Although Payment Initiation Service Providers (“PISPs”) and Account Information Service Providers (“AISPs”) do not hold client funds when exclusively providing those services – as per the revised Payment Services Directive (the “PSD2”) – and as such are not faced with ‘own funds’ requirements, it is important that they are capable of meeting their liabilities in relation to their activities.
In light of this, the European Banking Authority (the “EBA”) is working on developing EBA Guidelines (the “Guidelines”) on the criteria to be used by Member States in establishing the minimum monetary amount of Professional Indemnity Insurance (“PII”) or comparable guarantee.
This applies to PISPs for payment service providers’ liability for unauthorized payment, for non-execution, defective or late execution of payment transactions, and for the right of recourse. It is also applicable to AISPs against their liability with regard to the Account Servicing Payment Service Provider (“ASPSP”) or the payment service user resulting from unauthorized or fraudulent access to or use of, payment account information.
In preparation of the three-month consultation paper that will be published in the summer of 2016, for the proposal on the abovementioned criteria, the EBA is urging ASPSPs, PISPs, and AISPs to fill in the applicable questionnaire, which will assist the authority in developing appropriate criteria to be covered by the Guidelines. The questionnaires are divided in two: one for ASPSPs, and one for PISPs and AISPs.
The questionnaire for ASPSPs asks questions relating to the ASPSP’s knowledge of PISPs and AISPs that are accessing their accounts, including the number of accounts being accessed and how often queries are made by the PISPs and AISPs in this regard.
In addition to this, the questionnaire also delves into the monitoring of values of payment transactions initiated by a PISP; measures against compensation claims related to unauthorized payments; and measures against compensation claims related to IT risks and/or cybercrime.
Lastly, for the ASPSPs that have insurance as one of their measures against unauthorized payments, the EBA requires the criteria used by the insurance undertaking when assessing whether or not a claim related to unauthorized payments, IT risks and cybercrime is covered by the insurance policy. If there are any exclusions specified in the insurance policy, with regard to unauthorized payments, IT-attacks and cybercrime, they must be specifically stated.
PISPs and AISPs are being asked to fill in the same questionnaire, made up of common questions for both service providers, and specific questions for the respective service providers. The common section is divided into business model-related questions; and IT-related questions. The business model questions are about the business characteristics of each respondent – type of institution, number of countries services are provided in, customers, and additional services offered. Additional information will need to be provided in order to describe the business model. The service providers will need to state the likeliness of having to adjust their business models to fulfil the requirements of the PSD2 with regard to the PII or comparable guarantee.
The IT-related questions are aimed at identifying the level of compliance with certain IT Standards that each service provider has, as well as the total budget for IT Security, in order to determine the likeliness of the business being exposed to certain threats. Other questions relate to the data centres used by the service providers.
The questions that are specifically for PISPs to answer relate to the payment transactions initiated by the service providers. As for AISPs, the questions relate to the service providers’ access to different payment accounts in the last year, as well as an estimation of the number of payment accounts that will be accessed.
The final criteria will most likely be published by January 2017, and will then need to be used by national authorities to determine the minimum monetary amount of the PII or comparable guarantee. This will become applicable in the respective national jurisdictions from January 2018.