COMMISSION DELEGATED REGULATION (EU) 2019/411
of 29 November 2018
supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards setting technical requirements on development, operation and maintenance of the electronic central register within the field of payment services and on access to the information contained therein
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (1), and in particular the third subparagraph of Article 15(4) thereof,
Whereas:
(1) Pursuant to Article 15(1) of Directive (EU) 2015/2366, the European Banking Authority (EBA) is required to develop, operate and maintain an electronic central register that contains information as notified by the competent authorities in accordance with paragraph 2 of that Article.
(2) In order to ensure that the information contained in the electronic central register is accurately presented, EBA should ensure that the insertion or modification of information is carried out in a secure manner. To that end, EBA should grant personal access to the application of the register to members of the staff of the competent authorities. EBA and the competent authorities which have decided to transmit information to EBA automatically should ensure that safe and proportionate encryption techniques are used in the end-points and throughout the transmission of the information.
(3) Considering that it is necessary that the electronic central register contains standardised and consistent information for all payment institutions and electronic money institutions established in the Union, presented in the same format, the application of the register should perform data validation before any information inserted or modified by the competent authorities is made publicly available.
(4) It is necessary to ensure the authenticity, integrity and non-repudiation of the information contained in the electronic central register. EBA should therefore guarantee that the information is safely stored and that any inserted or modified information has been properly recorded.
(5) In order to enable payment service users and other interested parties to use the electronic central register efficiently, it is necessary that the application of the register be developed in a way that guarantees that it operate in a reliable manner and be accessible without interruptions.
(6) It is desirable that the users of the electronic central register be able to efficiently search the information in the register. Therefore, the information should be searchable on the basis of a number of different search criteria.
(7) In order to fulfil the needs of the payment industry, EBA should make the content of the register available for download through a standardised file. This would enable all interested parties to automatically search information in that file
(8) This Regulation is based on the draft regulatory technical standards submitted by EBA to the Commission.
(9) EBA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the opinion of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council (2),
HAS ADOPTED THIS REGULATION:
CHAPTER 1
GENERAL PROVISIONS
Article 1
Internal users of the register
1. For the purposes of this Regulation, a member of the staff of a competent authority who is responsible for manually inserting and modifying information in the electronic central register of the European Banking Authority (EBA) (the ‘electronic central register’) shall be an internal user.
2. Each competent authority shall appoint at least two members of its staff as internal users.
3. Competent authorities shall notify EBA of the identity of the persons referred to in paragraph 2.
Article 2
Management of the register
EBA shall manage the list of internal users, provide the internal users with the authentication details, and provide technical support to the competent authorities.
Article 3
Access by internal users
1. The application of the electronic central register shall be accessible to internal users only by using two-factor authentication.
2. EBA shall provide a default username and password and the other security credentials to the internal users for accessing the application of the electronic central register.
3. Internal users shall be required to change their default username and password at their first log-in into the application of the electronic central register.
4. EBA shall ensure that the authentication method applied allows the identification of each internal user.
5. EBA shall ensure that the application of the electronic central register does not allow information to be inserted or modified in the electronic central register by persons who do not have access to the application of the register or who do not have the appropriate permissions to do so.
Article 4
Public users
1. For the purposes of this Regulation, public users of the electronic central register shall be payment service users and other interested parties, who access the electronic central register through the website of EBA.
2. Public users shall be able to access the electronic central register without using access credentials.
3. The access of public users to the electronic central register shall allow them only to read, search and download the information contained in the register. Public users shall not have any rights to modify the content of the register.
4. When public users access the electronic central register, the website of EBA shall display the search criteria specified in Article 15(1).
CHAPTER 2
TRANSMISSION OF INFORMATION BY COMPETENT AUTHORITIES TO EBA
Article 5
Transmission of information by competent authorities to EBA
1. Competent authorities shall transmit to EBA the information to be contained in the electronic central register manually via a web user interface or automatically via an application to application interface.
2. Competent authorities shall notify EBA about their preferred approach for transmission of information under paragraph 1.
3. Competent authorities which have notified EBA that their preferred approach is to transmit information automatically shall be allowed to transmit information manually upon prior notification to EBA.
4. Competent authorities shall provide EBA with a hyperlink to their national public register. EBA shall make those hyperlinks publicly available in the electronic central register.
Article 6
Manual insertion and modification of information
1. Competent authorities which have decided to transmit information to EBA manually shall insert or modify information for their Member States in the web application of the electronic central register. The information shall be entered in the format specified in paragraphs 2 to 9 of Article 1 of the Commission Implementing Regulation (EU) 2019/410 (3).
2. The manually inserted or modified information shall be made publicly available in the electronic central register after it has been validated by the application of that register in accordance with Article 8.
3. When manually inserted or modified information fails to be validated by the application of the electronic central register, the information shall be rejected and not be made publicly available. The internal user shall make the insertion or modification once again using the corrected information.
4. EBA shall insert a date and time stamp in the manually inserted or modified information in the electronic central register. That date and time stamp shall display the moment of the last change to the register.
5. Competent authorities shall ensure that all amendments to the content of their national public registers related to the granting or withdrawal of authorisation or registration are inserted in the electronic central register of EBA on the same day.
Article 7
Automated transmission of information
1. Competent authorities which have decided to transmit information to EBA automatically shall transmit the information directly from the applications of their national public registers to the application of the electronic central register.
2. EBA and the competent authorities shall ensure secure transmission of information between the applications of their respective registers in order to safeguard the authenticity, integrity and non-repudiation of the information transmitted, using strong and widely recognised encryption techniques.
3. Competent authorities shall transmit to EBA in a single batch file with a common standard and structured format (‘the batch file’) the whole set of information set out in paragraphs 2 to 9 of Article 1 of the Implementing Regulation (EU) 2019/410 contained in their national public registers.
4. The transmission of the batch file shall take place at least once each day on which the content of a national public register has been amended.
5. Where competent authorities amend the content of their national public registers in relation to the granting or withdrawal of authorisation or registration and they are unable to transmit those changes automatically, they shall insert them manually on the same day.
6. EBA shall allow the competent authorities to transmit a batch file once a day irrespective of whether the content of their national public registers has been amended.
7. The information automatically transmitted to the electronic central register shall be made publicly available in the register as soon as possible after the batch file has been processed and validated by the application of the electronic central register in accordance with Article 8 and at the latest by the end of the day on which the batch file was processed and validated. All information previously transmitted, or manually inserted by a competent authority, which is publicly available in the electronic central register shall be replaced by the subsequently transmitted information by that competent authority.
8. EBA shall not allow competent authorities to transmit a new batch file before they have received the outcome of the validation of their previously transmitted batch file.
9. Where automatically transmitted information fails to be validated by the application of the electronic central register, the whole set of information contained in the batch file shall be rejected and not be made publicly available in that register.
10. EBA shall insert a date and time stamp in the information automatically transmitted to the application of the electronic central register. That date and time stamp shall display the moment of the last synchronisation between the electronic central register and the national public registers.
Article 8
Validation of information
1. The application of the electronic central register shall validate information transmitted by competent authorities to EBA in order to avoid any missing information or duplication of information.
2. In order to avoid any missing information, the application of the electronic central register shall perform data validation on the fields filled in or transmitted by the competent authorities to EBA with the exception of the field for the commercial name of the natural or legal person.
3. In order to avoid duplication of the information, the application of the register shall perform data validation on each of the following fields:
(a) for payment institutions, natural or legal persons benefiting from an exemption pursuant to Article 32 of Directive (EU) 2015/2366, account information service providers, electronic money institutions, legal persons benefiting from an exemption pursuant to Article 9 of Directive 2009/110/EC of the European Parliament and of the Council (4), the institutions referred to in points (4) to (23) of Article 2(5) of Directive 2013/36/EU of the European Parliament and of the Council (5) and the persons whose authorisation or registration was withdrawn:
(i) the national identification number;
(ii) the relevant type of natural or legal person as referred to in paragraphs 2 to 9 of Article 1 of Implementing Regulation (EU) 2019/410;
(iii) authorisation or registration date;
(b) for agents of payment institutions, natural or legal person benefiting from an exemption pursuant to Article 32 of Directive (EU) 2015/2366, account information service providers, electronic money institutions and legal persons benefiting from an exemption pursuant to Article 9 of Directive 2009/110/EC:
(i) the national identification number of the agent;
(ii) the national identification number of the natural or legal person on behalf of which the agent provides payment services;
(iii) registration date;
(c) for service providers carrying out services under points (i) and (ii) of point (k) and point (l) of Article 3 of Directive (EU) 2015/2366:
(i) the national identification number of the service provider;
(ii) the exclusion under which the service provider carries out activities;
(iii) the registration date.
4. Where the status of authorisation or registration of a natural or legal person, which has agents providing payment services on its behalf, has changed from ‘authorised’ or ‘registered’ to ‘withdrawn’, the application of the electronic central register shall not perform data validation on the agents linked to that person.
5. Competent authorities shall receive a response from the application of the electronic central register about the result of the data validation process as soon as possible in a clear and unequivocal way. The result of the data validation shall also include the percentage change to the content of the information previously transmitted.
6. Where the transmitted information fails the validation process, EBA shall include in its response to the competent authorities all the reasons for the rejection.
7. In the event of a failed validation where the amendments to the content of the national public register are related to granting or withdrawal of authorisation or registration, competent authorities which transmit information automatically shall, by the end of the day on which the validation failed, transmit a corrected or updated batch file with the whole set of information or manually insert the new amendments made to the content of their national public registers related to the granting or withdrawal of authorisation or registration.
8. For the purposes of the validation of national identification numbers competent authorities shall notify to EBA the types and the formats of the national identification numbers which they use in their national registers.
9. The application of the electronic central register shall enable competent authorities to insert an agent more than once in the register where the agent provides payment services on behalf of more than one natural or legal person. Each insertion shall be treated as a separate record.
Article 9
Information concerning agents
1. EBA and the competent authorities shall ensure that agents inserted in the electronic central register are linked to the natural or legal person on behalf of which they provide payment services.
2. Where a natural or legal person, which has agents providing payment services on its behalf, has its status of authorisation or registration changed from ‘authorised’ or ‘registered’ to ‘withdrawn’, the status of the agents linked to that natural or legal person shall be changed from ‘active’ to ‘inactive’.
Article 10
Responsibility of competent authorities
1. Competent authorities shall be responsible for the accuracy of information manually inserted in or automatically transmitted to the application of the electronic central register about the natural or legal persons authorised or registered by them, as well as the agents and service providers carrying out services under points (i) and (ii) of point (k) and point (l) of Article 3 of Directive (EU) 2015/2366 listed in their national public registers.
2. The application of the electronic central register shall enable internal users and applications of the national public registers to insert or modify the information for which their respective competent authority is responsible.
3. Competent authorities shall not be able to modify the information for which other competent authorities are responsible.
4. Competent authorities shall not be able to insert information concerning payment institutions, natural or legal persons benefiting from an exemption pursuant to Article 32 of Directive (EU) 2015/2366 and their agents, account information service providers, the institutions referred to in points (4) to (23) of Article 2(5) of Directive 2013/36/EU, electronic money institutions, legal persons benefiting from an exemption pursuant to Article 9 of Directive 2009/110/EC and their agents, and service providers carrying out services under points (i) and (ii) of point (k) and point (l) of Article 3 of Directive (EU) 2015/2366, established in another host Member State.
CHAPTER 3
NON-FUNCTIONAL REQUIREMENTS
Article 11
Safety requirements
1. The application data of the electronic central register shall be backed up and the backup copies shall be stored for the purposes of disaster recovery.
2. In the event that any security issues are detected, EBA shall be able to immediately shut down the application of the electronic central register and prevent any access to the server.
3. The application of the electronic central register shall be able to recover from crashes without undue delay and to continue its normal operation.
4. In the event that the application of the electronic central register is down and cannot process batch files transmitted by the competent authorities, that application shall process the most recent files which were transmitted by each competent authority after restoring its normal operation.
5. EBA shall notify the competent authorities of any failure or down-time of the application of the electronic central register.
6. Where a failure of the application of the electronic central register has affected the processing of a batch file transmitted by a competent authority, EBA shall request the competent authority to submit a new batch file. Where the competent authority is unable to do so, it shall request EBA to roll-back the data to the version that was submitted with the last validated batch file prior to the failure.
7. EBA shall develop its register in accordance with the international standards for cyber security.
Article 12
Availability and performance requirements
1. The electronic central register shall be able to accommodate the initial set of data currently existing in the public registers maintained by the competent authorities.
2. The application of the electronic central register shall be able to accommodate an increase in the volume of the information received from competent authorities. Such an increase shall not affect the availability of the register.
3. EBA shall ensure that the electronic central register becomes available immediately after normal operation has been restored following any failure of the application of the register.
4. The automated transmission of information referred to in Article 7 shall not affect the availability of the electronic central register.
5. EBA shall inform public users of any unavailability of the electronic central register as well as of the reasons for that unavailability and the recovery of that register by displaying that information on its website
Article 13
Maintenance and support requirements
1. EBA shall monitor the operation of the application of the register, analyse its performance and, where necessary, introduce changes to ensure that the application complies with the requirements set out in this Regulation.
2. EBA shall monitor the regular transmission and update of information in the electronic central register by the competent authorities.
3. EBA shall review the suitability of the non-functional requirements specified in this Chapter on a regular basis.
4. EBA shall provide support to the competent authorities in relation to the operation of the electronic central register. For that purpose EBA shall introduce a functionality in the application of the register enabling competent authorities to submit a query. EBA shall put all such queries in a queue.
5. EBA shall respond to the queries referred to in paragraph 4 without undue delay by the end of the day on which the query was made. EBA shall respond to the queries in order of reception.
6. EBA shall provide the competent authorities with a testing environment and support for that technical environment.
7. EBA shall establish a designated channel for communication of incidents related to the operation of the electronic central register.
Article 14
Audit trail
1. The electronic central register shall enable recording of all the information transmitted by competent authorities to EBA.
2. The electronic central register shall enable recording of all automated or manual actions performed by the applications of the national public registers or by internal users respectively, as well as the time when those actions were performed.
3. EBA shall be able to access the data recorded pursuant to paragraphs 1 and 2.
4. EBA shall be able to extract reports from the data recorded pursuant to paragraphs 1 and 2 which enable it to monitor and interpret the information transmitted by the competent authorities.
CHAPTER 4
ACCESS TO THE INFORMATION
Article 15
Search of information
1. The electronic central register shall enable users of the register to search information in the register on the basis of different search criteria including each of the following:
(a) the relevant type of natural or legal person as referred to in paragraphs 2 to 9 of Article 1 of Implementing Regulation (EU) 2019/410;
(b) the name of the natural or legal person;
(c) the national identification number of the natural or legal person;
(d) the name of the competent authority responsible for the operation of the national public register;
(e) the country where the natural or legal person is established;
(f) the city where the natural or legal person is established;
(g) the payment services and electronic money services provided;
(h) the host Member State in which the authorised or registered payment institution, electronic money institution or account information service provider provides services or has notified its intention to provide services;
(i) the payment and electronic money services provided in the host Member State;
(j) the status of authorisation or registration;
(k) the date of authorisation or registration;
(l) the date of withdrawal of authorisation or registration.
2. The electronic central register shall perform the search of information when at least one of the search criteria is filled in.
3. The electronic central register shall enable users of the register to use any combination of the criteria specified in paragraph 1.
4. The electronic central register shall enable users of the register to select the information in items (a), (d), (e) and (j) of paragraph 1 from a drop-down menu.
5. The electronic central register shall enable users of the register to select the search criteria referred to in points (g), (h) and (i) of paragraph 1 from a multi-select menu.
6. EBA shall ensure that searches that enable the use of symbols or signs to replace individual characters and/or words (wildcard searches) are available for users of the register to increase the breadth of a search.
7. EBA shall inform the users of the register how to use the symbols referred to in paragraph 6 by displaying the information on its website.
Article 16
Display of search results
1. The electronic central register shall display as search results all natural and legal persons which meet the search criteria filled in by the user of the register.
2. The information displayed concerning the natural and legal persons shall include the following:
(a) the name of the person;
(b) the national identification number of the person;
(c) the country where it is established;
(d) the city where it is established;
(e) the relevant type of natural or legal person as referred to in paragraphs 2 to 9 of Article 1 of Implementing Regulation (EU) 2019/410;
(f) the payment services and electronic money services provided.
3. When selecting the name of a natural or legal person from the displayed search results, the information specified in paragraphs 2 to 9 of Article 1 of Implementing Regulation (EU) 2019/410 shall be displayed for the respective person, including the latest date and time stamp inserted by EBA.
4. Agents shall be displayed both as a separate record and as part of the record of the natural or legal person on behalf of which they provide payment services.
5. EBA shall accurately display in the electronic central register the information transmitted by the competent authorities and ensure that the information displayed is complete.
Article 17
Download of information
1. EBA shall make the content of the electronic central register available for manual and automated download by public users of the register by copying the content to a standardised file.
2. EBA shall update the standardised file referred to in paragraph 1 at least twice a day at pre-determined intervals. EBA shall disclose the pre-determined intervals for such updates.
CHAPTER 6
FINAL PROVISIONS
Article 18
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 29 November 2018.
For the Commission
The President
Jean-Claude JUNCKER
(1)
OJ L 337, 23.12.2015, p. 35
.
(2) Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (
OJ L 331, 15.12.2010, p. 12
).
(3) Commission Implementing Regulation (EU) 2019/410 of 29 November 2018 laying down implementing technical standards with regard to the details and structure of the information to be notified, in the field of payment services, by competent authorities to EBA pursuant to Directive (EU) 2015/2366 of the European Parliament and of the Council (see page 20 of this Official Journal).
(4) Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC (
OJ L 267, 10.10.2009, p. 7
).
(5) Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (
OJ L 176, 27.6.2013, p. 338
).
Feedback