In one of the latest publications I presented a very short summary of Polish Fintech Legal Ecosystem. Today I will disclose some details about the licensing process of various types of payment service providers that are allowed to conduct its business in Poland (including information about cross-border activities). The whole process may occasionally last for twelve months as the Polish Financial Supervision Authority (KNF) is meticulous when it comes to consumer protection as the case – in the end – usually is. The purpose of this publication is to present only basic information about the licensing and registration process depending on the type of provider. As I will focus on the Act on Payment Services banks will be generally excluded from the analysis (with minor exceptions). Today you will find some general remarks about the KNF’s approach to registration and licensing and registration process of the Account Information Service Provider (only) – recently added to Polish and European Union legal framework.
In Poland you have a few options to provide payment services. In principle, you will be allowed to conduct such business if you are a:
- Credit institution or a branch plus credit union;
- Payment institution (with the widest scope of permitted activities);
- Payment services office;
- E-money institution;
- Small payment institution;
- Account Information Service Provider;
- Agent (within the licence of its principal).
In principle, to provide payment services an entity has to obtain a specific licence granted by the KNF (some types of providers are allowed to get a registration instead of licence). As a result, any provider will fall into KNF’s supervision and in case of non-compliance with applicable regulations may face a supervisory action (e.g. fines or other acute sanctions). Registration is less burdensome, however, restricted only to certain types of providers (with limited scope of activities).
Irrespective of the applicable procedure (licence versus registration) the KNF will have to follow the administrative procedure envisaged by the Code of Administrative Procedure and provisions of specific regulations, including Act on Payment Services. KNF will also follow the Act on Supervision over the Financial Market. This is quite important information as an entity applying for a licence or registration will have to adhere to rules and deadlines set out in both acts. It is worth noting that the KNF’s decisions may be appealed in the course of administrative or judicial procedure.
For certain types of procedures, the KNF may also apply principles indicated in recommendations of European Union bodies, such as European Banking Authority. This might be a case for example for Account Information Service Providers as we are still waiting for specific regulation that will cover requirements for the registration. Therefore, at the moment the KNF may follow Guidelines on authorisation and registration under PSD2 to facilitate the process.
Account Information Service Providers – general remarks
The purpose of this publication is not to focus on all the requirements that are associated with AISP. General obligations for AISP can be found in Article 59s of the Act on Payment Services and Regulation 2018/389. The most important thing will be to ensure that sensitive data is properly secured. Therefore, it might be advantageous to follow PolishAPI recommendations on security and EBA recommendations on security and operational risks.
The procedure for granting a registration is indicated in Articles 117a-e, 136c and 137-142a of the Act on Payment Services. Article 117e lists also other provisions (mainly addressed to payment institutions) that are applicable. Therefore, it is highly recommended to not to rely only on Articles 117a-117d prior to drafting an application, in particular if the AISP would like to outsource its critical functions (e.g. EBA on outsourcing arrangements).
One of the most important thing is a proper insurance or bank guarantee that has to be ‘adjusted’ pursuant to regulation adopted by Minister of Finance that generally reflects the EBA guidelines on professional indemnity insurance. Without such insurance the KNF will not be able to grant authorisation (registration).
The procedure can be initiated only through a written application of the entity. The applications shall include various documents, i.a.:
- corporate governance structure,
- identification details of the applicant and its management board and other C-level executives,
- risk management solutions,
- internal audit principles,
- action and financial plan and information about ‘close ties’ of the applicant,
- relevant ‘personal’ statement of the applicant should also be added to the application.
As it might be difficult to assess what information should be included in each document, it is worth noting that draft regulation of Minister of Finance on documents accompanying the licensing process for payment institutions may be helpful as it is more detailed that rather general provisions of the Act. Remember also that the KNF may ask for other documents and information that can be found in the EBA recommendations on authorisation, including but not limited to:
- Security policy,
- Business plan,
- Complaints handling procedures,
- Business Continuity Plan,
- Outsourcing agreements.
If the application is correct and complete the KNF will grant a registration within 3 months. Should the applicant be registered (and included in the relevant register available on the KNF’s website) it may commence its operations. The KNF will provide a relevant confirmation (ex officio). Bear in mind that the KNF may request additional documents and clarifications that may prolong the whole process. Therefore, it is highly recommended to ensure that the application is not only complete but also very detailed to meet KNF’s expectations.
AISP will be supervised by the KNF. As a result, the AISP will have to pay annual supervisory fee. The amount of the fee has to be established pursuant to a regulation recently adopted the Prime Minister. The most important factor that will determine the amount of the fee is the number of users that were ‘serviced’ by the AISP in a given year (the fee should be credited on the KNF’s account by 31 may of each year).
It is important to mention that the AISP will be obliged to notify the KNF about the number of users and payment accounts that were accessed in the preceding year. The notification should be submitted to the KNF by 31 January.
The KNF may execute its competences if one of the following goals requires such action:
- regulatory compliance of the AISP or
- protection of user’s interest.
In such a case the KNF may issue a recommendation addressed to the AISP or ‘use’ its more ‘bothersome’ sanctions, including fines and personal limitations imposed on the executives. It is also possible to ‘close’ the AISP business.