Security requirements for providers of account information or payment initiation services seeking authorisation or registration

Under the Payment Service Regulations 2017 (PSRs), providers of payment services must apply certain security requirements. Find out what services are affected and what you need to do to apply for authorisation or registration.

The PSRs aim to increase protection for customers and make payment services safer and more resilient. They do this by regulating account information and payment initiation services and introducing security requirements that all payment service providers (PSPs) must follow.

If you provide payment initiation services, you need to apply for authorisation. If you only provide account information services, you can apply for registration.

Information you must provide for authorisation and registration

As part of the authorisation and registration process, you will need to demonstrate that you have implemented effective security systems and controls, covering access to sensitive payment data, incident management and business continuity.

You need to:

  • provide security policies and procedures, including a risk assessment in relation to your payment services, and describe security controls and mitigation measures designed to protect payment service users
  • demonstrate that you have effective processes to monitor and handle incidents and security-related customer complaints
  • explain how you will deal with significant continuity disruptions, such as the failure of key systems, the loss of key data, or lack of access to premises
  • demonstrate that you have an effective process to file, monitor, track and restrict access to sensitive payment data, supported by measures such as data classification, access management and monitoring tools

You are responsible for the activities of your external partners. So, you will also be asked about outsourcing arrangements as part of the authorisation and registration process.

Information you must provide after authorisation or registration

If you’re a PSP, you must identify, classify and manage risks affecting the payment services you provide.

You must:

  • establish an effective risk management framework to identify and classify risks affecting the services you provide
  • be able to identify and implement steps required to manage these risks
  • ensure that your risk management framework can identify new and emerging risks

You should be able to detect, manage and resolve major incidents affecting the payment services you provide.

You will also need to notify us of any major incidents.

More information

For the latest information sign up to the PSRs mailing list or contact us.