Under the Payment Service Regulations 2017 (PSRs), providers of payment services must apply certain security requirements. Find out what services are affected and what you need to do to apply for authorisation or registration.
The PSRs aim to increase protection for customers and make payment services safer and more resilient. They do this by regulating account information and payment initiation services and introducing security requirements that all payment service providers (PSPs) must follow.
If you provide payment initiation services, you need to apply for authorisation. If you only provide account information services, you can apply for registration.
Information you must provide for authorisation and registration
As part of the authorisation and registration process, you will need to demonstrate that you have implemented effective security systems and controls, and that you manage access to sensitive payment data, incident management and business continuity.
You need to:
- provide security policies and procedures, including a risk assessment in relation to your payment services, and describe security controls and mitigation measures designed to protect payment service users
- demonstrate that you have effective processes to monitor and handle incidents and security-related customer complaints
- explain how you will deal with significant continuity disruptions, such as the failure of key systems, the loss of key data, or lack of access to premises
- demonstrate that you have an effective process to file, monitor, track and restrict access to sensitive payment data, for example through data classification, access management and monitoring tools
You are responsible for the activities of your external partners. So, you will also be asked about outsourcing arrangements as part of the authorisation and registration process.
Information you must provide after authorisation or registration
If you’re a PSP, you must identify, classify and manage risks affecting the payment services you provide. You must:
- establish an effective risk management framework to identify and classify risks affecting the services you provide
- be able to identify and implement the steps required to manage these risks
- ensure that your risk management framework can identify new and emerging risks
You should be able to detect, manage and resolve major incidents affecting the payment services you provide.
You will also need to notify us of any major incidents.
- European Banking Authority (EBA) Guidelines on Authorisation and Registration - these guidelines outline the exact information that must be provided.
- Technical standards on strong customer authentication and common and secure methods of communication.
- You can also refer to security, risk management, and business continuity industry standards and guidelines that are available for examples of best practice. For example, Cyber Essentials provides guidance on how organisations can protect themselves against cyber threats.