs/AISPs, which have an impact on the level of risks involved, has not been considered. It therefore appears essential to analyze and take into account all the concrete risks involved, especially for account servicing payment service providers (ASPSPs) and their clients, due to these activities, particularly the risk of data “leaks” and the fraud that may arise from this. Indeed, such consideration appears essential before determining a minimum insurance cover. In the absence of addressing all these risks, the FBF fears that the minimum monetary amount of insurance required following application of the proposed formula will not be sufficient to cover a claim of this nature.

Here too, it would have been helpful if the EBA had reported more extensively on the viewpoints and directions expressed by insurance industry professionals, consulted beforehand.

Lastly, although the Directive provides for the use of a “comparable guarantee” for professional indemnity insurance, the FBF is surprised that the EBA specifies neither its specific characteristics nor the conditions, timeframes and terms of execution, etc.

Regarding question 1, the requirement for PISPs/AISPs to annually re-examine the minimum monetary amount of the PII or the comparable guarantee and, if necessary, to re-calculate it, is not sufficient.

Based on the PISP/AISP producing relevant supporting documentation, the competent authority must monitor proper observance of compulsory insurance and the correlation between the guaranteed monetary amount and its business volume.

Guidelines should stipulate that this monitoring be carried out at the time of the request for approval but also on a regular basis, at a suitable frequency, e.g., at yearly intervals, along the same lines provided in France for financial intermediaries registered with Orias (French organization for registering insurance intermediaries). The frequency should be less than once a year for companies that have just set up in business.

Furthermore, the competent authority should always be able to ensure that the PISPs/AISPs are guaranteed (insurance or comparable guarantee) up to the level of their business volume and are able to meet their responsibilities, if required. The PISP/AISP must always be able to justify that the monetary amount of insurance is adequate in relation to its business volume.

PISPs/AISPs must undertake to immediately declare any change in their circumstances in relation to their last situation presented to the supervisory authority and/or to the insurer, particularly any significant change as a result of applying the formula.
In the event of a settled claim, the PISP/AISP agrees to maintain an insurance with a monetary guarantee amount equal to that determined initially or adapted in relation to their business volume, after application of the formula as appropriate (a kind of “revolving” insurance).

The insurance policy may be for a specific period (e.g., 12 months) which may not be cancelled apart from a termination option upon expiry of same. Terms and conditions for renewal and cancellation should be specified, as well as disclosure formalities, in such a way that the authority and account holders are informed of any termination well before it becomes effective. The guidelines should clearly indicate the minimum period (1 year, 2 years, etc.), the terms and conditions for renewal and cancellation, as well as the disclosure formalities.

It would be helpful if a dedicated register lists information relating to the insurances or comparable guarantees taken out for each PISP/AISP and that this be regularly updated.

Considering the liability that rests on the account holder, the guidelines should stipulate that any excess provision in the insurance policy agreed by the PISP/AISP is unenforceable against the account holder.

PISPs/AISPs will be required to declare their statistics to the Banque de France. The Banque de France should thus be able to monitor their business activities. Consequently, the supervisory authority should also be able to verify whether the monetary amount of the insurance or the comparable guarantee matches the volume of operations actually carried out.

It is essential that the insurance covers, in addition to professional liability, fraud and “cyber” risks.

Question 2: Do you agree with the formula to be used by competent authorities when calculating the minimum monetary amount of the PII or comparable guarantee as proposed in Guideline 3? Please explain your reasoning

Regarding question 2, for us, the choice of applying a mathematical formula does not appear an appropriate guarantee in the event of fraud (including the fraudulent use of data).

The formula does not distinguish between the fact that an error has arisen during the transaction or whether there has been a fraudulent use of data (the amount of the fraud could greatly exceed the amount of operations carried out).

The formula does not consider quantitative data.

From our point of view, it should consider certain qualitative data, particularly the conditions under which AISPs/PISPs archive their data, their supervision and processing procedures in the event of security incidents, the security measures they implement (data access restriction and access traceability), their internal control procedures and personnel training.

The formula should also allow for the procedures established by AISPs/PISPs aimed at complying with other applicable rules, for example those concerning the protection of personal data, especially in data storage and processing.

From our point of view, applying the proposed formula can only lead to insufficient minimum guarantee monetary amounts, compared to the monetary amounts that would be required following a full and concrete analysis of risks, as would be carried out by an insurer. It would be helpful if the EBA could specify what position was adopted by the insurers interviewed prior to this “consultation paper”.

Do insurers only consider the criteria and indicators provided in the formula? Do they carry out their own risk analysis on other criteria and, if so, which ones (the economic situation, the past record of claims as regards the profession, etc.)?

As we see it, the primary risk is a breach of data and this risk is not taken into account by the formula. The EBA should be able to draw on existing insurance policies that already cover loss of data and the resulting financial losses.

Question 3: Do you agree with the indicators under the risk profile criterion and how these should be calculated, as proposed in Guideline 5? Please explain your reasoning.

Regarding question 3, the lowest tier level is too low compared, for example, to some mandatory professional indemnity insurance policies in France. In the same way, financial investment advisers must be insured up to an amount of 150,000 euros for natural persons and 300,000/600,000 euros for legal entities.
Intermediaries involved in banking operations and payment services must demonstrate a minimum monetary guarantee of 500,000/800,000 euros per year.

The risk incurred, especially in the case of fraud or cyber-attack, is exponential for an account servicing payment service provider (ASPSP) compared to that arising from its relations with Banking Intermediaries and Payment Services, for example.

The “Value of indemnity claims received” indicator: Requests for indemnity (article 5.1 to 5.5 and recital 47): consideration of only the last 12 months is not sufficient. Which criteria should be taken into account for companies that are just setting up? Should not other criteria be considered? Should the indicator for companies which have been operating for several years, over a longer period (the last 4 or 5 years, for example) be considered, thus allowing for a more accurate calculation? Would it be useful to know the position of insurers interviewed prior to this “consultation paper”?

The “Geographical location of the undertaking” of the PISP/AISP indicator: the additional cost in the event of activity outside the EU (cf. recital 51) does not appear to be relevant and sufficient. This additional cost should be calculated on the basis of a concrete risk analysis.
The number of contracts with the PISP and number of transactions: an additional indicator should be provided relative to the average monetary amount of transactions. For example, PISPs initiating small value transactions, which are presently the subject of mass frauds, are potentially more at risk.

The number of accounts to which AISPs have access: it would be more appropriate if, in addition to the number of accounts, the formula considers the outstanding amounts aggregated by the AISP. These must be taken into account in the risk analysis, as well as the number of contracts.

Question 4: Do you agree how the indicators under the type of activity criterion should be calculated, as proposed in Guideline 6? Please explain your reasoning.

Regarding question 4, the formula applied to the AISP (operating several businesses) should consider the outstanding amounts aggregated by the AISP and the number of contracts.
Furthermore, it would be helpful if the indicators take into account the types of clientele (natural persons, businesses and professionals). The risk level is not the same, irrespective of whether it concerns legal entities or natural persons.
The risk appears to be more frequent in the case of individuals and more significant in monetary amounts for professionals.

Question 5: Do you agree how the indicators under the size of activity criterion should be calculated, as proposed in Guideline 7? Please explain your reasoning

Regarding question 5, the formula applied to the AISP needs to consider the outstanding amounts aggregated by the AISP and the number of accounts per customer.

As for PISPs, in addition to the total value of transactions, the formula should address the number of transactions. The risk level is not the same, irrespective of whether it concerns legal entities or natural persons. The risk appears to be more frequent in the case of individuals and more significant in monetary amounts for professionals.

Question 6: Do you think the EBA should consider any other criteria and/or indicators to ensure that the minimum amount is adequate to cover the potential liabilities of PISPs/AISPs in accordance with the Directive? Please explain your reasoning.

Regarding question 6, we understand that it is the AISP/PISP who will choose the insurance or comparable guarantee. It is therefore essential that, as provided for in article 4.d) of the directive, the EBA determines the specific features of this comparable guarantee and the conditions, timeframes and terms of execution, etc.

From our point of view, other than quantitative criteria, the EBA should consider certain qualitative data, especially the conditions regarding data archiving by the AISPs/PISPs, their supervision and processing procedures in the event of security incidents, the security measures they implement (data access restriction and access traceability), their internal control procedures and personnel training.

The formula should also allow for the procedures established by AISPs/PISPs aimed at complying with other applicable rules, for example those concerning the protection of personal data, especially in data storage and processing.

As for the criterion regarding the size of the activity, the formula applied to the AISP needs to consider the outstanding amounts aggregated by the AISP and the number of accounts per customer. As for PISPs, in addition to the total value of transactions, the formula should address the number of transactions.

Question 7: Do you have any other comments or suggestions that you think the EBA should consider in order to ensure that the minimum amount is adequate to cover the potential liabilities of PISPs/AISPs in accordance with the Directive? Please explain your reasoning.

Regarding question 7, the risks of penalties borne by the AISPs/PISPs by way of other regulations and likely to have an impact on their solvency must equally be taken into consideration. As an example, this is the same for penalties in the event of failure to comply with the regulations in terms of data protection (10,000,000 EUR and 2% of worldwide annual turnover).

Please select which category best describes you and/or your organisation

Credit institution

Please select which category best describes the services provided by you/your organisation

Other

Name of organisation

French Banking Federation (FBF)