2022-03-01

Bank of Lithuania Position on Professional Indemnity Insurance for Payment and Electronic Money Institutions Providing PIS and AIS

The Bank of Lithuania issued this position to establish minimum terms and conditions for professional indemnity insurance required of electronic money and payment institutions providing account information and payment initiation services. The document mandates that insurance policies must cover civil liability for unlawful acts such as unauthorized access or improper execution of transactions, while explicitly excluding non-pecuniary damage, intentional acts, and war-related events. Furthermore, the regulator requires that coverage must include personal data and cyber risks, prohibiting insurers from broadly excluding these specific liabilities from the scope of protection.


BANK OF LITHUANIA
FINANCIAL MARKET SUPERVISION COMMITTEE

DECISION ON THE APPROVAL OF THE POSITION OF THE BANK OF LITHUANIA ON THE CONDITIONS FOR PROFESSIONAL INDEMNITY INSURANCE IN CASES WHERE ELECTRONIC MONEY AND PAYMENT INSTITUTIONS PROVIDE ACCOUNT INFORMATION AND/OR PAYMENT INITIATION SERVICES

1 March 2022 No V 2022/(1.160.E-9004)-441-48
Vilnius

Acting in accordance with Article 42(2)(1) of the Republic of Lithuania Law on the Bank of Lithuania and subparagraph 8.3 of the Rules of Procedure of the Financial Market Supervision Committee approved by Resolution No 03-175 of the Board of the Bank of Lithuania of 25 October 2021 on the setting-up of the Financial Market Supervision Committee and the approval of its rules of procedure, the Financial Market Supervision Committee hereby decides:

To approve the position of the Bank of Lithuania on the conditions for professional indemnity insurance in cases where electronic money and payment institutions provide account information and/or payment initiation services.

Chair of the Committee
Arūnas Raišutis

APPROVED by Decision No V 2022/(1.160.E-9004)-441-48 of the Financial Market Supervision Committee of 1 March 2022

THE POSITION OF THE BANK OF LITHUANIA ON THE CONDITIONS FOR PROFESSIONAL INDEMNITY INSURANCE IN CASES WHERE ELECTRONIC MONEY AND PAYMENT INSTITUTIONS PROVIDE ACCOUNT INFORMATION AND/OR PAYMENT INITIATION SERVICES

As a result of recent developments in information and communication technologies, new types of payment services, such as payment initiation and account information services (hereafter – PIS and AIS), have emerged. Under Article 2(22) of the Republic of Lithuania Law on Payments (hereinafter – Law on Payments), a PIS means a service where a payment order is initiated at the request of the payment service user from a payment account opened with another payment service provider.¹ Under Article 2(53) of the Law on Payments, an AIS means a payment service whereby aggregated online information is provided on one or more payment accounts held by the payment service user with another payment service provider or several payment service providers.² Electronic money institutions and payment institutions that provide PIS and AIS (hereinafter – Institutions) are not subject to own capital requirements; however, in accordance with Article 5 of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (hereinafter – PSD2), they are obligated to hold professional indemnity insurance (hereinafter – Insurance) or a comparable guarantee against liability ensuring the meeting of their obligations to customers and managing the risks associated with their activities.³ This requirement under PSD2 has been transposed to Article 20 of the Republic of Lithuania Law on Payment Institutions (hereinafter – Law on Payment Institutions) and Article 11 of the Republic of Lithuania Law on Electronic Money and Electronic Money Institutions (hereinafter – Law on Electronic Money and Electronic Money Institutions).

In accordance with the aforementioned legal instruments of the Republic of Lithuania, Institutions are obliged to hold Insurance of their liability for the compensation of claims/occurrences that may arise from (hereinafter – Mandatory Insured Events):
  • failure to fulfil or improper fulfilment of their obligations set out in Articles 38, 51, 52 and 53 of the Law on Payments;
  • unauthorised or illegal access to payment account information or unauthorised or illegal use of such information, which may be incurred by the payment service provider managing the account or the payment service user.

¹ PIS is essential in executing online trading payments as it creates a software bridge between the merchant’s website and the internet banking platform of the payment service provider that services the payer’s account, which enables the initiation of online trading payments.
² An AIS provides the payment service user with aggregated information via the internet on one or more payment accounts held with one or more other payment service providers and accessible through the internet interlinking of the AIS provider. Thus, a payment service user can immediately receive a general view of their financial situation at any moment.
³ Paragraph 35 of the Preamble to PSD2 stipulates that Institutions do not hold client funds. Accordingly, it would be disproportionate to impose own funds requirements on those new market players.

When carrying out the supervision of Institutions, the Bank of Lithuania has observed that they experience difficulties in obtaining Insurance, and in the view of the Bank of Lithuania, certain terms and conditions of Insurance offered by insurance companies are insufficient to ensure the protection of the interests of the customers of Institutions as required by the Law on Payment Institutions and the Law on Electronic Money and Electronic Money Institutions, which becomes an obstacle for Institutions in their ability to provide PIS and AIS to their customers in an unobstructed and efficient way. To the best of the Bank of Lithuania’s knowledge, the main reasons for the conservative attitude of insurers towards the provision of Insurance services to Institutions reflect insufficient knowledge and clarity regarding Insurance risks (as PIS and AIS are relatively new financial services), as well as undeveloped case-law in respect of Insurance.

With a view towards providing clarity to the insurance market and Institutions regarding the terms and conditions of compulsory Insurance, and acting in accordance with Article 42(4)(1) of the Republic of Lithuania Law on the Bank of Lithuania, the Bank of Lithuania would like to draw the attention of insurers operating in Lithuania to the fact that the current low supply of Insurance is causing difficulties for Institutions in the provision of PIS and AIS. As the number of Institutions in both Lithuania and the European Economic Area grows, the need for Insurance will increase. Therefore, we expect that the terms and conditions of Insurance set out in this position will shed more light on the insurance market, encourage the proper assessment of the risks to be assumed so as to ensure adequate protection for PIS and AIS users, and bring more activity to the provision of Insurance services to Institutions.

This position shall not be considered as an official interpretation of the legislation. Since the Bank of Lithuania takes certain decisions only after assessing the entirety of the specific factual circumstances, this position shall also not be considered as a decision of the Bank of Lithuania in a specific case.

This position applies to Insurance provided to Institutions that have started their operations and are operating in accordance with the Law on Payments, Law on Payment Institutions and/or Law on Electronic Money and Electronic Money Institutions, respectively.

Taking into account the current situation of the Lithuanian insurance market and the legal acts regulating Insurance, the Bank of Lithuania has distinguished the minimum terms and conditions of Insurance under which insurers operating in the Republic of Lithuania shall provide Insurance services. These terms and conditions are described in the table below.

Table: Minimum terms and conditions for the provision of Insurance to Institutions

Sum insured
The sum insured must be no less than the amount calculated in accordance with the Guidelines of the European Banking Authority, as laid down in Article 5(4) of PSD2.⁴

Object of insurance
The object of insurance is the civil liability of the policyholder for material damage caused to affected third parties as a result of unlawful acts (actions, omissions) committed by the policyholder during the period of validity of the Insurance Contract in the course of the provision of PIS and AIS.

Insured event
An insured event is the submission to the policyholder of a claim/occurrence for damage caused by unlawful acts (actions, omissions) committed by the policyholder during the period of validity of the Insurance Contract that forms the basis for the policyholder’s civil liability to arise, provided that the claim/occurrence meets all of the following conditions:
  1. concerns material damage caused to an affected third party;
  2. is filed as a written claim/occurrence (bringing an action in court, where compensation for damages caused by the unlawful acts of the insurer is sought, shall also be regarded as filing a written claim);
  3. concerns damage that was caused during the period of validity of the Insurance Contract in the course of the provision of PIS and AIS;
  4. is lodged during the period of validity of the Insurance Contract and/or within a period of time specified by the parties, which shall be no less than 60 days after the expiry of the Insurance Contract;
  5. is filed in respect of the PIS and AIS provided and covers the territories in which such services are provided;
  6. is filed in respect of unlawful acts (actions, omissions) committed by the policyholder during the period of validity of the Insurance Contract, including but not limited to the following acts (actions, omissions):
    • unauthorised payment transactions and/or unauthorised access to or use of payment account information; and/or
    • non-execution of payment transactions, or improper or delayed execution of payment transactions, including payments and interest payable by the payment service user as a result of such an unlawful payment transaction; and/or
    • non-execution of payment transactions, or improper or delayed execution of payment transactions where the policyholder acts as a responsible payment service provider or intermediary.

Uninsured event
An uninsured event means the filing of a claim/occurrence for damages/losses arising from:
  1. unlawful acts (actions, omissions) of the policyholder that caused non-pecuniary damage;
  2. damage/loss caused to the health and/or life of an injured third party;
  3. destruction of and/or damage to the property of an affected third party;
  4. intentional acts of the policyholder and/or their staff;
  5. an act that caused damage whereby the policyholder and/or their staff are subjected to criminal liability;
  6. making publicly available and/or using information about a person, their private life, or the activities of companies, institutions, or organisations for self-serving purposes, or otherwise infringing on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119, 4.5.2016, p. 1), unless the Insurance Contract stipulates otherwise;
  7. any claim/occurrence attributable to, arising from, or otherwise directly and/or indirectly related to a cyberattack, unless the Insurance Contract stipulates otherwise. A cyberattack means a deliberate attack on the computer systems of the policyholder which is carried out by individual persons or organisations through malicious computer actions or malware with the aim of stealing, destroying, or corrupting data or damaging and/or destroying computer systems;
  8. any act (action, omission) of the policyholder committed at a time when the policyholder was not authorised to render PIS and AIS;
  9. the following events, whether directly or indirectly (regardless of whether other causes and circumstances may have contributed to the occurrence or amount of the damage/loss):
    9.1. war, aggression, foreign hostilities, acts of a military nature (regardless of whether or not a war has been declared), civil war, insurrection, revolution, uprising, or internal disturbances which have reached the level of insurrection or the use of military or unlawful force;
    9.2. any other act of a terrorist nature (endangering the life or health of many people or endangering property or infrastructure by the use or threat of use of force, e.g. explosions, arson, spreading radioactive, biological, or chemical harmful substances, preparations, or micro-organisms, etc., in the pursuit of political, religious, ideological, or ethnic objectives, also with the aim of influencing or intimidating a government and/or the public or any part of the public);
  10. the infringement of intellectual property rights, as well as unfair competition and/or factors restricting competition;
  11. the full or partial loss or destruction of property, documents (irrespective of the manner or form of their expression), or objects (including magnetic tapes, disks, floppy disks, and other data storage media, money) entrusted to and held in the possession of the insured person.

⁴ Institutions should apply the Guidelines in accordance with Decision No 241-141 of the Director of the Supervision Service of the Bank of Lithuania of 11 June 2018 on the application of the European Banking Authority’s Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantee, as provided in Article 5(4) of Directive (EU) 2015/2366.

It should be noted that the Mandatory Insured Events are closely related to the risks of making publicly available and/or using information about a person, their private life, the activities of companies, institutions, or organisations for self-serving purposes, or cyberattack risks (hereinafter – the Personal Data and Cyber Risks). The uninsured events specified in the terms and conditions of the Insurance offered by some insurers in the European Economic Area are defined more narrowly, i.e. they exclude the Personal Data and Cyber Risks. Therefore, the Bank of Lithuania, acting in accordance with the provisions of the Law on Payment Institutions and Law on Electronic Money and Electronic Money Institutions pertaining to Insurance and aiming to effectively protect the interests of the customers of Institutions, considers the terms and conditions of Insurance established in Lithuania’s insurance market, which do not cover indemnification-related Personal Data and Cyber Risks, to be insufficient for the operation of Institutions in compliance with the provisions of the Law on Payment Institutions and Law on Electronic Money and Electronic Money Institutions.

In the opinion of the Bank of Lithuania, the insurance coverage provided should not only contain the aforementioned minimum terms and conditions of Insurance, but should also cover the Personal Data and Cyber Risks, i.e. those risks should not be included in the list of uninsured events or the list should contain exceptions for cases where uninsured events do not apply, for example:
  • making publicly available and/or using information about a person, their private life, the activities of companies, institutions, or organisations for self-serving purposes, the infringement of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119, 4.5.2016, p. 1), unless the Insurance Contract stipulates otherwise, with the exception of cases where such events are related to the insured events referred to in paragraph 6 of the “Insured Events” section of the minimum terms and conditions of Insurance;⁵
  • any claim/occurrence attributable to, arising from, or otherwise directly and/or indirectly related to a cyberattack, unless the Insurance Contract stipulates otherwise, with the exception of cases where such events are related to the insured events referred to in paragraph 6 of the “Insured Events” section of the minimum terms and conditions of Insurance.⁶ A cyberattack means a deliberate attack on computer systems of the policyholder which is carried out by individual persons or organisations through malicious actions using a computer or malware, with the aim of stealing, destroying, or corrupting data or damaging and/or destroying computer systems.

⁵ Such events include:
  • unauthorised payment transactions and/or unauthorised or illegal access to or use of payment account information for which the Institution is responsible; and/or
  • non-execution of payment transactions, improper or delayed execution of payment transactions, including payments and interest payable by the payment service user as a result of such an unlawful payment transaction; and/or
  • non-execution of payment transactions, improper or delayed execution of payment transactions where the Institution acts as a responsible payment service provider or intermediary.
⁶ Ibid.
