PSD2: a journey in (regulatory) innovation | Regulatory Risk | Deloitte Netherlands


PSD2: a journey in (regulatory) innovation

How to get onboard?

With the PSD2 having entered into force through an amendment in the Dutch Financial Supervision Act and changes to other regulations, a new stage in this regulatory innovation journey has commenced for the Dutch payment industry. The first wave of institutions have already made progress on their journey, but some may still have aspirations and are just about to embark. In this blog we would like to share some of our thoughts on this.

By Stephan Ong & Martin Eleveld | March 26, 2019

For retailers, market places, booking agents, utilities and financial services providers, PSD2 – and Open Banking – are potential game changers. Some players will step up and become a payment institution. Where do these players start and what does it require?

In essence, an applicant will have to show that it has a viable business model and the ability to control the risks. In our view, a multi-disciplinary and integrated effort on projects such as these leads to a more effective and comprehensive end-result. This will facilitate competitive advantages in business-as-usual once the authorisation process has been successfully completed.

So, what is needed to be allowed to provide services in this market?

The answer to this question depends on an applicant’s current status.

  • If you are a bank, you may want to look at new services (AISP or/and PISP) and include these in your product offering. This, in turn, requires changes to existing business models and underlying processes, procedures and policies. Note that providing such services in another member state would require notifications by the bank to the host-state supervisor.
  • If you are an existing licensed or exempted PSP, you may want ‘to upgrade’ your license with AISP/PISP services or take a leap to get a full license and not operate under the exemption. If you already had a license under PSD1, you need to proceed with the PSD2 re-authorisation.
  • For other parties and new entrants, the potential of being able to initiate payments or process payments data may prove to be a key element to propel new business opportunities or enhance risk management that might improve customer service.

In any event, your first port of call is the competent authority (in the Netherlands the Dutch Central Bank, ‘DNB’). Note that depending on the type of license, the requirements differ, in particular for ‘pure’ AISPs (to which certain elements do not apply). These can be conceptually broken down into the following four parts.

1. Business Model & Strategy

Elements which usually cause difficulties in application processes and might need extra attention are:

  • A clear and comprehensive business case, showing that:
    - there is a consistent and robust business model;
    - which encompasses realistic projections for the next three years; and
    - also shows what can happen in an adverse scenario.
  • A recovery- and exit plan;
    - knowing what metrics to use to gauge and measure the company’s ‘health’;
    - what to do to recover when the company gets into trouble; and
    - how to wind-down (if this would ever occur) your services with minimal impact on customers.
  • A clear diagram showing how the money flows (if applicable, not for ‘pure’ AISPs/PISPs).

2. Governance & Risk Management

There are also certain focus areas often referred to as ‘controlled business operations’ (beheerste bedrijfsvoering). Within this realm, there are many aspects to take into account, but a few require specific mentioning:

  • A thorough, consistent and holistic description of processes, roles and responsibilities (often a three lines of defense model ‘3LoD’ is advocated for financial institutions).
  • A risk analysis that is in tune with the business case and risk appetite which has a broad scope with areas ranging from IT risk to Compliance & Legal risk to Data and Information Security.
  • Outsourcing that complies with EBA/DNB guidelines.
  • Fit & Proper testing of management by DNB, which includes quite some documentation and preparation from the candidates.
  • Declaration of No-Objection (verklaring van geen bezwaar) for parties having a qualified holding (not applicable for ‘pure’ AISPs).
  • A link towards AML/CFT rules and setup the processes required in this field (e.g. a Systematic Integrity Risk Analysis, SIRA).

3. IT/Infrastructure

Although this element is formally within the remit of controlled business operations, it deserves a separate mentioning as it will be a critical part of all new activities, in particular for PSPs:

  • Adequate processing of personal data (interlinked to GDPR).
  • Data security and retention policies.
  • Incident reporting processes.
  • Secure Customer Authentication (SCA).

4. Financial Risks (financial soundness)

Here you will see some distinction between the type of parties (existing PSPs vs ‘pure-play’ AISPs/PISPs):

  • For ‘pure-play’ AISPs/PISPs’ this would not be the most stringent part to comply with (compared for example to banks or insurers), but the financial soundness needs to be covered through adequate insurance for legal liability.
  • For existing PSPs with other types of licenses, some fairly straightforward prudential requirements apply. Naturally, regulators like buffers and would, therefore, expect some additional capital so that there is a comfortable margin above the minimum level. 
  • If there are client funds that flow through a PSP, it is required that these funds are either segregated in a separate legal entity or are fully insured.

Next steps...

The team at Deloitte is well positioned to assist in all these matters (and more) such as in the area of Business Model & Strategy (Consulting), formal processes (Tax & Legal), Financial Risks (FRM), Regulatory and Compliance (Regulatory Risk), IT risk and implementation (Cyber and IT Consulting). We invite you to reach out to the persons below for any questions you may have in the authorisation process.

In order to get on the authorisation journey, preparation on the topics above and the actual filing of the application is of course key.

For the next edition of this blog, we will ask a (former) supervisor in the field of Market Access to provide a top 5 of tips & tricks. Watch this space.

More information

Feel free to contact Martin, Stephan or Christiaan via their contact details below.

Did you find this useful?