paul@paulfoleylaw.ie
22 Northumberland Road, Ballsbridge, Dublin 4
INTRO
INSIGHTS

PSD2 in Ireland: authorisation steps

By
Paul Foley
Key points in applying for a Payment Services Authorisation in Ireland under the European Union (Payment Services) Regulations as amended (PSRs)

MARCH 15 2021: The scope of Payment Services Directive 2 (Directive (EU) 2015/2366) currently includes the 27 EU Member States, plus three Member States of the European Economic Area (EEA, i.e. Norway, Iceland and Liechtenstein).

PSD2 requires an authorisation for the provision of seven (7) different types of payment services (and see below in relation to AIS) and these payment services are defined in some detail in article 4 of Directive (EU) 2015/2366 (PSD2), are further explained in certain recitals to PSD2, are listed in Annex I to PSD2 and in the Schedule to the PSRs. Two of the payment services are new, being payment initiation services (PIS) (which enable the payer to avoid using a credit card) and account information services (AIS) . The provision of AIS services (called RAIS in the UK) requires an application for registration with the CBOI. The authorisation requirements and registration requirement applies/apply to payment services providers who are payment institutions.

Payment institutions may engage in certain ancillary activities to the extent permitted by regulation 29(1) of the PSRs and may grant credit relating to the payment services as referred to in paragraphs (4) or (5) of the Schedule to the extent permitted by regulation 29(4) of the PSRs (not reproduced here).

A payment institution must not conduct the business of taking deposits or other repayable funds, within the meaning of Article 9 of Directive 2013/36/EU (regulation 29(5) of the PSRs).

PSD2 is supplemented by Commission Delegated Regulation (EU) 2018/389 (PSD2 Regulation), which amongst other things creates regulatory technical standards for (i) strong customer authentication (SCA) of which the SCA exemptions are of particular importance, but are complex, (ii) application program interfaces of credit institutions, interfacing with other credit institutions and payment services providers and (iii) for secure communication.

The requirements of the PSD2 Regulation and PSD2 are very significant from the perspective of developing the applicant’s payment services software and the drafting of the applicant’s terms of business.

Preliminary issues including Fitness and Probity

An applicant seeking authorisation/registration as a Payment Institution (PI) or Electronic Money Institution (EMI) must be a corporate body constituted under Irish law and it must have its head office, and its registered office, in Ireland . In order to meet the requirements of regulation 21 of the PSRs, an applicant PI must carry out at least part of its payment services business in Ireland.

Long before making an application, it is vital for the applicant to have gone through the (i) CBOI Application Form of May 2018 (though it can change) its Guidance Note; (ii) the CBOI Anti Money Laundering, Counterterrorist Financing and Financial Sanctions Pre Authorisation Risk Evaluation questionnaire , (iii) the Qualifying Holding Application Forms and (iv) as regards Fitness and Probity, the relevant Individual Questionnaire (IQ) for each person who will hold a PCF role (typically board members, senior management and key function holders). These documents are accessible through this link >.

Guidance on Fitness and Probity is currently accessible through this link > and the related CBOI “Dear CEO Letter” of 17 November 2020 on compliance with the Fitness and Probity Regime is accessible here >.

Connected to Fitness and Probity, are the Minimum Competency Code and the Minimum Competency Regulations which will often change: these need to be checked for applicability.

Initial Regulatory Capital required (Article 7 PSD2)

For AIS (service 8 of the Schedule to the PSRs) is Nil; Money Remittance (service 6 of the Schedule to the PSRs) is €20,000, PIS (service 7 of the Schedule to the PSRs) is €50,000. For the other payment services (services 1-5 of the Schedule to the PSRs) is €125,000.

For EMIs, Initial Capital Required EMI is €350,000 or for Small EMI is €125,000 .

Own Funds (Articles 8 and 9 PSD2)

For applicants who wish to provide any or all of the payment services 1 to 6, these are calculated using one of three methods A, B or C (as determined by the CBOI) in Articles 8 and 9 of PSD2 ( regulations 9 to 16 of the PSRs). Where an applicant intends to provide non electronic money related payment services, they must ensure that calculations under A, B and C are all provided. The Central Bank is obliged to direct the firm to calculate its own funds requirement under one of these methods

Generally see pages 19 to 21 of the CBOI Guidance Note which explains the issues related to Own Funds including the additional requirements for EMIs clearly .

Application for a PI or EMI: documents to be submitted (Article 5 of PSD2)

The CBOI application form requires the submission of the following documents with it:

  • A programme of operations setting out in particular the type of payment services envisaged. This document needs to include with it a copy of the framework contract, as defined in Article 4(21) of PSD2;

  • A business plan including a forecast budget calculation for the first 3 financial years which demonstrates that the applicant is able to employ the appropriate and proportionate systems, resources and procedures to operate soundly;

  • Evidence that the payment institution holds initial capital as provided for in Article 7;

  • For the payment institutions referred to in Article 10(1) of PSD2, a description of the measures taken for safeguarding payment service users’ funds in accordance with Article 10 (regulation 17(2) of the PSRs) ;

  • A description of the applicant’s governance arrangements and internal control mechanisms, including administrative, risk management and accounting procedures, which demonstrates that those governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate;

  • A description of the procedure in place to monitor, handle and follow up a security incident and security-related customer complaints, including an incidents reporting mechanism which takes account of the notification obligations of the payment institution laid down in Article 96 of PSD2.

  • A description of the process in place to file, monitor, track and restrict access to sensitive payment data. ‘sensitive payment data’ means information, including personalised security credentials, which could be used to carry out fraud; but in relation to account information services and payment initiation services does not include the name of an account holder or an account number. Guideline 10(1) of the CBOI application form sets out ten requirements in this context. The related CBOI Guidance refers to various EDPD Guidelines and an EBA Opinion. The words “personalised security credentials” are of considerable importance as they appear throughout the PSRs and the PSD2 Regulation. In accordance with Article 94 (1) of the PSD2, any processing of personal data , including the provision of information about the processing, for the purposes of the PSD2 must be carried out in accordance with the GDPR and with the PSD2 Regulation. In practice regulation 117 on Data Protection, regulations 90 to 94 and 120 of the PSRs are relevant as is the entire of the PSD2 Regulation.

  • A description of business continuity arrangements including a clear identification of the critical operations, effective contingency plans and a procedure to regularly test and review the adequacy and efficiency of such plan. Guideline 11 of the application form sets out the requirements under (five) headings.

  • A description of the principles and definitions applied for the collection of statistical data on performance, transactions and fraud. Guideline 12 of the application form sets out a list of six (6) requirements for this document. References to fraud appear throughout PSD2, the PSRs, the PSD2 Regulation and in the EBA Guidelines. Consequently rights and obligations/liabilities in the case of fraud and fraud reporting needs to be reflected in the design of the payment services software and in the payment service provider terms of business.

    For example regulation 76 (e)(ii) of the PSRs requires a payment service provider, to provide information to a payment service user, as regards the secure procedure for notification of the payment service user in the event of suspected or actual fraud or security threats. Regulation 119(6) of the PSRs (Article 96(6) of PSD2) requires a payment service provider to provide, at least on an annual basis, statistical data on fraud relating to different means of payment to the competent authority of its home Member State.

  • A security policy document, including a detailed risk assessment in relation to its payment services and a description of security control and mitigation measures taken to adequately protect payment service users against the risks identified, including fraud and illegal use of sensitive and personal data. A PSP’s operational and security risk obligations are contained in regulations 118 to 120 of the PSRs. The requirements for this document are set out in the relevant EBA ICT and Security Risks Guidelines.

  • The EBA Guidelines must be applied in a manner that is proportionate to the nature, scope and complexity of the PSPs’ businesses and the corresponding ICT and security risks. The Guidelines are compatible with the three lines of defence model, with the ICT operational units being the first line of defence.

  • Internal Control Mechanisms to Comply with Obligations in Relation to Money Laundering and Terrorist Financing (AML/CFT obligations) section 14 of the Application Form. The applicant (other than AISP applicants) must complete and submit the Anti-Money Laundering, Counter-Terrorist Financing and Financial Sanctions Pre-Authorisation Risk Evaluation Questionnaire for Payment Institution and Electronic Money Institution Applicants.

    EU anti money laundering and counter terrorist financing laws have been substantially harmonised by The Fourth Money Laundering Directive (Directive 2015/849) (MLD4), the Wire Transfer Regulation (Regulation 2015/847 (WTR), and the Fifth Money Laundering (Directive 2018/843 (MLD5) (which Member States have had to have implement by the 10th of January 2020). A summary of this regime is set out on this website here>.

  • A Central Bank Qualifying Holding Application Form in respect of each direct and indirect qualifying holder in the applicant must accompany the application as well as a completed IQ in respect of each person seeking to hold a PCF role in the applicant.

  • AISPs. An application for an AIS authorisation must as a condition of their registration, hold a professional indemnity insurance covering the territories in which they offer services, or some other comparable guarantee against their liability vis-à-vis the account servicing payment service provider or the payment service user resulting from non-authorised or fraudulent access to or non-authorised or fraudulent use of payment account information.

Key Stages in the Application Process.

The CBOI has set out clearly on its website what are the Key Stages of the Application process.

It is essential an applicant uses a legal firm with the knowledge and experience to advise on and help apply and draft all the documents referred to above. This is particularly true as regards the Security Policy document. The writer has such knowledge and experience.

(ENDS)


March 2021 © Copyright Paul Foley – All Rights Reserved.
For advice on any aspect covered in this report, contact Paul Foley

Law Society of Ireland S3846 and F10040
Law Society of England and Wales SRA number 209146
  

map-markerenvelopetagarrow-left linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram