PSD2 newly regulates certain payment services and makes requirements on them relating to the security of those services. See below for more on the payment services affected and what firms need to do to apply for authorisation or registration.
PSD2 aims to increase protections for customers and make payment services safer and more resilient. It does this by bringing account information and payment initiation services into regulation and introducing security requirements that are relevant for all payment services providers.
Firms providing payment initiation services will need to apply for authorisation, while firms providing only account information services will need to apply for registration.
New information required at authorisation and registration
As part of the authorisation and registration process, firms will need to demonstrate that they have implemented effective security systems and controls covering access to sensitive payment data, incident management and business continuity.
Firms need to:
- provide security policies and procedures, including a risk assessment relating to their payment services, and describe the security controls and mitigation measures designed to protect payment service users
- demonstrate that they have effective processes to monitor and handle incidents and security-related customer complaints
- explain how they will deal with significant continuity disruptions, such as the failure of key systems, the loss of key data, or lack of access to premises
- demonstrate that they have an effective process to file, monitor, track, and restrict access to sensitive payment data, supported by measures such as data classification, access management, and monitoring tools
Firms are responsible for the activities of their external partners, so they will also be asked about their outsourcing arrangements as part of the authorisation and registration process.
Information required following authorisation or registration
From 13 January 2018, payment services providers must identify, classify and manage the risks affecting the payment services they provide.
Firms providing payment services must:
- establish an effective risk management framework to identify and classify risks affecting the services they provide
- be able to identify and implement steps required to manage these risks
- ensure that their risk management framework can identify new and emerging risks
Firms should be able to detect, manage and resolve major incidents affecting the payment services they provide. Payment services providers will also be required to notify the FCA of major incidents.
Further information:
- European Banking Authority (EBA) Guidelines on Authorisation and Registration - these guidelines set out the exact information that must be provided.
- Regulatory Technical Standards on strong customer authentication and secure communication under PSD2 - the EBA has finalised detailed requirements for strong customer authentication and for common and secure standards of communication. These apply to providers of account information services and payment initiation services once approved by the European Commission and the European Parliament.
- Firms can also refer to the security, risk management and business continuity industry standards and guidelines that are available for examples of best practice. For example, Cyber Essentials provides guidance on how organisations can protect themselves against cyber threats.