PSD2 Third Party Provider – Show BaFin you’re not just a technical expert
More than two years ago I started a blog and shared my experiences with other third party service providers, what it means to adjust to the new PSD2 obligations. Among other things, I explained in three parts from June 2016 to September 2016 what is important for the remaining preparation time until a BaFin licence application. Where do we stand now?
Eight months after the “German PSD2”, i.e. the Payment Services Supervision Act 2 (in German: Zahlungsdiensteaufsichtsgesetz – ZAG) came into force, the impact of the new licensing requirements in practise is rather disillusioning.
After active providers of payment initiation services (PIS) and/or account information services (AIS) had to apply for a licence between January 13 and April 13, 2018, BaFin was only able to grant one single PIS/AIS licence out of thirteen PIS and AIS applicants as well as fourteen AIS applicants as of end of September 2018 – namely, in mid-August 2018 to figo (btw: banks offering PIS/AIS do not have to apply for a licence).
Of course I could be happy about that. However, this status quo shows that a PSD2 approval for innovative companies and thus for future innovations in Open Banking presents a real hurdle or at least a delay for these providers. Even for figo, with an early PSD2 focus, it was not an easy journey. Therefore, I would like to share my experiences with other applicants so that they can assess their chances and the requirements necessary for their permission. Namely in the following terms:
Don’t ask what BaFin can do for you, ask what you can do for BaFin!
Supervisory law is complex. But change initiatives have to be brought in afterwards as they take more time than any licence application. More important is focus: which aspects of the Para 10 ZAG-requirement catalogue will bring the biggest hurdles along is extremely company-specific. Therefore, one should try at an early stage to understand the supervisory authority’s view of one’s own company. This also means answering requirements directly in the spirit of “Why could BaFin be interested in this and what should they additionally know in order to understand us and our approach” instead of just collecting all kinds of documents demoralised in a “Really? What else?”-mood.
Let’s take a closer look at the often misjudged hurdles in the licence application process:
- Do not confuse the description of the business model according to Para. 10 Sec. 2 no. 1 ZAG with a boilerplate or a pitch deck! A glance at the corresponding guidelines of the European Banking Authority – EBA (EBA/GL/2017/09) is sufficient to avoid this error. The EBA guidelines describe the expected details for the individual licence application points – chapter 4.1 applies to PIS/AIS applicants and chapter 4.2 to AIS applicants. Guideline 3 states that PIS/AIS must describe their business model in a) to j) parts (or 38 pages in total) and submit sample contracts between all parties involved in the provision of payment services. The good news is that if the business model is clearly described, delimited and explained, it will be easier for BaFin to classify the rest of the application in proportion to the company and its risk.
- Finding an insurance policy for liability insurance that meets the regulatory requirements! In this case there are even separate EBA Guidelines EBA/GL/2017/08 in addition to the associated Guideline 18 of the EBA/GL/2017/09, which deal on 14 pages exclusively with the calculation of the minimum monetary amount of professional liability.
- Provide for the establishment of an internal audit at an early stage! This is only a cumbersome result of the law or the practical interpretation of the ZAG.
- Major outsourcings that have to meet BaFin requirements for outsourcing controlling should not be overlooked! This starts with extensive outsourcing contracts but also with the internal setup of functions and processes and ends with the de facto impossibility of both aspects if you want to fulfill this as a startup or medium-sized company in coop with large US clouds.
- For proof of money laundering prevention, submit a company-specific guideline instead of a sample! In the worst case a mistake of this kind can even threaten the PIS/AIS business model, but in any case lead to unnecessarily high compliance costs. Auditors and supervisors could legitimately demand the implementation of the provided guideline. Then there is already discussion at a detailed level, which makes it difficult to return to a reasonable interpretation of the money laundering law with reference to the risk situation of the company and the law’s purpose.
- Provide for the owner control procedures for a non-owner-managed company at an early stage! In the case of various owners with a > 10 % holding, it can be strenuous to provide all the necessary information per owner or beneficial owner. For owners with more complex legal forms, such as fund structures, the procedure can result in some all-nighters.
- Planning the effort for EU Passporting appropriately! Especially if you want to passport to several countries at the same time according to Para.38 Sec. 2 ZAG, you should not misjudge the efforts.
- And finally, keep in mind the effects of the ZAG and German civil right rules that have been in force since January 2018 on the front-end and the data flow – i.e. the product – as part of the licence application!
Do lawyers and/or consultants help?
Only a few lawyers have managed yet to speak the language of the FinTech industry. The majority will also tend to raise new questions and problems rather than provide solutions for the specific situation. Even BaFin-experienced consultants, who advise banks and financial service providers in the traditional way, will find it very difficult to put their sample schemes over a FinTech startup or product. So it is a challenge already to find suitable experts.
If you aim at a permission you will have to build up internal know-how sooner or later. Although parts can be outsourced, the operative view onto reality through internal compliance officers helps to sustainably comply with supervisory law. As a result, paper piles are avoided that can hardly be handled. And liveable processes mean valuable side effects in addition to the letter of permit, such as legal certainty, effectiveness, quality and thus even employee satisfaction. Young professionals can drive compliance internally and give it a face. In the application process, lawyers are helpful for the contractual parts. Consultants or lawyers can also ensure the quality of the application documents by acting as sparring partners for the internal experts.
What will help is structure, transparency and courage!
In fact, basic things that should not be taken for granted for your team, but should be actively promoted – structure, transparency and courage – help when applying for a licence.
At the end of 2017, BaFin published a very helpful spreadsheet to structure the ZAG requirements and EBA guidelines. It makes sense to start by tailoring each application document to this structure in order to facilitate the work of BaFin. In total, around 100 documents, including annexes, can be the result of this approach.
In addition, applicants should try to speak the language of BaFin. It is particularly important to translate the usual industry slang into an understandable language for third parties.
An application that is appropriate for the addressee does not necessarily mean that you have to quote laws with every complex sentence and write administrative German. So if you are dependent on attorney’s templates, but do not understand the proposed description for your own company, it should at least be questioned. Finding a language for applicants and BaFin should be the primary goal of a transparent licence application in order to save time and resources in the process.
Transparency should also be a goal beyond language. The BaFin is realistic and does not expect miracles from startups. It is therefore advisable to put your cards on the table if there are still gaps. It is better to submit a concrete implementation plan than a copied guideline without any link to the actual company. To provide BaFin with a brilliant implementation that is out of all proportion with reality will not help either in the application process or in the further course of the cooperation.
Moreover, the FinTech regulation itself is still so young that anyone who describes himself as a holistic expert in this respect can quickly be exposed as a poser. And that is why it ultimately helps to provide meaningful solutions from a practical point of view for specific questions, instead of expecting legally certain statements from lawyers or even the BaFin. Be courageous! If the internal experts are convinced of an interpretation because it can be determined in a legally clean manner for their company and, above all, with regard to the purpose of the law, one should rather ignore the lawyer and discuss the issue directly with the supervisory authority, i.e. submit one’s own interpretation as part of the licence application. This holds true especially before otherwise implementing expensive compliance elements that do not appear to be conducive to the purpose of the law.
By when do I have to submit the licence application?
“I want to go live with a PIS/AIS feature in Jan 2019 – when do I have to submit the licence application?” – Three to nine months ago would have been a good time, because the actual duration for PIS and/or AIS permissions is often strongly underestimated (between six and twelve months). In any case, the rule is that you have to get the corresponding permission before a go live of the regulated service. Unfortunately, the market view is blurred here by the PSD2 transition periods (e.g. protection of the status quo according to Para 68 Sec. 1, 2 ZAG) and this basic rule is hardly known.
After all, the BaFin does not yet perceptibly pursue any non-compliance, which additionally weighs the market in an apparent safety . Irrespective of a prosecution and prohibition by the BaFin, third-party service providers will have to provide proof of a corresponding permit for access to banks PSD2 APIs by September 2019 at the latest (though already according to latest experiences in some EU states and presumably as early as March 2019 for test purposes).
Even if one has actually screwed up, i.e. missed a deadline, succumbed to a misunderstanding or is simply uncertain as to one’s own licensing obligations, one should remain transparent: It is better to apologise to BaFin yourself and bring about clarification than to leave this to worried consumers or competitors in the worst case. BaFin pursues non-compliance very publicly, e.g. via the ad hoc newsletter with a corresponding effect for the reputation of the company.
Does a lack of permission mean the end of my service?
If you hardly see a chance to meet the costs of your own permission, you should take a closer look at the figo RegShield. Under certain conditions the RegShield makes it possible to refine your own service offerings with figo PIS and/or AIS services. figo takes care of compliance, while the partner can continue to focus on his use cases and users.