In order to become re-authorised under PSD 2, firms had to satisfy the FCA that they had an operational and security risk management framework in place and that this framework was adequate as defined by European Banking Authority (EBA) guidelines.
In relation to IT security risk, this involved preparing a detailed IT security policy document that covered:
All the above is theoretical and is of little value if it is not being carried out in practice. In order to enable the FCA to assess whether the theory is being put into practice a report, REP018, is required to be completed by firms.
The reporting can be divided into two parts: IT security risk and operational risk.
IT security risk
In terms of IT security risk and the related mitigation measures, an independent IT audit is required. Section 7.4 (6) (testing of security measures) of the EBA Guidelines on security measures for operational and security risks under PSD2 states that:
“the testing framework should ensure that tests are carried out by independent testers who have sufficient knowledge, skills and expertise in testing security measures of payment services and are not involved in the development of the security measures for the corresponding payment services or systems that are to be tested…”
You are required to include in the report a summary of the audit findings, as well as attaching the audit report itself.
Operational risk
The operational risk assessment involves a review of a firm’s non-IT risks and testing whether the mitigation measures documented in that assessment have been effective. This process may involve adding new risks and explaining the related mitigation measures, and possibly removing risks that are no longer relevant. The risk review process should involve appropriately senior people within your firm and should be discussed at board level before finalisation.
The operational risk and security risk assessment processes should be carried out at least once a year. The form REP018 is sent to authorised firms on a quarterly basis and is required to be filed with the FCA within 3 months. So, a return for the quarter ended 30 September 2018 would need to be filed by 31 December 2018.
As the requirement to carry out the operational and security risk assessments is once a year, it may be that a given quarter’s return is filed on a nil basis.
PKF Littlejohn is able to help you comply with the new PSD 2 reporting requirements. Please send me an email if you are affected by anything mentioned in this article.
Alternatively, give me a call on +44 (0)20 7516 2232.