Out-Law News 1 min. read
28 Sep 2016, 4:23 pm
The draft guidance produced by the EBA (42-page / 342KB PDF) is designed to inform regulatory requirements national authorities will be required to impose on payment initiation service providers (PISPs) and account information service providers (AISPs) under PSD2.
The EBA is tasked, under the directive, with issuing guidelines for regulators on "the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantee" that PISPs and AISPs are obliged to put in place under PSD2.
The guidelines must be in place before 13 January 2017. The EBA said they would apply from 13 January 2018. The draft guidelines produced by the EBA are open to consultation until 30 November.
Under PSD2, PISPs must obtain authorisation from national regulators in the EU to carry out their activities, while AISPs must be registered. One of the conditions of authorisation for PISPs, or registration for AISPs, is that the companies take out professional indemnity insurance covering the EU countries in which they operate, or "some other comparable guarantee" against their liabilities that arise under the directive.
The liabilities PISPs could face under the directive include obligations to compensate payment account providers for losses sustained or refunds they have paid to consumers following unauthorised payment transactions. The companies could also be liable for non-execution, defective or late execution of payment transactions.
For AISPs, the insurance cover must apply to their potential liability for "non-authorised or fraudulent access to or non-authorised or fraudulent use of payment account information".
In its draft guidance, the EBA said that the minimum value of professional indemnity cover, or comparable guarantee, PISPs and AISPs will require should be calculated on the basis of a formula.
The amount should reflect the risk profile of the company, the scope of the activities they provide and the size of the activity firms carry out, the EBA said. According to the directive, an assessment of the size of PISPs should be based on "the value of the transactions initiated" by those companies. For AISPs, the number of clients they have is the relevant measure.
The EBA's draft guidance provides some detail on how those factors should be accounted for by regulators.
The EBA is responsible for issuing a raft of guidance on regulatory and technical standards under PSD2. In August it set out draft proposals on strong customer authentication which saud that banks and other payment service providers (PSPs) will not be able to rely on "behavioural data" as a means of authenticating prospective transactions under PSD2.
PSD2 came into force earlier this year and will need to be implemented into national laws across the EU by 13 January 2018.