Directive (EU) 2015/2366 of the European Parliament and of the CouncilShow full title

Section 1 General rules

Article 5Applications for authorisation

1.For authorisation as a payment institution, an application shall be submitted to the competent authorities of the home Member State, together with the following:

(a)a programme of operations setting out in particular the type of payment services envisaged;

(b)a business plan including a forecast budget calculation for the first 3 financial years which demonstrates that the applicant is able to employ the appropriate and proportionate systems, resources and procedures to operate soundly;

(c)evidence that the payment institution holds initial capital as provided for in Article 7;

(d)for the payment institutions referred to in Article 10(1), a description of the measures taken for safeguarding payment service users’ funds in accordance with Article 10;

(e)a description of the applicant’s governance arrangements and internal control mechanisms, including administrative, risk management and accounting procedures, which demonstrates that those governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate;

(f)a description of the procedure in place to monitor, handle and follow up a security incident and security related customer complaints, including an incidents reporting mechanism which takes account of the notification obligations of the payment institution laid down in Article 96;

(g)a description of the process in place to file, monitor, track and restrict access to sensitive payment data;

(h)a description of business continuity arrangements including a clear identification of the critical operations, effective contingency plans and a procedure to regularly test and review the adequacy and efficiency of such plans;

(i)a description of the principles and definitions applied for the collection of statistical data on performance, transactions and fraud;

(j)a security policy document, including a detailed risk assessment in relation to its payment services and a description of security control and mitigation measures taken to adequately protect payment service users against the risks identified, including fraud and illegal use of sensitive and personal data;

(k)for payment institutions subject to the obligations in relation to money laundering and terrorist financing under Directive (EU) 2015/849 of the European Parliament and of the Council(1) and Regulation (EU) 2015/847 of the European Parliament and of the Council(2), a description of the internal control mechanisms which the applicant has established in order to comply with those obligations;

(l)a description of the applicant’s structural organisation, including, where applicable, a description of the intended use of agents and branches and of the off-site and on-site checks that the applicant undertakes to perform on them at least annually, as well as a description of outsourcing arrangements, and of its participation in a national or international payment system;

(m)the identity of persons holding in the applicant, directly or indirectly, qualifying holdings within the meaning of point (36) of Article 4(1) of Regulation (EU) No 575/2013, the size of their holdings and evidence of their suitability taking into account the need to ensure the sound and prudent management of a payment institution;

(n)the identity of directors and persons responsible for the management of the payment institution and, where relevant, persons responsible for the management of the payment services activities of the payment institution, as well as evidence that they are of good repute and possess appropriate knowledge and experience to perform payment services as determined by the home Member State of the payment institution;

(o)where applicable, the identity of statutory auditors and audit firms as defined in Directive 2006/43/EC of the European Parliament and of the Council(3);

(p)the applicant’s legal status and articles of association;

(q)the address of the applicant’s head office.

For the purposes of points (d), (e) (f) and (l) of the first subparagraph, the applicant shall provide a description of its audit arrangements and the organisational arrangements it has set up with a view to taking all reasonable steps to protect the interests of its users and to ensure continuity and reliability in the performance of payment services.

The security control and mitigation measures referred to in point (j) of the first subparagraph shall indicate how they ensure a high level of technical security and data protection, including for the software and IT systems used by the applicant or the undertakings to which it outsources the whole or part of its operations. Those measures shall also include the security measures laid down in Article 95(1). Those measures shall take into account EBA’s guidelines on security measures as referred to in Article 95(3) when in place.

2.Member States shall require undertakings that apply for authorisation to provide payment services as referred to in point (7) of Annex I, as a condition of their authorisation, to hold a professional indemnity insurance, covering the territories in which they offer services, or some other comparable guarantee against liability to ensure that they can cover their liabilities as specified in Articles 73, 89, 90 and 92.

3.Member States shall require undertakings that apply for registration to provide payment services as referred to in point (8) of Annex I, as a condition of their registration, to hold a professional indemnity insurance covering the territories in which they offer services, or some other comparable guarantee against their liability vis-à-vis the account servicing payment service provider or the payment service user resulting from non-authorised or fraudulent access to or non-authorised or fraudulent use of payment account information.

4.By 13 January 2017, EBA shall, after consulting all relevant stakeholders, including those in the payment services market, reflecting all interests involved, issue guidelines, addressed to the competent authorities, in accordance with Article 16 of Regulation (EU) No 1093/2010 on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantee referred to in paragraphs 2 and 3.

In developing the guidelines referred to in the first subparagraph, EBA shall take account of the following:

(a)the risk profile of the undertaking;

(b)whether the undertaking provides other payment services as referred to in Annex I or is engaged in other business;

(c)the size of the activity:

(d)the specific characteristics of comparable guarantees and the criteria for their implementation.

EBA shall review those guidelines on a regular basis.

5.By 13 July 2017, EBA shall, after consulting all relevant stakeholders, including those in the payment services market, reflecting all interests involved, issue guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010 concerning the information to be provided to the competent authorities in the application for the authorisation of payment institutions, including the requirements laid down in points (a), (b), (c), (e) and (g) to (j) of the first subparagraph of paragraph 1 of this Article.

EBA shall review those guidelines on a regular basis and in any event at least every 3 years.

6.Taking into account, where appropriate, experience acquired in the application of the guidelines referred to in paragraph 5, EBA may develop draft regulatory technical standards specifying the information to be provided to the competent authorities in the application for the authorisation of payment institutions, including the requirements laid down in points (a), (b), (c), (e) and (g) to (j) of paragraph 1.

Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.

7.The information referred to in paragraph 4 shall be notified to competent authorities in accordance with paragraph 1.

Article 6Control of the shareholding

1.Any natural or legal person who has taken a decision to acquire or to further increase, directly or indirectly, a qualifying holding within the meaning of point (36) of Article 4(1)of Regulation (EU) No 575/2013 in a payment institution, as a result of which the proportion of the capital or of the voting rights held would reach or exceed 20 %, 30 % or 50 %, or so that the payment institution would become its subsidiary, shall inform the competent authorities of that payment institution in writing of their intention in advance. The same applies to any natural or legal person who has taken a decision to dispose, directly or indirectly, of a qualifying holding, or to reduce its qualifying holding so that the proportion of the capital or of the voting rights held would fall below 20 %, 30 % or 50 %, or so that the payment institution would cease to be its subsidiary.

2.The proposed acquirer of a qualifying holding shall supply to the competent authority information indicating the size of the intended holding and relevant information referred to in Article 23(4) of Directive 2013/36/EU.

3.Member States shall require that where the influence exercised by a proposed acquirer, as referred to in paragraph 2 is likely to operate to the detriment of the prudent and sound management of the payment institution, the competent authorities shall express their opposition or take other appropriate measures to bring that situation to an end. Such measures may include injunctions, penalties against directors or the persons responsible for the management, or the suspension of the exercise of the voting rights attached to the shares held by the shareholders or members of the payment institution in question.

Similar measures shall apply to natural or legal persons who fail to comply with the obligation to provide prior information, as laid down in this Article.

4.If a holding is acquired despite the opposition of the competent authorities, Member States shall, regardless of any other penalty to be adopted, provide for the exercise of the corresponding voting rights to be suspended, the nullity of votes cast or the possibility of annulling those votes.

Article 7Initial capital

Member States shall require payment institutions to hold, at the time of authorisation, initial capital, comprised of one or more of the items referred to in Article 26(1)(a) to (e) of Regulation (EU) No 575/2013 as follows:

Article 8Own funds

1.The payment institution’s own funds, shall not fall below the amount of initial capital as referred to in Article 7 or the amount of own funds as calculated in accordance with Article 9 of this Directive, whichever is the higher.

2.Member States shall take the necessary measures to prevent the multiple use of elements eligible for own funds where the payment institution belongs to the same group as another payment institution, credit institution, investment firm, asset management company or insurance undertaking. This paragraph shall also apply where a payment institution has a hybrid character and carries out activities other than providing payment services.

3.If the conditions laid down in Article 7 of Regulation (EU) No 575/2013 are met, Member States or their competent authorities may choose not to apply Article 9 of this Directive to payment institutions which are included in the consolidated supervision of the parent credit institution pursuant to Directive 2013/36/EU.

Article 9Calculation of own funds

1.Notwithstanding the initial capital requirements set out in Article 7, Member States shall require payment institutions, except those offering only services as referred to in point (7) or (8), or both, of Annex I, to hold, at all times, own funds calculated in accordance with one of the following three methods, as determined by the competent authorities in accordance with national legislation:

• Method A

  The payment institution’s own funds shall amount to at least 10 % of its fixed overheads of the preceding year. The competent authorities may adjust that requirement in the event of a material change in a payment institution’s business since the preceding year. Where a payment institution has not completed a full year’s business at the date of the calculation, the requirement shall be that its own funds amount to at least 10 % of the corresponding fixed overheads as projected in its business plan, unless an adjustment to that plan is required by the competent authorities.

• Method B

  The payment institution’s own funds shall amount to at least the sum of the following elements multiplied by the scaling factor k defined in paragraph 2, where payment volume (PV) represents one twelfth of the total amount of payment transactions executed by the payment institution in the preceding year:

  (a)

  4,0 % of the slice of PV up to EUR 5 million;

  plus

  (b)

  2,5 % of the slice of PV above EUR 5 million up to EUR 10 million;

  plus

  (c)

  1 % of the slice of PV above EUR 10 million up to EUR 100 million;

  plus

  (d)

  0,5 % of the slice of PV above EUR 100 million up to EUR 250 million;

  plus

  (e)

  0,25 % of the slice of PV above EUR 250 million.

• Method C

  The payment institution’s own funds shall amount to at least the relevant indicator defined in point (a), multiplied by the multiplication factor defined in point (b) and by the scaling factor k defined in paragraph 2.

  (a)

  The relevant indicator is the sum of the following:

  (i)

  interest income;

  (ii)

  interest expenses;

  (iii)

  commissions and fees received; and

  (iv)

  other operating income.

  Each element shall be included in the sum with its positive or negative sign. Income from extraordinary or irregular items shall not be used in the calculation of the relevant indicator. Expenditure on the outsourcing of services rendered by third parties may reduce the relevant indicator if the expenditure is incurred from an undertaking subject to supervision under this Directive. The relevant indicator is calculated on the basis of the 12-monthly observation at the end of the previous financial year. The relevant indicator shall be calculated over the previous financial year. Nevertheless own funds calculated according to Method C shall not fall below 80 % of the average of the previous 3 financial years for the relevant indicator. When audited figures are not available, business estimates may be used.

  (b)

  The multiplication factor shall be:

  (i)

  10 % of the slice of the relevant indicator up to EUR 2,5 million;

  (ii)

  8 % of the slice of the relevant indicator from EUR 2,5 million up to EUR 5 million;

  (iii)

  6 % of the slice of the relevant indicator from EUR 5 million up to EUR 25 million;

  (iv)

  3 % of the slice of the relevant indicator from EUR 25 million up to 50 million;

  (v)

  1,5 % above EUR 50 million.

2.The scaling factor k to be used in Methods B and C shall be:

(a)0,5 where the payment institution provides only the payment service as referred to in point (6) of Annex I;

(b)1 where the payment institution provides any of the payment services as referred to in any of points (1) to (5) of Annex I.

3.The competent authorities may, based on an evaluation of the risk-management processes, risk loss data base and internal control mechanisms of the payment institution, require the payment institution to hold an amount of own funds which is up to 20 % higher than the amount which would result from the application of the method chosen in accordance with paragraph 1, or permit the payment institution to hold an amount of own funds which is up to 20 % lower than the amount which would result from the application of the method chosen in accordance with paragraph 1.

Article 10Safeguarding requirements

1.The Member States or competent authorities shall require a payment institution which provides payment services as referred to in points (1) to (6) of Annex I to safeguard all funds which have been received from the payment service users or through another payment service provider for the execution of payment transactions, in either of the following ways:

(a)funds shall not be commingled at any time with the funds of any natural or legal person other than payment service users on whose behalf the funds are held and, where they are still held by the payment institution and not yet delivered to the payee or transferred to another payment service provider by the end of the business day following the day when the funds have been received, they shall be deposited in a separate account in a credit institution or invested in secure, liquid low-risk assets as defined by the competent authorities of the home Member State; and they shall be insulated in accordance with national law in the interest of the payment service users against the claims of other creditors of the payment institution, in particular in the event of insolvency;

(b)funds shall be covered by an insurance policy or some other comparable guarantee from an insurance company or a credit institution, which does not belong to the same group as the payment institution itself, for an amount equivalent to that which would have been segregated in the absence of the insurance policy or other comparable guarantee, payable in the event that the payment institution is unable to meet its financial obligations.

2.Where a payment institution is required to safeguard funds under paragraph 1 and a portion of those funds is to be used for future payment transactions with the remaining amount to be used for non-payment services, that portion of the funds to be used for future payment transactions shall also be subject to the requirements of paragraph 1. Where that portion is variable or not known in advance, Member States shall allow payment institutions to apply this paragraph on the basis of a representative portion assumed to be used for payment services provided such a representative portion can be reasonably estimated on the basis of historical data to the satisfaction of the competent authorities.

Article 11Granting of authorisation

1.Member States shall require undertakings other than those referred to in points (a), (b), (c), (e) and (f) of Article 1(1) and other than natural or legal persons benefiting from an exemption pursuant to Article 32 or 33, who intend to provide payment services, to obtain authorisation as a payment institution before commencing the provision of payment services. An authorisation shall only be granted to a legal person established in a Member State.

2.Competent authorities shall grant an authorisation if the information and evidence accompanying the application complies with all of the requirements laid down in Article 5 and if the competent authorities’ overall assessment, having scrutinised the application, is favourable. Before granting an authorisation, the competent authorities may, where relevant, consult the national central bank or other relevant public authorities.

3.A payment institution which, under the national law of its home Member State is required to have a registered office, shall have its head office in the same Member State as its registered office and shall carry out at least part of its payment service business there.

4.The competent authorities shall grant an authorisation only if, taking into account the need to ensure the sound and prudent management of a payment institution, the payment institution has robust governance arrangements for its payment services business, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective procedures to identify, manage, monitor and report the risks to which it is or might be exposed, and adequate internal control mechanisms, including sound administrative and accounting procedures; those arrangements, procedures and mechanisms shall be comprehensive and proportionate to the nature, scale and complexity of the payment services provided by the payment institution.

5.Where a payment institution provides any of the payment services as referred to in points (1) to (7) of Annex I and, at the same time, is engaged in other business activities, the competent authorities may require the establishment of a separate entity for the payment services business, where the non-payment services activities of the payment institution impair or are likely to impair either the financial soundness of the payment institution or the ability of the competent authorities to monitor the payment institution’s compliance with all obligations laid down by this Directive.

6.The competent authorities shall refuse to grant an authorisation if, taking into account the need to ensure the sound and prudent management of a payment institution, they are not satisfied as to the suitability of the shareholders or members that have qualifying holdings.

7.Where close links as defined in point (38) of Article 4(1) of Regulation (EU) No 575/2013 exist between the payment institution and other natural or legal persons, the competent authorities shall grant an authorisation only if those links do not prevent the effective exercise of their supervisory functions.

8.The competent authorities shall grant an authorisation only if the laws, regulations or administrative provisions of a third country governing one or more natural or legal persons with which the payment institution has close links, or difficulties involved in the enforcement of those laws, regulations or administrative provisions, do not prevent the effective exercise of their supervisory functions.

9.An authorisation shall be valid in all Member States and shall allow the payment institution concerned to provide the payment services that are covered by the authorisation throughout the Union, pursuant to the freedom to provide services or the freedom of establishment.

Article 12Communication of the decision

Within 3 months of receipt of an application or, if the application is incomplete, of all of the information required for the decision, the competent authorities shall inform the applicant whether the authorisation is granted or refused. The competent authority shall give reasons where it refuses an authorisation.

Article 13Withdrawal of authorisation

1.The competent authorities may withdraw an authorisation issued to a payment institution only if the institution:

(a)does not make use of the authorisation within 12 months, expressly renounces the authorisation or has ceased to engage in business for more than 6 months, if the Member State concerned has made no provision for the authorisation to lapse in such cases;

(b)has obtained the authorisation through false statements or any other irregular means;

(c)no longer meets the conditions for granting the authorisation or fails to inform the competent authority on major developments in this respect;

(d)would constitute a threat to the stability of or the trust in the payment system by continuing its payment services business; or

(e)falls within one of the other cases where national law provides for withdrawal of an authorisation.

2.The competent authority shall give reasons for any withdrawal of an authorisation and shall inform those concerned accordingly.

3.The competent authority shall make public the withdrawal of an authorisation, including in the registers referred to in Articles 14 and 15.

Article 14Registration in the home Member State

1.Member States shall establish a public register in which the following are entered:

(a)authorised payment institutions and their agents;

(b)natural and legal persons benefiting from an exemption pursuant to Article 32 or 33, and their agents; and

(c)the institutions referred to in Article 2(5) that are entitled under national law to provide payment services.

Branches of payment institutions shall be entered in the register of the home Member State if those branches provide services in a Member State other than their home Member State.

2.The public register shall identify the payment services for which the payment institution is authorised or for which the natural or legal person has been registered. Authorised payment institutions shall be listed in the register separately from natural and legal persons benefiting from an exemption pursuant to Article 32 or 33. The register shall be publicly available for consultation, accessible online, and updated without delay.

3.Competent authorities shall enter in the public register any withdrawal of authorisation and any withdrawal of an exemption pursuant to Article 32 or 33.

4.Competent authorities shall notify EBA of the reasons for the withdrawal of any authorisation and of any exemption pursuant to Article 32 or 33

Article 15EBA register

1.EBA shall develop, operate and maintain an electronic, central register that contains the information as notified by the competent authorities in accordance with paragraph 2. EBA shall be responsible for the accurate presentation of that information.

EBA shall make the register publicly available on its website, and shall allow for easy access to and easy search for the information listed, free of charge.

2.Competent authorities shall, without delay, notify EBA of the information entered in their public registers as referred to in Article 14 in a language customary in the field of finance.

3.Competent authorities shall be responsible for the accuracy of the information specified in paragraph 2 and for keeping that information up-to-date.

4.EBA shall develop draft regulatory technical standards setting technical requirements on development, operation and maintenance of the electronic central register and on access to the information contained therein. The technical requirements shall ensure that modification of the information is only possible by the competent authority and EBA.

EBA shall submit those draft regulatory technical standards to the Commission by 13 January 2018.

Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.

5.EBA shall develop draft implementing technical standards on the details and structure of the information to be notified pursuant to paragraph 1, including the common format and model in which this information is to be provided.

EBA shall submit those draft implementing technical standards to the Commission by 13 July 2017.

Power is conferred on the Commission to adopt the implementing technical standards referred to in the first subparagraph in accordance with Article 15 of Regulation (EU) No 1093/2010.

Article 16Maintenance of authorisation

Where any change affects the accuracy of information and evidence provided in accordance with Article 5, the payment institution shall, without undue delay, inform the competent authorities of its home Member State accordingly.

Article 17Accounting and statutory audit

1.Directives 86/635/EEC and 2013/34/EU, and Regulation (EC) No 1606/2002 of the European Parliament and of the Council(4), shall apply to payment institutions mutatis mutandis.

2.Unless exempted under Directive 2013/34/EU and, where applicable, Directive 86/635/EEC, the annual accounts and consolidated accounts of payment institutions shall be audited by statutory auditors or audit firms within the meaning of Directive 2006/43/EC.

3.For supervisory purposes, Member States shall require that payment institutions provide separate accounting information for payment services and activities referred to in Article 18(1), which shall be subject to an auditor’s report. That report shall be prepared, where applicable, by the statutory auditors or an audit firm.

4.The obligations established in Article 63 of Directive 2013/36/EU shall apply mutatis mutandis to the statutory auditors or audit firms of payment institutions in respect of payment services activities.

Article 18Activities

1.Apart from the provision of payment services, payment institutions shall be entitled to engage in the following activities:

(a)the provision of operational and closely related ancillary services such as ensuring the execution of payment transactions, foreign exchange services, safekeeping activities, and the storage and processing of data;

(b)the operation of payment systems, without prejudice to Article 35;

(c)business activities other than the provision of payment services, having regard to applicable Union and national law.

2.Where payment institutions engage in the provision of one or more payment services, they may hold only payment accounts which are used exclusively for payment transactions.

3.Any funds received by payment institutions from payment service users with a view to the provision of payment services shall not constitute a deposit or other repayable funds within the meaning of Article 9 of Directive 2013/36/EU, or electronic money as defined in point (2) of Article 2 of Directive 2009/110/EC.

4.Payment institutions may grant credit relating to payment services as referred to in point (4) or (5) of Annex I only if all of the following conditions are met:

(a)the credit shall be ancillary and granted exclusively in connection with the execution of a payment transaction;

(b)notwithstanding national rules on providing credit by credit cards, the credit granted in connection with a payment and executed in accordance with Article 11(9) and Article 28 shall be repaid within a short period which shall in no case exceed 12 months;

(c)such credit shall not be granted from the funds received or held for the purpose of executing a payment transaction;

(d)the own funds of the payment institution shall at all times and to the satisfaction of the supervisory authorities be appropriate in view of the overall amount of credit granted.

5.Payment institutions shall not conduct the business of taking deposits or other repayable funds within the meaning of Article 9 of Directive 2013/36/EU.

6.This Directive shall be without prejudice to Directive 2008/48/EC, other relevant Union law or national measures regarding conditions for granting credit to consumers not harmonised by this Directive that comply with Union law.