- EBA Register (under development)
- Central Contact Points (under development)
- Passporting notifications (submitted to EC)
- Strong Customer Authentication and common and secure communication (submitted to EC)
- Coordination between home and host authorities (under development)
- Fraud reporting (under development)
- Professional indemnity insurance for TPPs (finalised)
- Security measures for operational and security risks (under development)
- Procedures for complaints of alleged infringements of PSD2 (under development)
- Major incidents reporting (finalised)
- Authorisation and registration (finalised)
The most important changes for current licence holders ensuing from PSD2, EBA RTS and guidelines are as follows:
Operational and IT requirements
(PSD2 Articles 95-98, RTS 4 and Guidelines 3 and 5)
A payment institution must meet stricter requirements concerning the effective management of operational processes and operational and security risks, and internal and external information requirements. Requirements for payment institutions in this respect include ensuring that data are protected from unauthorised access or processing, strong customer authentication, and secure communication and data storage. Payment institutions must also ensure the availability of data and electronic data processing. They must have systems in place for the classification and reporting of operational and security incidents, as well as a process to report major incidents to DNB.
(PSD2 Article 96 and Guidelines 1 and 5)
Under PSD2, payment institutions are subject to more extensive reporting requirements. This includes the obligation to report major incidents to DNB, which DNB must then report to the ECB and EBA. Payment institutions must also submit statistical data about fraud to the supervisory authority on a regular basis, and at least annually.
(PSD2 Article 15, RTSs 1, 2, 3 and 5)
The EBA maintains a register with notifications. Payment institutions must provide notifications that are up to date. If a payment institution uses several agents for each Member State, the payment institution must designate and manage a Central Point of Contact (CPC). The host supervisory authority has far-reaching powers to request information from the registered agent. See the fact sheet on outgoing notifications for more information.
(PSD2 Article 6)
PSD2 lays out rules for holdings in a payment institution. The implementation of this provision in Dutch law is aligned as far as possible with existing requirements for declarations of no-objection (DNOs) under the Dutch Financial Supervision Act (Wet op het financieel toezicht – Wft) (Sections 3:95, 3:102(1) and 3:103(1)). As a result, owners of a direct or indirect qualifying holding in a licensed payment institution must have a DNO, which means that owners of holdings that represent 10% or more of shares or voting rights must hold a DNO from DNB.
Definition of payment transaction and calculation of own funds requirement
The definition of a payment transaction will remain unchanged for all elements in Title II of PSD2, including the method for calculating own funds under method B.
In due course, the method for calculating the own funds requirement, and the definition of the payment volume parameter in that calculation, will be agreed upon at a European level. Depending on the outcome, the own funds requirement may go up. We will make information available as soon as we have it.