On 11 January 2023, the European Banking Authority (EBA) published a report setting out its finding following a peer review on the authorisation of payment institutions and e-money institutions under the revised Payment Services Directive (PSD2), taking into account the EBA guidelines on authorisation issued in 2017 in support of the Directive.

The report notes that Member State competent authorities (NCAs) have largely implemented the guidelines and, where implemented, the guidelines have achieved their objective of providing consistency and transparency in the authorisation information that prospective payment institutions (PIs) and electronic money institutions (EMIs) have to submit.

The report also notes that there are significant divergences in the practices of NCAs in assessing the information submitted, and the level of scrutiny of those documents varies considerably across NCAs. More specifically, there are divergent practices in relation to the assessment of business plans and applicants’ governance arrangements and internal control mechanisms. This includes the assessment of directors and persons responsible for the management of PIs and EMIs, and of whether applicants meet ‘local substance’ requirements.

The report also covers good supervisory practices and follow-up measures for NCAs including that all NCAs should ensure that applicants have a ‘three lines of defence’ model that includes the functions of risk management, compliance and internal audit, where the nature, scale and complexity of their activities makes this appropriate.

Finally, the report recommends to the European Commission to clarify, as part of its ongoing PSD2 review process, the delineation between the different categories of payment services and e-money issuance, the applicable governance arrangements for institutions, including the criteria that NCAs should use in assessing the suitability of management, and what having sufficient local substance requires.