Security requirements for providers of account information or payment initiation services seeking authorisation or registration

Under the Payment Service Regulations 2017 (PSRs), providers of payment services must apply certain security requirements. Read more about what you need to do to apply for authorisation or registration.

Information you must provide for authorisation and registration

As part of the authorisation and registration process, you will need to demonstrate that you have implemented effective security systems and controls, access to sensitive payment data, incident management and business continuity.

You need to:

provide security policies and procedures, including a risk assessment in relation to your payment services, and describe security controls and mitigation measures designed to protect payment service users
demonstrate that you have effective processes to monitor and handle incidents and security-related customer complaints
explain how you will deal with significant continuity disruptions, such as the failure of key systems, the loss of key data, or lack of access to premises
demonstrate that you have an effective process to file, monitor, track, and restrict access to sensitive payment data such as data classification, access management, and monitoring tools

You are responsible for the activities of your external partners. So, you will also be asked about outsourcing arrangements as part of the authorisation and registration process.

Information you must provide after authorisation or registration

If you’re a PSP, you must identify, classify and manage risks affecting the payment services you provide.

You must:

establish an effective risk management framework to identify and classify risks affecting the services they provide
be able to identify and implement steps required to manage these risks
ensure that your risk management framework can identify new and emerging risks

You should be able to detect, manage and resolve major incidents affecting the payment services you provide.

You will also need to notify us of any major incidents.

More information

European Banking Authority (EBA) Guidelines on Authorisation and Registration - these guidelines outline the exact information which must be provided.
Technical standards on strong customer authentication and common and secure methods of communication.
You can also refer to security, risk management, and business continuity industry standards and guidelines that are available for examples of best practice. For example, Cyber Essentials provides guidance on how organisations can protect themselves against cyber threats.

For the latest information sign up to the PSRs mailing list or contact us.

Page updates

10/02/2023 : Editorial amendment page update as part of the website refresh

Security requirements for providers of account information or payment initiation services seeking authorisation or registration

On this page

Information you must provide for authorisation and registration

Information you must provide after authorisation or registration

Page updates

Was this page helpful?

On this page

Account information services (AIS) and payment initiation services (PIS)

Contact us

What we do

How we regulate

How we operate

Who we are

Join us

Firms overview

Regulated firms

Tasks for firms

Primary markets

Markets policy

Regulated markets

Market abuse

Short selling

Transaction reporting

Our Consumer section

Your rights

Complaints

Scams

Report a firm

Sign up to receive daily alerts on the warnings we issue

Media centre

On this page

Information you must provide for authorisation and registration

Information you must provide after authorisation or registration

Page updates

Was this page helpful?

On this page