Circular on Professional Indemnity Insurance or Guarantee for Payment Initiation Services and Account Information Services

FINANS TILSYNET Postboks 1187 Sentrum 0107 Oslo Circular Professional Indemnity Insurance/Guarantee for Payment Initiation Services and Account Information Services CIRCULAR: 2 /2022 DATE: 26.08.2022. THE CIRCULAR APPLIES TO: Payment institutions and e-money institutions providing payment initiation services and/or account information services, and account information service providers.

Professional Indemnity Insurance/Guarantee for Payment Initiation Services and Account Information Services 2 | Finanstilsynet Contents 1 Introduction 3 2 Requirements for the Professional Indemnity Insurance/Guarantee 3 2.1 Subject Matter Scope of the Professional Indemnity Insurance/Guarantee 3 2.1.1 Payment Initiation Services 3 2.1.2 Account Information Services 3 2.2 Geographical Scope of the Professional Indemnity Insurance/Guarantee 3 2.3 Size of the Professional Indemnity Insurance/Guarantee 4 2.4 Further Details on Professional Indemnity Insurance with Deductibles 4 3 Requirements for Information and Documentation 5 3.1 Application for Authorization and Subsequent Changes 5 3.2 Regarding Coverage Form and Services 5 3.3 Provider of the Professional Indemnity Insurance/Guarantee 5 3.4 Confirmation of Professional Indemnity Insurance/Guarantee 5 3.5 Calculation of the Size of the Professional Indemnity Insurance/Guarantee 5

Professional Indemnity Insurance/Guarantee for Payment Initiation Services and Account Information Services Finanstilsynet | 3 1 Introduction The revised Payment Services Directive (EU) 2015/2366 ("PSD 2") opens up for and regulates the provision of two new payment services; payment initiation services and account information services. One of the conditions for obtaining authorization to provide payment initiation services and account information services is that the applicant can document professional indemnity insurance or a guarantee for coverage of liability for damages. The requirement follows from PSD 2 Article 5(2) and (3), and is implemented in Norwegian law in the Financial Enterprises Act § 2-10 second paragraph and § 2-10a third paragraph, as well as the Financial Enterprises Regulations §§ 2-1a and 2-17a. The purpose of the requirement for professional indemnity insurance or similar guarantee is to contribute to ensuring that the customer and the account service provider are compensated for losses that may occur as a result of errors by the payment service provider. This circular applies to payment institutions and e-money institutions providing payment initiation services and/or account information services, as well as account information service providers. 2 Requirements for the Professional Indemnity Insurance/Guarantee 2.1 Subject Matter Scope of the Professional Indemnity Insurance/Guarantee 2.1.1 Payment Initiation Services The requirements for the scope of the professional indemnity insurance/guarantee are regulated in PSD 2, and it must cover liability in connection with: • unauthorized payment transactions in accordance with Article 73 • failure, deficiency, or delay in the execution of payment transactions in accordance with Articles 89 and 90 and • right of recourse in accordance with Article 92 The professional indemnity insurance/guarantee must additionally cover costs and expenses associated with the payment service customer and the account service provider claiming coverage for such matters. 2.1.2 Account Information Services The requirements for the scope of the professional indemnity insurance/guarantee are regulated in PSD 2 Article 5(3), and it must cover liability towards the payment service customer or the account service provider resulting from unauthorized or misused access to or use of account information. The professional indemnity insurance/guarantee must additionally cover costs and expenses associated with the payment service customer and the account service provider claiming coverage for such matters. 2.2 Geographical Scope of the Professional Indemnity Insurance/Guarantee The professional indemnity insurance/guarantee must cover the business in all countries where the institution provides payment initiation services and/or account information services. This must be explicitly stated in the terms or the confirmation from the provider, either by a general formulation that the insurance/guarantee applies to all countries where the institution operates, or by explicitly listing the individual countries where services are provided. In the latter case, the institution must ensure that the professional indemnity insurance/guarantee is extended correspondingly if the institution is to provide payment initiation services/account information services to more countries.

Professional Indemnity Insurance/Guarantee for Payment Initiation Services and Account Information Services 4 | Finanstilsynet 2.3 Size of the Professional Indemnity Insurance/Guarantee With authority from PSD 2 Article 5(4), the EBA has developed the Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance or other comparable guarantee under Article 5(4) of Directive (EU) 2015/2366. 1 These specify in more detail the requirements for the monetary size of the professional indemnity insurance/guarantee. The size of the professional indemnity insurance/guarantee is determined according to a formula based on the institution's risk profile, type of activity, and scope of business. The professional indemnity insurance/guarantee may not have a monetary limit that is lower than the minimum requirements following from the aforementioned guidelines. 2.4 Further Details on Professional Indemnity Insurance with Deductibles Finanstilsynet accepts that there are terms regarding deductibles in professional indemnity insurance, but the claim of the injured party may not be reduced as a result of any deductible in the contractual relationship between the payment service provider and the insurance company. To ensure that deductibles do not reduce the coverage for the injured party, it is stipulated in the Financial Enterprises Regulations §§ 2-1a and 2-17a that the injured party (the customer/account service provider) may claim coverage directly from the insurance provider, without first directing the claim against the institution. The insurance provider cannot raise defenses against the injured party other than those the institution itself could have raised. This means that the insurance company must claim any deductible from the institution and cannot deduct this from the amount paid out to the injured party. Professional indemnity insurance whereby the insurance provider invoices the institution for the deductible after the customer and account service provider have received their settlement will thus be permitted. There is a risk that the provider of payment initiation services/account information services will not settle any deductibles and that the insurance provider will therefore terminate the insurance relationship. To prevent the institution from operating without professional indemnity insurance, it is stated in the Financial Enterprises Regulations §§ 2-1a and 2-17a that a termination or lapse of the professional indemnity insurance is not effective against the injured party until one month after Finanstilsynet has received notice of the lapse. If the institution takes out and documents new professional indemnity insurance before the end of this period, the lapse of the insurance will become effective from the time the new insurance is provided. 1 EBA/GL/2017/08

Professional Indemnity Insurance/Guarantee for Payment Initiation Services and Account Information Services Finanstilsynet | 5 3 Requirements for Information and Documentation 3.1 Application for Authorization and Subsequent Changes When applying for authorization to provide payment initiation services and/or account information services, the institution must document professional indemnity insurance or a similar guarantee that meets the requirements set out in the Financial Enterprises Act and Regulations, as well as this circular. Furthermore, the institution must ensure that the requirements are met at all times. In the event of subsequent changes, for example when changing the insurance provider/provider of the guarantee, Finanstilsynet must approve the changes before they take effect. 3.2 Regarding Coverage Form and Services It must be clear from the application/notification which form of coverage has been chosen (professional indemnity insurance or guarantee), as well as which payment services the coverage applies to (payment initiation service, account information service, or both). 3.3 Provider of the Professional Indemnity Insurance/Guarantee The application/notification must contain information about the provider of the professional indemnity insurance/guarantee, including: • the company's name • organization number or other identifying number • the company's license • the supervisory authority for the company and • the company's contact details 3.4 Confirmation of Professional Indemnity Insurance/Guarantee It must be documented a confirmation from the provider of the professional indemnity insurance/guarantee stating that the professional indemnity insurance/guarantee meets the requirements in this circular's section 2. 3.5 Calculation of the Size of the Professional Indemnity Insurance/Guarantee The institution must attach an overview indicating how the minimum requirement for the monetary size of the professional indemnity insurance/guarantee has been calculated. The overview must indicate the basis for and the value assigned to each indicator in the various criteria risk, activity, and scope in accordance with the EBA guidelines, see circular section 2.3.

FINANS TILSYNET Postboks 1187 Sentrum 0107 Oslo post@finanstilsynet.no www.finanstilsynet.no