Whilst again the Eurosystem’s initiative to formulate these Recommendations is highly valued, and although the necessity to address the subject matter is not really disputable, as a matter of good policy the Recommendations, in particular but not only where they are the outcome of a choice between several options, should be supported by an impact assessment. Indeed the case for policy maker or regulator intervention in this specific topic has not yet been formally made. As there is no evidence of market failure, such an intervention could – due to the promotion of as yet mostly unregulated and non-supervised providers it entails – trigger undesirable long-term market consequences. Such an impact assessment should i.a. credibly quantify the expected market and competition benefits (duly taking into account losses from potential additional cybercrime activities), and demonstrate that they outweigh compliance costs (e.g. the re-design of existing systems).
Absent from these Recommendations is any reference to the requirement for contractual agreements between the third party provider (TP), the payment account holder, and the account servicing payment service provider (PSP). Although the Eurosystem in previous interactions argued that such absence is justified by the focus of these Recommendations on security, ESBG would submit that contractual agreements that clearly define the service(s) provided by one party to the other, the technical conditions for the provision of this service or services, the respective rights, obligations and liabilities attached to and deriving from the performance of the service(s), and finally the rightful remuneration of the service(s), are essential constituents of a secure environment and hence market confidence.
It must remain the account servicing PSP’s own decision to determine the instruments that it will support at account owner level for the purpose of initiating (or making) withdrawals or payments, or providing information on potential transactions and/or transaction history. A parallel should be made with the cards world: a PSP may choose to offer debit cards to its account holders. Such debit cards could be offered within e.g. either the Visa scheme, or the MasterCard scheme, or another scheme, and there is not – nor should there be – any obligation to offer two or more, or any.
It is unfortunate that these Recommendations remain mute about return on investment, business case, and charging principles for the addressees. Whilst it is certainly understood that the intent of these Recommendations is to focus on security, at the level at which they are formulated the business case dimension, and its implications, cannot be ignored. Indeed, the principle of allowing addressees and market players to recoup investments as they deem suited is a necessary pre-condition, not only for generating the right incentives for market players to promptly implement these Recommendations, but also for ensuring that the latter will not distort the playing field, and will provide for continued innovation in this field.
It would be extremely helpful if the Recommendations made an unambiguous distinction between Key Considerations and/or Best Practices that apply specifically to either Account Information Services or Payment Initiation Services.
“Payment initiation services” would need to be defined with greater accuracy than they currently are in the Glossary to the draft Recommendations. Currently payment initiation services are defined as “internet-based services to initiate payment transactions via payment accounts. The technical implementation of this service can differ based on whether or not the payee is actively involved in the payment initiation and whether the TP’s software is used by the account owner to transmit his/her credentials to the account servicing PSP”. For the sake of removing any ambiguity, this definition should be complemented as follows: “In that process at no moment will the TP be the originator of the payment instruction, nor be the actual or de facto beneficiary of any funds related to the transaction to be authorised”. With respect to account information services the minimum level would be providing a yes/no response as to whether a payment account holds sufficient funds for a certain transaction.
In order to maximise account holder convenience, confidence, and security, these Recommendations should establish the principle that the authentication method of the account holder’s account servicing PSP is used throughout the chain.
It is imperative that these Recommendations do not leave any doubt as to the obligation for national supervisory and regulatory authorities – in due time prior to these Recommendations becoming applicable – to identify, where necessary establish, and mandate an authority or authorities responsible for registering TPs and GAs prior to them commencing activity, and regularly reviewing them.