PSD2 - Maintaining robust risk and control governance while meeting regulatory requirements

18 March 2021

Governance, Risks and Controls

The second Payment Services Directive (PSD2) aims to open up provision of banking and payments services to new players in financial services beyond the traditional services provided by the established banks. Under the supervision of the Bank of England and the Open Banking Implementation Entity (OBIE) created by the Competition and Markets Authority, the UK is fast becoming a leader in provision of innovative payments technologies and services.

A key principle of PSD2 is the development, testing and implementation of APIs with built-in Strong Customer Authentication (SCA) to allow Third Party Providers (TPPs) to access accounts and provide payments services.

New start-up digital banks and electronic money institutions are growing fast and joining an increasingly competitive and innovative sector. While firms focus on developing and implementing technology solutions, they need to ensure they have robust risk and control governance and management for meeting regulatory requirements in order to maintain competitiveness in the market.

Regulatory reporting requirements for payments services firms

PSD2 requires payments services providers to implement or enhance their capabilities to enable compliance with the Directive. The European Banking Authority (EBA) has set a compliance date of 31 December 2020. This is an extension of the original deadline of 14 September 2019.

The EBA has created a set of security and operational standards, the Regulatory Technical Standards (RTS), for payments services firms to operate under for PSD2 compliance. These are further explained in the Guidelines on Security Measures for Operational and Security Risks under PSD2 (2017).

The Guidelines specify requirements for the establishment, implementation and monitoring of the security measures that payment service providers must take to manage operational and security risks relating to the payment services they provide. They cover the following areas:

  • Risk Assessment
  • Protection
  • Detection
  • Business Continuity
  • Testing of security measures
  • Situational awareness and continuous learning
  • Payment service user relationship management 

These measures need not be a separate set of measures within an organisation; they should be part of the organisation’s existing risk and control environment.

Further to the implementation of the RTS, there are requirements on operational and security risk reporting by payments services firms to a national competent authority (the FCA in the UK).

Under the Payments Service Regulation (PSR) 2017, the FCA requires payments services providers to submit an annual assessment (REP018) of their operational and security risks and control mechanisms related to payment services. The submission must include an audit of the IT security measures by independent auditors. The operational and security risk assessment should include all the requirements contained in the EBA Guidelines. Payments services providers are expected to have effective risk assessment in place to identify potential issues on an ongoing basis and implement appropriate controls to mitigate them.

How can we help you?

We have strong assurance and audit experience over technology, operational and cyber risk working with firms within the financial sector, including digital banking clients.

Our Digital and Risk Advisory team have experience of conducting assurance and audit work over IT governance, IT operational and security processes and controls, cyber security, cyber and operational resilience, payments certifications, project governance and management and GDPR.

We have assisted a variety of clients with enhancing their IT risk and control environments and achieving compliance with regulatory and industry expectations and certifications. We offer a range of services tailored to a firm’s business model, governance structure, governance arrangements and operations.

For more information, please contact Evan Devetzis or Riza Unal to discuss further.