
These notes contain guidance for payment service providers that are required to complete the operational and security risk form in accordance with the Payment Services Regulations. The guidance relates to the assessments that must be attached to form REP018.

The payment service provider must attach to the form the latest:

The operational and security risk assessment should include all the requirements contained in the EBA Guidelines for operational and security risks of payment services as issued on 12 December 2017. These include:

  • a list of business functions, processes and information assets supporting payment services provided and classified by their criticality
  • a risk assessment of functions, processes and assets against all known threats and vulnerabilities
  • a description of security measures to mitigate security and operational risks identified as a result of the above assessment
  • conclusions of the results of the risk assessment and summary of actions required as a result of this assessment

Payment service providers intending to make use of the exemption in article 17 of the SCA RTS (Strong Customer Authentication Regulatory Technical Standards) must include:

  • a description of the payment services that the payment service provider intends to provide in reliance on this exemption
  • an explanation of how the payment service provider’s processes and protocols achieve at least equivalent levels of security to those provided for by the Payment Services Directive

The assessment of the adequacy of mitigation measures and control mechanisms should include all the requirements contained in the EBA Guidelines for operational and security risks of payment services as issued on 12 December 2017. These include:

  • a summary description of methodology used to assess effectiveness and adequacy of mitigation measures and control mechanisms
  • an assessment of the adequacy and effectiveness of mitigation measures and control mechanisms
  • conclusions on any deficiencies identified as a result of the assessment and proposed corrective actions