1. A programme of operations (API, EMI) setting out, in particular, the type of payment or e-money services envisaged.
2. A business plan (API, EMI) including a forecast budget calculation for the first three financial years which demonstrates that the applicant is able to employ appropriate and proportionate systems, resources and procedures to operate soundly.
3. Evidence that the applicant for an API authorisation holds initial capital for the purposes of regulation 6(3). The initial capital requirement for authorised EMIs is €350,000.
4. Where regulation 23 (safeguarding requirements) applies, a description of the measures taken for safeguarding payment service users’ funds in accordance with that regulation.
5. A description of the applicant’s governance arrangements and internal control mechanisms, including administrative risk management and accounting procedures, which demonstrates that such arrangements, mechanisms and procedures are proportionate, appropriate, sound and adequate.
6. A description of the applicant’s procedure for monitoring, handling and following up security incidents and security-related customer complaints, including an incidents reporting mechanism which takes account of the notification obligations under regulation 99 (incident reporting).
7. A description of the applicant’s process for filing, monitoring, tracking and restricting access to sensitive payment data.
8. A description of the applicant’ s business continuity arrangements, including a clear identification of the critical operations, effective contingency plans, and a procedure for regular testing and reviewing of the adequacy and efficiency of such plans.
9. A description of the principles and definitions used by the applicant in collecting statistical data on performance, transactions and fraud.
10. A statement of the applicant’s security policy, including—
(a) a detailed risk assessment in relation to the payment services to be provided, including risks of fraud and illegal use of sensitive and personal data, and
(b) a description of—
(i) the applicant’s security control and mitigation measures to provide adequate protection to users against the risks identified,
(ii) how such measures ensure a high level of technical security and data protection, including such security and protection for the software and IT systems used by the applicant and any undertakings to which the applicant outsources any part of its operations, and
(iii) the applicant’s measures to comply with regulation 98(1) (management of operational and security risks), taking into account any guidelines issued by the European Banking Authority under Article 95(3) of the payment services directive.
11. For an applicant subject to the obligations in relation to money laundering and terrorist financing under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and Regulation 2015/847/EU of the European Parliament and of the Council of 20th May 2015 on information accompanying transfers of funds(a), a description of the internal control mechanisms which the applicant has established in order to comply with those obligations.
12. A description of the applicant’s structural organisation, including, where applicable, a description of the intended use of agents and branches and the off-site and on-site checks that the applicant undertakes to perform on them at least annually, a description of outsourcing arrangements, and a description of its participation in any national or international payment system.
13. In relation to each person holding, directly or indirectly, a qualifying holding in the applicant—
(a) the size and nature of their qualifying holding; and
(b) evidence of their suitability taking into account the need to ensure the sound and prudent management of a payment institution.
14.—(1)The identity of directors and persons who are or will be responsible for the management of the applicant and, where relevant, persons who are or will be responsible for the management of the payment services activities of the applicant.
(2) Evidence that the persons described in sub-paragraph (1) are of good repute and that they possess appropriate knowledge and experience to perform payment services.
15. The identity of the auditors of the applicant, if any.
16.—(1) The legal status of the applicant and, where the applicant is a limited company, its articles.
(2) In this paragraph “articles” has the meaning given in section 18 of the Companies Act 2006 (articles of association)(a).
17. The address of the head office of the applicant.
18. For the purposes of paragraphs 4, 5, 6 and 12, a description of the audit arrangements of the applicant and of the organisational arrangements the applicant has set up with a view to taking all reasonable steps to protect the interests of its payment service users and to ensure continuity and reliability in the performance of payment services.
19. In the case of an applicant which proposes to provide payment initiation services or account information services, the professional indemnity insurance or comparable guarantee which it holds in relation to such services.