The Financial Data and Technology Association has responded to the European Banking Authority’s consultation on authorisation and registration under PSD2.
The responses (submitted online) are:
Q1: Do you consider the objectives of the Guidelines as identified by the EBA to be plausible and complete? If not, please provide your reasoning.
FDATA considers the objectives to be plausible and almost complete. Our key concern, though, is to ensure that smaller applicants providing narrower services are not subject to the same requirements as large multi-state applicants with broad services. An adjustable, tiered system would be preferable to facilitate this.
Q2: Do you agree with the options the EBA has chosen regarding the identification of payment services by the applicant; the way information is to be submitted to the competent authority; the four-part structure of the Guidelines, and the inclusion of authorisation for electronic money institutions? If not, please provide your reasoning.
FDATA has no objections to these chosen options. However, we would ask you to clarify the process for an applicant with multiple lines of business.
Q3: Do you consider it helpful how the EBA has incorporated proportionality measures in the Guidelines in line with PSD2? If not, please explain your reasoning and propose alternative approaches.
FDATA does consider this helpful and has no specific objection. In general terms, however, we would ask the EBA to constantly assess whether barriers to entry are too high and may stifle innovation. Would the EBA consider an exemption for some applicants under defined conditions?
Q4: Do you agree with the Guidelines on information required from applicants for the authorisation as payment institutions for the provision of services 1-8 of Annex I of PSD2, as set out in chapter 4.1? If not, please provide your reasoning.
Please treat this answer as a catch-all for questions 4, 5 and 6.
Again, FDATA’s key concern here is the potential stifling of innovation which would result from barriers to entry for early-stage applicants. In this respect, the requirements around business plans, marketing and forecasting seem overly onerous.
Secondly, some of the information required appears too granular and technical in nature and lacks focus on the more important issue of the quality of an applicant’s information security management system.
Furthermore, for applicants with dynamic, cloud-based systems, some of the information requested is likely to change on a regular basis. We would ask the EBA to clarify whether notification of every change would be required.
In all these cases, it is possible to be more selective in the information required and still ensure that the approval process ensures only well-qualified applicants.
Finally, we would ask the EBA to clarify why ISO27001 has not been recommended as a standard to apply, having been mentioned in the Regulatory Technical Standards and recommended by the UK’s Open Banking Standard. Adoption of this would reduce the workload on competent authorities.
Q5: Do you agree with the Guidelines on information required from applicants for registration for the provision of only service 8 of Annex I PSD2 (account information services), as set out in chapter 4.2? If not, please provide your reasoning.
See answer 4.
Q6: Do you agree with the Guidelines on information requirements for applicants for authorisation as electronic money institutions, as set out in chapter 4.3? If not, please provide your reasoning.
See answer 4.
Q7: Do you consider the Guidelines regarding the assessment of completeness of the application, as set out in chapter 4.4 to be helpful? If not, please provide your reasoning.
FDATA would recommend an addition. We would ask the EBA to explicitly state how long an incomplete application can wait before it is invalidated, after which a new application will be required.