Author name: Janetta

EMA responds to Czech Republic PSD2 consultation

The EMA submitted a response to the Czech Ministry of Finance’s consultation on the implementation of PSD2 in the Czech Republic. The consultation web-page can be found here, and the existing Czech Payments Systems Act (Regulation no. 284/2009 Coll.) here.

The consultation asks for stakeholders’ views regarding the specific options where Member States may diverge from the PSD2 requirements. The EMA response focuses primarily on those options that will affect EMIs, PIs and CIs passporting into the Czech Republic, whether by way of freedom of establishment or by freedom of services.

The response argues:

• Against any requirement for a Central Contact Point for PSPs passporting into the Czech Republic under the Freedom of Establishment, as this is unnecessarily burdensome, particularly for small Fintech companies
• In favour of a harmonised framework across the EEA in general, as this will decrease barriers for firms wishing to access markets across the EEA
• Against any requirement to provide the monthly transaction statement in paper format, as this is not coherent with the average customer profile of many EMA members, who often open, access and use their accounts remotely

Read the EMA response here.

EMA responds to EBA Consultation on Passporting under PSD2

See the EBA consultation details here.

The EMA has responded to the EBA’s consultation on regulatory technical standards (RTS) on the framework for cooperation and exchange of information between competent authorities for passport notifications under PSD2. These draft RTS set out templates for passporting, services passporting, agent passporting, and establishment passporting. They also set out a template for distributor passporting. These templates could have a significant impact on PSPs passporting to other EU Member States, including where any services are outsourced to another EU Member State.

The EMA’s response welcomes the standardisation of passporting notifications, as this may improve efficiencies for both regulators and firms. However, there are a number of concerns raised by the EMA in the response.

PSD2 provides for two types of passporting to be undertaken. These are based on the principle of mutual recognition set out in the Treaty of the European Union (“Treaty”). The first is freedom to offer services and the second is the right of establishment. However, the draft format conflates these concepts by requiring one form for both. Not only is this unhelpful from an administrative perspective, but it may result in Member State authorities treating passport entities as established entities. The EMA has accordingly proposed:
– that two forms are used – one for passporting under Freedom of Services, and one for Freedom of Establishment
– a separate, third form should be used for the outsourcing of services
– a definition of “distributor” would help distinguish between agents and distributors in terms of operation and legal responsibilities.

Read the EMA response here.

EMA response to FCA Guidance consultation on outsourcing to the cloud

Read about FCA’s consultation here.

The EMA responded to the FCA’s recent consultation on the use of cloud IT service providers This is of significant interest for many Fintechs and innovative PSPs who rely on such outsourcers to deliver many important functions. The FCA draft guidance in a number of areas (i.e. Legal and regulatory considerations, Effective access to Systems Data, Access to business premises) will likely have a significant impact on existing outsourcerrelationships. Based on the current draft, it is likely that many existing service contracts would have to be re-negotiated and possibly terminated with the financial service providers bearing additional costs and corresponding impact on existing operations.

The EMA’s response calls on the FCA to take into account current technology trends and market dynamics when drafting the Final Guidance on this topic. Currently, many regulated firms have limited negotiating leverage to introduce any changes to the standard service delivery agreements offered by the large, reputable cloud IT service providers.

The EMA’s response suggests that instead the Guidance focus on:
(1) additional criteria for a regulated firm to consider when establishing a cloud-service outsourcer due diligence process, and
(2) setting up a robust service review & monitoring framework; for example ensuring a service provided by a cloud-based outsourcer meets agreed key performance indicators (“KPIs”).

Read the EMA response here.

The EMA has responded to the EBA’s discussion paper on strong customer authentication and secure communication under PSD2. This discussion paper asks for views from stakeholders regarding a number of topics that the EBA proposes to address in the regulatory technical standards it will develop to support compliance with the PSD2 security requirements (including the practicalities around strong customer authentication, dynamic linking of customer authentication with individual transaction information and secure intra-PSP communication).

The EMA’s response:
– raises concerns regarding the minimum 10-month time gap between the time PSD2 comes into force and the earliest date that the EBA RTS may be implemented;
– calls for a risk- and principles-based approach rather than delving into prescriptive detail or producing exhaustive lists of security controls/transaction types;
– expresses concern about the negative consequences of an EU standard that is overly prescriptive or diverges significantly from global standards, as many EMA members operate outside the EU;
– calls for the definition of a governance framework (used to assess compliance of individual solutions/products) with the RTS.

The EMA response also requests:
– further clarification around the category of payment activities that might benefit from the ‘risk-based’ exemption frjaneom the requirement to complete strong customer authentication (SCA): Many online account access interactions (i) do not expose sensitive payment data or payment user credentials and (ii) cannot be used to alter existing account settings; thus, they do not give rise to payment fraud risks.
– a flexible approach with regards to the requirements to ‘dynamically link’ each payment with information about the payee and payment amount, as this will introduce significant friction to the user experience with little benefit in terms of security of payment transaction.

Read the EMA response here.

EMA response to HMRC on Extension of data-gathering powers

Read about HMRC’s consultation here.

The EMA has responded to HMRC’s consultation on draft legislation intended to tackle the ‘hidden economy’ of tax avoidance by extending their powers to gather bulk data on transactions by customers of electronic PSPs and business intermediaries. This would give HMRC the legal power to require electronic PSPs (ePSPs) and business intermediaries to report bulk transaction data on their customers on a regular (annual, quarterly or potentially monthly) basis.

The EMA has two main concerns in relation to the draft legislation. Firstly, whilst the intention is only to capture income received in the course of business, the current legal drafting would not preclude HMRC from requesting bulk data related to certain consumer accounts as well as business accounts. Secondly, there is no intention of collecting equivalent data from other PSPs, such as banks. We believe that not only would this have a negative impact on consumer trust in relation to ePSP accounts by raising data privacy concerns, it would place ePSPs at a disadvantage to other PSPs such as banks, who would not be required to provide equivalent information.

On that basis, the EMA’s response proposes amendments to the legislation in several areas:
1. A narrowing of the defintion of electronic PSP
2. A narrowing of the types of payment transactions that can be captured
3. A narrowing of the type of payment recipient whose transaction data can be captured
4. A clarification that merchant acquirers should be excluded, as they are already covered under existing powers.

Read the EMA response here.