European Banking Authority Issues Guidelines for Assessing and Managing Security and Operational Risks in Payment Services
12/12/2017

The European Banking Authority (EBA) has published finalized guidelines to assist payment service providers in conducting appropriate assessment and management of the operational and security risks arising from the payment services they provide. The finalized guidelines contain some changes from the draft guidelines on which the EBA launched a consultation in May 2017.
The revised Payment Services Directive (PSD2), which will take effect from January 13, 2018, will require EU payment service providers (PSPs) to establish a risk management framework comprising appropriate mitigation measures and control mechanisms to manage the operational and security risks that arise from the payment services they provide. PSPs must also provide their national regulator annually (or more frequently if required) with an updated and comprehensive assessment of the operational and security risks relating to the payment services they provide and of the adequacy of the mitigation measures implemented in response to those risks.
The first guideline sets out a general principle of proportionality, which takes into account the wide variety of business models and risks implied by payment services provided by PSPs that are structured and regulated very differently. A further eight guidelines cover:
(i) Governance, including the content, focus and sign-off of the risk management framework, the models to be used for risk management and control and considerations for outsourcing;
(ii) Risk assessment, including identifying all relevant business functions, key roles and supporting processes and information assets and then classifying and assessing the relevant operational and security risks attaching to them;
(iii) Protection, requiring PSPs to establish and implement preventive security measures, including physical security measures and access control, against identified risks to ensure the integrity and confidentiality of data and systems;
(iv) Detection, requiring establishment of processes and capabilities for continuous monitoring of functions, processes and assets for anomalous activity, information leakage, malicious code and other threats and for the reporting of operational or security incidents;
(v) Business continuity, requiring PSPs to conduct appropriate analysis of potential business disruptions and put in place response and recovery plans and crisis communication measures;
(vi) Testing, requiring PSPs to establish a testing framework to validate the robustness and effectiveness of security measures;
(vii) Situational awareness, requiring PSPs to develop the capability to stay abreast of developing threats and provide appropriate training; and
(viii) Payment service user relationship management, including processes to ensure payment services users are provided with assistance, guidance and updated information and alerts on security threats.
The guidelines will apply to all PSPs from January 13, 2018.