Out-Law News

PSD2 firms will need to share business plans and incident response procedures with regulators


Businesses operating in the payments market will need to pass details to regulators of their business plan, procedures for handling security incidents and sensitive payment data, and measures to ensure service continuity, under new EU payment services laws.

Disclosure of the information will be necessary under draft guidelines (82-page / 580KB PDF) published by the European Banking Authority (EBA) if payment providers, e-money businesses and account information service providers (AISPs) wish to win authorisation, or complete registration in the case of AISPs, under the new Payment Services Directive (PSD2).

Other details the businesses will need to share with regulators include information about their governance arrangements and internal control mechanisms, evidence of their initial capital, a description of outsourcing agreements and the programme of operations the companies engage in. Payment service providers (PSPs) must also disclose further information on the measures they take to safeguard payment service user funds.

The draft EBA guidance sets out what types of information the companies will have to share about their business plan.

"The business plan to be provided … should contain: a marketing plan consisting of: an analysis of the payments market; an analysis of the company’s competitive position; a description of clients, marketing materials and distribution channels; the main conclusions of any marketing research carried out," the EBA said.

The regulator said existing companies should also disclose "certified annual accounts of the previous three years" where they are available, while businesses that have not yet produced annual accounts should submit "a summary of the financial situation". Other details that need to be shared by a firm about its business plan include "a forecast budget calculation for the first three financial years that demonstrates that [they are] … able to employ appropriate and proportionate systems, resources and procedures that allow [them] to operate soundly".

Under the EBA's proposals, payments market firms will also be required to "provide a description of the procedure in place to monitor, handle and follow up on security incidents and security-related customer complaints". The disclosure should include details of "the procedures for the reporting of incidents, including the communication of these reports to internal or external bodies, including notification of major incidents to [national regulators]", as well as information on the "monitoring tools used and the follow-up measures and procedures in place to mitigate security risks".

Regulators should also be provided with information from firms on the processes they have in place for filing, monitoring, tracking and restricting access to "sensitive payment data", according to the EBA's draft guidance.

Further details of the procedures for authorising access to sensitive payment data, the firms' "access rights policy", will also have to be disclosed. All firms, other than payment initiation service providers (PISPs), will also need to outline how that data is to be collected, and how they anticipate the data being used, both internally and by third parties.

Under the proposals, firms will also need to provide regulators with details of the IT security measures that have been "implanted", as well as with a list of those who can access the sensitive payment data. They will also be expected to share how they plan to detect and address breaches and outline "an annual internal control program in relation to the safety of the IT systems".

The firms will also have to demonstrate their ability to handle potential service disruptions. They will need to disclose how they would intend to "deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; inaccessibility of premises; and loss of key persons", and highlight to regulators their system back-up arrangements and the "key software and data" they would be looking to "recover from a disaster or disruption", amongst other information.

The EBA's draft guidelines are open for consultation until 3 December.

PSD2 came into force earlier this year and will need to be implemented into national laws across the EU by 13 January 2018.

The EBA has been tasked with setting technical and regulatory guidance on some aspects of the new laws. It has already produced draft guidance on issues such as on strong customer authentication and on calculating the level of professional indemnity insurance, or other comparable guarantee, that PISPs and AISPs will have to put in place under PSD2.
