REP018 Operational and Security risk

The New Operational and Security Risk Assessments Guidelines by FCA: What Does It Mean To Payment and E-Money Services?

In June 2018, FCA published its proposal Approach on how payment service providers (PSPs) should provide operational and security risk assessment to FCA annually under SUP 16.13.15. The FCA published this policy after EBA had already prepared its final guidelines December 12th last year. Since then the FCA has had the opportunity to publish the final guidelines, but they finally did it June this year. What does this mean for payment service providers?

The background

Under the FCA, all PSPs must have an effective operational and security management framework that relates to the services they offer. Since the EBA published its final guidelines, it has been up to FCA to publish it, but now that it has implemented it, the guidelines are now officially introduced into national law. Even if the consultation does not tell us much, it introduces PSPs to a new and essential requirement. All PSPs need to submit the risk assessment reports of their operational and security risk every year. It must be related to the services they provide.

The published guideline on FCA also acts as a form of direction that all PSPs must follow. All PSPs including payment institutions, credit institutions, registered account service provides and e-money institutions, whether registered or authorized must abide by the guidelines. Each PSP must submit the latest risk assessment, details of the number of security-related complaints from the customer, the audit and their findings.

The new guidelines are also designed to highlight key areas which FCA has identified as potential for operational and security concerns. Potential concerns include the way payment accounts are assessed for:

• Account Information Services (AIS) purposes
• Payment Initiation Services (PIS purposes
• Expectations where PSPs use third parties

These changes are made available in the FCA’s supervision handbook. The FCA is also mandating additional proposals such as:

• The operational and security risk management by the PSPs should be proportionate to the nature, size, scope, riskiness, and complexity of its payment services and operational models it offers.
• PSPS should also consider how agents introduced the security or operational risk. It is the PSP responsibility to ensure that every identified risk are mitigated.
• The PSP operational and security risk framework also needs to set out mitigation measures when outsourcing relevant payment services they offer. The guidelines apply whether they outsource the services within the PSP’s organization or other organizations. Even when you outsource to parties that fall outside the FCA’s regulations, they still have full responsibility to discharge their obligations under the FCA’s regulatory perimeter.
• Any PSP firm that wants to outsource these obligations to a third party IT Company or the cloud should consult and seek the assistance of an FCA’s specialist.

It is not a must for FCA’s specialist to take the risk assessment task for your PSP. Your internal audit team can undertake the assessment task or hire a professional company that can help you with the process. The FCA has made everything clear for everyone and expects PSPs to comply with the published guidelines