Brand new FCA suggestions on operational and security risk management by Payment Services Providers (PSPs)

compliance consultants london apcc compliance consulting firms in london fsma

In March 2018, the FCA released its consultation paper (CP18/6) on its proposed approach to the application of the European Banking Authority’s (EBAs) final guidelines on security measures for operational and security risks of payments services under PSD2.

The Latest Approach document, Version 2, was released 19th December 2018

Generally, the documents do not tell us much we did not already have knowledge of. Nevertheless, it does propose a new and important obligation for PSPs to report to the FCA on an annual basis, and send an updated risk evaluation of the operational and security risks pertaining to the payment services they deliver.
fca template compliance manual risk management fca handbookThe Background
Under PSD2, payment service providers are mandated to establish an effective operational and security risk management framework pertaining to the payment services they provide. The EBA published its final Guidelines on 12 December 2017. It has then been up to the FCA to carry out this requirement into national law and to propose reporting requirements.
The proposal takes the form of a direction that all PSPs are to abide by the EBA Guidelines and a new Chapter 18 in the FCA’s payment services and e-money Approach Document, alongside additions to Chapter 13 of the Approach Document. The new Chapter 18 is designed to highlight areas through which the FCA has identified the possibility for particular operational and security risk problems, including relating to the way payment accounts are accessed for the functions of account information services (AIS) and payment initiation services (PIS), and on its expectations where PSPs take advantage of third parties.
Adjustments will also be made to the FCA’s Supervision Handbook, as well as amendments to the Payment Services Regulations 2017 (PSRs 2017) and the Electronic Money Regulations 2011 (EMRs 2011).
In the additional Chapter 18, the FCA mandates the following headline points:
  • A PSP’s operational and security risk management should be proportionate to its size and the nature, scope, complexity and riskiness of its operating model and the payment services it offers.
  • Particularly, PSPs should consider how using agents introduces operational or security risks, it is the obligation of the PSP to ensure that all identified risks, incorporating those arising from or surrounding agents, are mitigated.
When outsourcing functions relevant to the payment services it supplies, the PSP’s operational and security risk framework should lay out mitigation measures linked with risks that arise from the outsourcing. These may link with the relationship between the PSP and the outsourced provider or how the PSP monitors risks relating to those activities. This applies whether the outsourcing is ‘internal’ to an entity within the PSP’s operation, or ‘external’. PSPs should note that even if parties to which services are outsourced fall outside the FCA’s regulatory perimeter, the PSP retains full responsibility for discharging their regulatory obligations. A relevant act or omission by a party to which a PSP has outsourced activities will be considered the act or omission of the PSP. PSPs will therefore need to have effective (and full) oversight over each one of their various outsourced functions and ensure the relevant systems and controls remain in place to mitigate the identified security and operational risks.
compliance consultants london compliance doctor fca handbook connectAny firms wishing to outsource obligations to the cloud or to any third-party IT services company should consult the FCA’s specialist guidance on this point.
Reporting requirements
PSPs will be required to report to the FCA at least once per calendar year, but no greater than once per quarter, via a new “REP018 Operation and Security Risk” reporting form. PSPs are otherwise free to choose the frequency of reporting, albeit noting the FCA’s expectation that PSPs will “submit their reports when they are carried out and when they are most pertinent, rather than at a point in time when the information contained in reports might be less pertinent”.
The proposed reporting form is set out in the consultation and requires the PSP to include certain details relative to the relevant reporting period, such as the amount of operational and security incidents notified to the FCA and the amount of security related customer complaints. Alongside the report, PSPs are required to submit to the FCA:
  • an updated risk assessment of the operational and security risks relating to the payment services it provides; and
  • an assessment of the adequacy of the mitigation measures and control mechanisms implemented in response to those risks.
Each supporting document must include all of the relevant requirements of the EBA Guidelines, including the following:
  • in relation to the risk assessment: a list of relevant functions, processes and assets supporting the payment services together with a risk assessment relating to the same, a description of the security measures implemented to mitigate those risks, and the conclusions of the results of the risk assessment; and
  • in relation to the assessment of adequacy of mitigation measures: a summary description of the methodology used to assess effectiveness and adequacy of the mitigation measures, together with the assessment and any conclusions on deficiencies identified as a result of the assessment and proposed corrective actions.
Further guidance on the reporting requirements will be set out in Chapter 13 of the Approach Document.
Except the details pertaining to the reporting requirements, the consultation and final revision does not add much to what we already know: the substantive law is contained within the EBA Guidelines and the proposed additions to the Approach Document and the FCA’s Supervision Handbook only complement those EBA Guidelines.
Given the increasing role of technology in the payments sector and the amplifying (and emerging) risks posed by fraud and cyber threats, the FCA has made it clear that it is expecting PSPs to have adequate systems in place to be aware of the risks relevant to the payment services they offer and to describe that they have taken into account and implemented mitigation measures addressing those risks. It is also apparent that the FCA will be focusing more closely on how firms ensure sufficient oversight of their agents and/or outsourced arrangements, involving how those arrangements are overseen. This is likely to become a key area of supervision by the FCA for PSPs which have several agents and/or outsourcing arrangements.
Lee Werrell Chartered FCSI
Compliance Doctor