- The European Banking Authority’s operational and risk management guidelines apply to all payment service providers operating in the EU.
- The guidelines establish required security measures, including an effective operational and security risk management framework, threat detection and prevention processes, and risk assessment and mitigation procedures.
- IT and cybersecurity are also addressed by the guidelines, which will apply to outsourcing and cloud computing arrangements in addition to internal operations.
On 12 December 2017, the European Banking Authority (EBA) issued its Final Report on the guidelines on the security measures for operational and security risks of payment services. The guidelines have been published under Article 95(3) of the Payment Services Directive (EU) 2015/2366 (PSD2), which requires the EBA to develop guidelines for managing operational and security risks of payment services.
The guidelines build on existing EBA guidelines on the security of internet payments under PSD1 (EBA/GL/2014/12), and other operational and security risk-related standards and frameworks, adapted as necessary for the field of payment services. There are nine guidelines in total, with which all payment services providers (PSPs) are expected to comply. The first covers the so-called general principle of proportionality, with the remainder covering specific topics such as governance, risk assessment, protection, monitoring and detection, and business continuity and testing.
Guideline 1: The General Principle
The Guidelines apply to all PSPs; however they are subject to the principle of proportionality. This means that operational implementation of the Guidelines (i.e., each individual measure) may differ between PSPs depending on their size, and “the nature, scope, complexity and riskiness of the particular services that the PSP provides or intends to provide.”
The EBA has confirmed that the Guidelines apply to PSPs of all shapes and sizes—not just the dedicated providers and the banks (but only as regards their payment services), but also the account information service providers (AISPs) and payment initiation service providers (PISPs) as well. However, applying the principle of proportionality means there is no one-size-fits-all approach to implementation.
—Tim Wright, Partner
Guideline 2: Governance
PSPs must implement, maintain and operate an operational and security risk framework. The framework, which requires management approval and annual review, must, amongst other things, include a comprehensive security policy document, describe applicable security procedures and systems, and be fully integrated with the PSP’s overall risk management processes. The framework, which must be properly documented, should be updated for “lessons learned” during implementation and then on an on-going basis.
Outsourcing (and by implication cloud computing, which we discussed in our recent Client Alert on the new EBA Cloud Computing requirements) gets a specific mention here. PSPs must ensure the “effectiveness of the security measures” contained in the Guidelines when outsourcing operational functions of payment services, including IT systems. In particular:
- appropriate and proportionate security objectives, measures and performance targets must be set out in outsourcing contracts, and service level agreements must be in place between PSPs and their service providers; and
- PSPs must “monitor and seek assurance on the level of compliance of these providers with the security objectives, measures and performance targets.”
PSPs must take steps to identify and seek to close any gaps with the Guidelines in their existing outsourcing and cloud computing agreements, as well as bringing their contract templates and sourcing checklists up to date. In doing so, the overlap with GDPR should not be overlooked, including the need for data protection impact assessments required under Article 35.
—Lee Rubin, Senior Associate
Guideline 3: Risk Assessment
Identification of interdependencies relating to operational and security risks is key, so PSPs must identify and hold an inventory of their business functions and supporting processes, mapped against the importance of each function and supporting process. PSPs must also establish an inventory of their information assets and interconnections with other systems, both internal and external, so as to enable those assets that support critical business functions and processes to be correctly managed.
PSPs must “continuously monitor threats and vulnerabilities and regularly review the risk scenarios impacting their business functions, critical processes and information assets.” In accordance with Article 95(2) of PSD2, they must carry out and make available to their competent authority a comprehensive risk assessment of the operational and security risks relating to the payment services they provide, including mitigation actions and control mechanisms. These documented risk assessments must be undertaken at least annually, and in addition prior to any major change of infrastructure, processes or procedures affecting the security of the payment services. PSPs must then implement any necessary changes to security measures, systems and procedures.
Guideline 4: Protection
Preventive security measures against identified operational and security risks must be established to provide an adequate level of security in accordance with the risks identified, adopting a “defence-in-depth” approach with multi-layered controls covering people, processes and technology. In this respect, PSPs’ handling of personal data must comply with applicable privacy laws. Physical security and access control measures must be in place, and data and systems integrity and confidentiality must be taken into consideration during the design and development of the payment services.
Guideline 5: Detection
PSPs must implement continuous monitoring of business functions, processes and data to detect anomalies in their payment services, including physical and logical intrusion, breaches of confidentiality, and unavailability of or other compromises to information assets used in the payment services. PSPs should also establish processes for incident monitoring and reporting covering both major incidents, as required by Article 96 of PSD2, and non-major ones. Monitoring and detection processes should, amongst other things, detect misuse of access by “service providers or other entities.”
Guideline 6: Business Continuity
In line with best practices, PSPs must “establish sound business continuity management to maximise their ability to provide payment services on an on-going basis and to limit losses in the event of severe business disruption.” Business continuity plans should prioritise the continued operation of critical functions, processes and transactions on a risk-based approach, and should be regularly updated and tested at least annually.
Guideline 7: Testing of Security Measures
PSPs should establish testing frameworks that validate the robustness and effectiveness of the PSP’s security measures and are updated as new threats and vulnerabilities are identified. Testing must be carried out by independent testers; critical systems should be tested at least annually, and non-critical systems on a risk-based approach, but at least every three years.
Processes and organisational structures should be used to identify and constantly monitor material threats to the ability to provide the payment services, including technological developments and associated security risks. Staff should receive training so that they can perform their duties and responsibilities in accordance with relevant security policies and procedures, with a focus on the reduction of human error, theft, fraud, misuse and loss. Training should be annual, or more frequent if needed.
Guideline 9: Payment Service User Relationship Management
This last guideline requires PSPs to enhance end users’ awareness of the associated security risks. PSPs should provide alerts on fraudulent or malicious use (or attempted use) of end users’ accounts and, where product functionality permits, implement specific measures that allow end users to disable specific payment functionalities (e.g., contactless payment), as well as the option to adjust pre-agreed spending limits up to the maximum agreed limit (per Article 68(1) of PSD2).
PSD2 came into effect on 13 January 2018, as did the Guidelines. This means that new applicants seeking authorisation as payment or electronic money institutions must now take these Guidelines into account and must make every effort to comply with them. Existing PSPs, however, will not have to comply until the guidelines are implemented by competent authorities into their national regulatory or supervisory frameworks. The UK’s Financial Conduct Authority, for example, has said that it will conduct a consultation on the application of the guidelines in 2018. This extra time will enable PSPs to carry out a gap analysis against current measures, including outsourcing and cloud computing contracts with service providers who perform any outsourced operational functions of payment services, including IT systems, to identify whether or not those measures are adequate, and to close any gaps identified.