PSD2 implementation: UK FCA amends supervision guide to cater for new security measures

banner image

Financial data is one of the most attractive data sets for hackers, so financial institutions are at a high risk of being attacked. The consequences of an attack can be severe. Cyber attacks are on a steady rise in an increasingly interconnected world with attackers becoming ever more sophisticated. Regulators are making cybersecurity a priority and urging firms to become more resilient and to report security breaches. The EU’s revised Payment Services Directive (PSD2) is no exception and contains requirements to manage operational and security risks.

In this context, the UK’s Financial Conduct Authority (FCA) is updating its Approach document on the regulation of payments and the Supervision manual (SUP) in its rulebook.  Its latest consultation (CP18/6 – chapter 5) arises from publication of the EBA’s Guidelines on security measures for operational and security risks in December, together with the need to align its Approach document with the UK Payment Systems and Services and Electronic Money (Miscellaneous Amendments) Regulations 2017 (the “PSSRs”). These amended the Payment Services Regulations 2017 which transposed PSD2 into UK law.

Background

PSD2 requires payment services providers (PSPs) to establish a framework with appropriate mitigation measures and control mechanisms to manage operational and security risks for payment services. This was transposed into UK law by regulation 98 of the 2017 Regulations. The FCA, which had already published its Approach document for the supervision of payments services last autumn (click here) has said it will comply with the EBA Guidelines (which have applied since 13 January 2018). According to the FCA, the Approach document and the Guidelines are to be read together.

Approach Document

The FCA proposes to add a new chapter 18 to its Approach Document to reflect the Guidelines. The chapter will highlight areas where the FCA identifies potential operational and security risks, in particular, over how payment accounts are accessed by account information service providers (AISPs) and payment initiation  service providers (PISPs). This is an area where banks are especially concerned about security breaches. Another aspect of the proposal concerns the UK regulator’s expectations where PSPs use third parties. In this regard, the use of outsourcing does not alter the need for PSPs to show how they have identified and addressed relevant risks.

Other consequential amendments to the Approach Document to reflect the changes made by the PSSRs to the principal regulations are:

  • Chapter 5 – appointment of agents and use of distributors: the amendments reflect the fact that registered AISPs may appoint agents. As is a normal principle of outsourcing, regulated firms retain full responsibility and accountability for discharging all of their regulatory responsibilities;
  • Chapter 10 – safeguarding: the amendments reflect the fact that the proceeds of an insurance policy or guarantee held as a safeguarding method may be paid into a safeguarding account under the segregation method.

New Reporting Obligations

Additionally, the FCA proposes to impose reporting requirements on firms as provided for by regulation 98 of the 2017 regulations. This will require amendments to SUP to oblige PSPs to comply with the Guidelines to develop and maintain an operational and security risk management framework and to specify the form, content and frequency of reporting. As EU Regulation 1093/2010 already requires all PSPs “to make every effort” to comply with EBA Guidelines, the FCA explains that their proposal is to “clarify” the expectation that PSPs must comply and presumably facilitate enforcement.

The FCA’s specified reporting form requires the submission of two documents in one attachment: (i) a risk assessment, and (ii) an assessment of the adequacy of mitigation measures and control mechanisms. The risk assessment should include all the requirements of the EBA Guidelines (e.g. a list of functions, processes and assets supporting the payment services provided and classified by criticality etc.).

As for the timing of reports, PSPs have some discretion but are to submit their reports to the FCA at least once per calendar year, when they have been performed. PSPs can report through the regulator’s electronic reporting service, Gabriel, although electronic money issuers (not having access to Gabriel) will do so by email.

The consultation is open for six weeks until mid April 2018.

Sarah Williams is an associate in Baker McKenzie's Financial Services Group in London specializing in non-contentious financial services and compliance matters.
Richard Powell is a professional support lawyer within Baker McKenzie's global financial services group where he is responsible for supporting the group's legal and technical knowledge.