Article 5
Applications for authorisation
1.
For authorisation as a payment institution, an application shall be submitted to the competent authorities of the home Member State, together with the following:
(a)
a programme of operations setting out in particular the type of payment services envisaged;
(b)
a business plan including a forecast budget calculation for the first 3 financial years which demonstrates that the applicant is able to employ the appropriate and proportionate systems, resources and procedures to operate soundly;
(c)
evidence that the payment institution holds initial capital as provided for in Article 7;
(d)
for the payment institutions referred to in Article 10(1), a description of the measures taken for safeguarding payment service users’ funds in accordance with Article 10;
(e)
a description of the applicant’s governance arrangements and internal control mechanisms, including administrative, risk management and accounting procedures as well as arrangements for the use of ICT services in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council ( 4 ), which demonstrates that those governance arrangements and internal control mechanisms are proportionate, appropriate, sound and adequate;
(f)
a description of the procedure in place to monitor, handle and follow up a security incident and security related customer complaints, including an incident reporting mechanism which takes account of the notification obligations of the payment institution laid down in Chapter III of Regulation (EU) 2022/2554;
(g)
a description of the process in place to file, monitor, track and restrict access to sensitive payment data;
(h)
a description of business continuity arrangements including a clear identification of the critical operations, effective ICT business continuity policy and plans and ICT response and recovery plans and a procedure to regularly test and review the adequacy and efficiency of such plans in accordance with Regulation (EU) 2022/2554;
(i)
a description of the principles and definitions applied for the collection of statistical data on performance, transactions and fraud;
(j)
a security policy document, including a detailed risk assessment in relation to its payment services and a description of security control and mitigation measures taken to adequately protect payment service users against the risks identified, including fraud and illegal use of sensitive and personal data;
(k)
for payment institutions subject to the obligations in relation to money laundering and terrorist financing under Directive (EU) 2015/849 of the European Parliament and of the Council ( 5 ) and Regulation (EU) 2015/847 of the European Parliament and of the Council ( 6 ), a description of the internal control mechanisms which the applicant has established in order to comply with those obligations;
(l)
a description of the applicant’s structural organisation, including, where applicable, a description of the intended use of agents and branches and of the off-site and on-site checks that the applicant undertakes to perform on them at least annually, as well as a description of outsourcing arrangements, and of its participation in a national or international payment system;
(m)
the identity of persons holding in the applicant, directly or indirectly, qualifying holdings within the meaning of point (36) of Article 4(1) of Regulation (EU) No 575/2013, the size of their holdings and evidence of their suitability taking into account the need to ensure the sound and prudent management of a payment institution;
(n)
the identity of directors and persons responsible for the management of the payment institution and, where relevant, persons responsible for the management of the payment services activities of the payment institution, as well as evidence that they are of good repute and possess appropriate knowledge and experience to perform payment services as determined by the home Member State of the payment institution;
(o)
where applicable, the identity of statutory auditors and audit firms as defined in Directive 2006/43/EC of the European Parliament and of the Council ( 7 );
(p)
the applicant’s legal status and articles of association;
(q)
the address of the applicant’s head office.
For the purposes of points (d), (e) (f) and (l) of the first subparagraph, the applicant shall provide a description of its audit arrangements and the organisational arrangements it has set up with a view to taking all reasonable steps to protect the interests of its users and to ensure continuity and reliability in the performance of payment services.
The security control and mitigation measures referred to in point (j) of the first subparagraph shall indicate how they ensure a high level of digital operational resilience in accordance with Chapter II of Regulation (EU) 2022/2554, in particular in relation to technical security and data protection, including for the software and ICT systems used by the applicant or the undertakings to which it outsources the whole or part of its operations. Those measures shall also include the security measures laid down in Article 95(1) of this Directive. Those measures shall take into account EBA’s guidelines on security measures as referred to in Article 95(3) of this Directive, when in place.
2.
Member States shall require undertakings that apply for authorisation to provide payment services as referred to in point (7) of Annex I, as a condition of their authorisation, to hold a professional indemnity insurance, covering the territories in which they offer services, or some other comparable guarantee against liability to ensure that they can cover their
liabilities as specified in Articles 73, 90 and 92.
3.
Member States shall require undertakings that apply for registration to provide payment services as referred to in point (8) of Annex I, as a condition of their registration, to hold a professional indemnity insurance covering the territories in which they offer services, or some other comparable guarantee against their liability vis-à-vis the account servicing payment service provider or the payment service user resulting from non-authorised or fraudulent access to or non-authorised or fraudulent use of payment account information.
4.
By 13 January 2017, EBA shall, after consulting all relevant stakeholders, including those in the payment services market, reflecting all interests involved, issue guidelines, addressed to the competent authorities, in accordance with Article 16 of Regulation (EU) No 1093/2010 on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantee referred to in paragraphs 2 and 3.
In developing the guidelines referred to in the first subparagraph, EBA shall take account of the following:
(a)
the risk profile of the undertaking;
(b)
whether the undertaking provides other payment services as referred to in Annex I or is engaged in other business;
(c)
the size of the activity:
(i)
for undertakings that apply for authorisation to provide payment services as referred to in point (7) of Annex I, the value of the transactions initiated;
(ii)
for undertakings that apply for registration to provide payment services as referred to in point (8) of Annex I, the number of clients that make use of the account information services;
(d)
the specific characteristics of comparable guarantees and the criteria for their implementation.
EBA shall review those guidelines on a regular basis.
5.
By 13 July 2017, EBA shall, after consulting all relevant stakeholders, including those in the payment services market, reflecting all interests involved, issue guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010 concerning the information to be provided to the competent authorities in the application for the authorisation of payment institutions, including the requirements laid down in points (a), (b), (c), (e) and (g) to (j) of the first subparagraph of paragraph 1 of this Article.
EBA shall review those guidelines on a regular basis and in any event at least every 3 years.
6.
Taking into account, where appropriate, experience acquired in the application of the guidelines referred to in paragraph 5, EBA may develop draft regulatory technical standards specifying the information to be provided to the competent authorities in the application for the authorisation of payment institutions, including the requirements laid down in points (a), (b), (c), (e) and (g) to (j) of paragraph 1.
Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.
7.
The information referred to in paragraph 4 shall be notified to competent authorities in accordance with paragraph 1.
( 4 ) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L333, 27.12.2022, p.1).
( 5 ) Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73).
( 6 ) Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (OJ L 141, 5.6.2015, p. 1).
( 7 ) Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC (OJ L 157, 9.6.2006, p. 87).