Significant Divergence In PSD2 Authorisation Processes, EBA Says

January 13, 2023
<
Back
A new report by the European Banking Authority (EBA) uncovers disparity among EU member states when it comes to the authorisation and licensing of payments and e-money firms.

A new report by the European Banking Authority (EBA) uncovers disparity among EU member states when it comes to the authorisation and licensing of payments and e-money firms.

The EU’s banking watchdog has published its peer review on authorisation of payment institutions and e-money institutions under the revised Payment Services Directive (PSD2).

The review generally found increased transparency and consistency of the information required in the authorisation process. However, it also identified significant divergences in competent authorities’ assessment and the degree of scrutiny of licence applications.

The EBA uncovered that although competent authorities have largely implemented authorisation guidelines that it unveiled in 2017, gaps remain, especially in how information is obtained from applicants.

This means that they lack the ability to properly scrutinise applications looking to obtain payments and/or e-money licences, which is at odds with the information required under the EBA Guidelines.

There are also significant divergences in the practices of authorities when it comes to assessing the information submitted by companies and the level of scrutiny of these documents varies across the different member state regulators.

“More specifically, there are divergent practices in relation to the assessment of business plans and applicants’ governance arrangements and internal control mechanisms,” the EBA said.

Examples cited by the EU banking authority include the assessment of directors and persons responsible for the management of relevant firms, as well as whether applicant companies meet the requirement in PSD2 to have their head office in the jurisdiction where they are seeking authorisation.

“Together, these deficiencies mean that applicants remain subject to different supervisory expectations as regards the requirements for authorisation as a PI or EMI across the EEA [European Economic Area],” the EBA suggests.

According to the EBA, this gives rise to issues in terms of supervisory level playing field and "forum shopping" that undermines the objectives of the directive and the guidelines of establishing a single EU payments market.

As part of the report, the regulator has set out recommendations for competent authorities that will help harmonise the regime in the trading bloc.

Follow-up measures include:

  • Reviewing their authorisation resources and processes to ensure that they remain adequate to scrutinise applications within a reasonable timeframe.
  • Ensuring that applicants have a "three lines of defence" model that includes the functions of risk management, compliance and internal audit (providing the nature, scale and complexity of their activities makes this appropriate).
  • Ensuring that applicants are effectively managed and controlled from the jurisdiction in which they seek authorisation.

Numbers and timelines

The report reveals which jurisdictions have the most licence applications.

Between 2019 and 2021, the most licence applications (236) were received by the Bank of Lithuania. However, less than a third of these applications (64) were accepted.

Lithuania has for several years attempted to position itself as a fintech hub in the region, with one central banker stating in an interview with VIXIO in the summer that its approach took inspiration from the UK’s Financial Conduct Authority.

The regulator was also active at conferences prior to the UK’s exit from the trading bloc, identifying an opportunity to attract firms to register in the country prior to Brexit.

Meanwhile, the Netherlands, Denmark and Sweden, often considered payments innovation leaders in the EU, also received a high number of applications, according to the report.

Portugal, Austria and Liechtenstein received the least applications, while Romania and Portugal granted the fewest licences.

The report also shows that the average duration of the overall authorisation process varies significantly across competent authorities, ranging from four to up to 24 months. For example, applications to Poland (20-24 months) and Portugal (16-18 months) were found to take the longest, while in Estonia, Latvia, Sweden and Slovakia, the average process took four to six months.

The majority of application processes among competent authorities take seven-nine months, the data revealed.

The quality of applications and applicants’ timeliness in addressing issues identified appear to be key reasons for delay, but different timelines set out in national laws and different procedural approaches in the acceptance and assessment of applications also cause variations in duration.

Different approaches

“It appears that there is a discrepancy between CAs [competent authorities] as to how they perceive their role in the authorisation process,” the report says, pointing out that this can impact the length of the authorisation process.

Some authorities, such as Belgium, Spain and France, guide applicants in addressing the issues identified. They provide detailed feedback to applicants on where they are not meeting requirements and grant them more time to address those deficiencies in their application.

Spanish authorities explained to the EBA that in some instances additional time is granted to applicants to reinforce their local structure where it is deemed insufficient, which affects the duration of the authorisation process.

Sweden’s national competent authority, however, argued that it is not their role to guide financial institutions on how they should set up their business to fulfil all the regulatory requirements.

Rather, it is the applicant’s responsibility to prove to the regulator that it fulfils all the regulatory requirements to receive an authorisation.

“The CA explained that it normally sends out only one request to applicants to materially supplement their application where it identifies material deficiencies”, the report points out, noting that the regulator usually declines an application in the early stages of the authorisation process where the issues identified are not addressed within the deadline set.

Authorities in Denmark and the Netherlands also indicated that they usually decline an application in the early stages of the authorisation process where they identify material deficiencies in the application, or provide feedback to the applicant in the early stages of the authorisation process regarding the issues identified, allowing them to voluntarily withdraw their application.

Member states including Belgium, Portugal and Luxembourg encourage applicants to apply after a “pre-screening” process with the local authorities.

“Several of these CAs indicated that, in their experience, this helps prospective applicants to better understand the CA’s expectations and how they should fulfil the legal requirements, and also helps filter out applications with material deficiencies before an application is submitted,” the report points out.

This approach has led to efficiency gains in the subsequent authorisation process by ensuring that less time is spent by both applicants and CAs on applications that will not materialise into an authorisation.

In the case of Luxembourg, this pre-application phase was introduced in August 2021, following the transfer of the competence to grant an authorisation from the Ministry of Finance to the financial watchdog, the Commission de Surveillance du Secteur Financier (CSSF).

Although it is early days, the authority confirmed that efficiency gains are already noticeable.

In previous years, the authority received many applications with numerous documents and information that had to be constantly amended due to discussions on the legal qualification of the activities.

The European Commission is currently gearing up to publish its PSD2 review.

Most expect it in 2023, and the EBA has so far attempted to take an influencing role, having issued recommendations on changes to the commission during the summer.

The review itself recommends that the European Commission clarify, as part of its ongoing PSD2 review process, the delineation between the different categories of payment services and e-money issuance, the applicable governance arrangements for institutions, including the criteria that competent authorities should use in assessing the suitability of management, and what having sufficient local substance requires.

As such, reports such as this are likely to gain renewed attention from both market players and national regulators looking to anticipate next steps.

Our premium content is available to users of our services.

To view articles, please Log-in to your account, or sign up today for full access:

To read more articles like this, along with gaining access to the tools that will help you navigate compliance risk with confidence, request a demo of our RegTech platform today.

Related articles

March 14, 2025

Regulatory Influencer: European Union's Approach to ICT Incident Reporting

In recent weeks, the European Commission has published two significant regulations under the Digital Operational Resilience Act (DORA) which will contribute towards firms’ compliance efforts, standardising reporting of major ICT-related incidents and cyber threats. The first, Commission Delegated Regulation (EU) 2025/301, sets out technical standards for the content and timing of mandatory incident reports and voluntary cyber threat notifications. It sets out classification criteria, reporting deadlines and required details, such as impact assessments, remediation efforts and communication with authorities. Meanwhile, Commission Implementing Regulation (EU) 2025/302 provides standardised templates, forms and procedures for reporting. This regulation mandates uniform reporting formats, secure submission channels and requirements for complete and updated information. Both regulations, published in the Official Journal of the EU, took effect on March 11, 2025, 20 days after entering the statute book.
Read article
March 14, 2025

Week In Crypto: US Stablecoin Battle Heats Up As House, Senate Reintroduce Bills

Although US lawmakers appear to be aligned on the need for federal stablecoin legislation, they are no closer to an agreement on which bill should prevail and what provisions it should include.
Read article

Opt in to hear about webinars, events, industry and product news

Gambling Compliance

Learn more

Payments Compliance

Learn more
Still can’t find what you’re looking for? Get in touch to speak to a member of our team, and we’ll do our best to answer.
Contact us
No items found.
E-Money
European Union

Please choose your preferred
service to log in to.

GamblingCompliance
PaymentsCompliance
Don’t have an account?