Security requirements for providers of account information or payment initiation services seeking authorisation or registration under Payment Services Directive 2 (PSD2)

PSD2 brings certain payment services into regulation for the first time and imposes security requirements on them. See below for more on the payment services affected and what firms need to do to apply for authorisation or registration.

PSD2 aims to increase protections for customers and make payment services safer and more resilient. It does this by bringing account information and payment initiation services into regulation and introducing security requirements that are relevant for all payment services providers.

Firms providing payment initiation services will need to apply for authorisation, while firms providing only account information services will need to apply for registration.

New information required at authorisation and registration

As part of the authorisation and registration process, firms will need to demonstrate that they have implemented effective security systems and controls, controls over access to sensitive payment data, incident management processes and business continuity arrangements.

Firms need to:

  • provide security policies and procedures, including a risk assessment in relation to their payment services, and describe the security controls and mitigation measures designed to protect payment service users
  • demonstrate that they have effective processes to monitor and handle incidents and security-related customer complaints
  • explain how they will deal with significant continuity disruptions, such as the failure of key systems, the loss of key data, or loss of access to premises
  • demonstrate that they have effective processes, such as data classification, access management and monitoring tools, to file, monitor, track and restrict access to sensitive payment data

Firms are responsible for the activities of their external partners, so they will also be asked about their outsourcing arrangements as part of the authorisation and registration process.

Information required following authorisation or registration

From 13 January 2018, payment services providers must identify, classify and manage the risks affecting the payment services they provide.

Firms providing payment services must:

  • establish an effective risk management framework to identify and classify risks affecting the services they provide
  • be able to identify and implement steps required to manage these risks
  • ensure that their risk management framework can identify new and emerging risks

Firms should be able to detect, manage and resolve major incidents affecting the payment services they provide. Payment services providers will also be required to notify the FCA of major incidents.

More information

For the latest information sign up to the PSD2 mailing list or contact us.