REP018 is the name the FCA has given to the reporting return for the operational and security risk assessment that all payment service providers (PSPs) must submit to their regulator at least once a year, or more often as the regulator directs. Most other regulators, including the Central Bank of Ireland, simply refer to the return as the ‘operational and security risk assessment.’
Given that many PSPs are choosing to only submit once a year, it’s now time to get ready to submit your second return, so let’s take a look at what should be done this time.
Another meeting
In all likelihood, when you were completing your first return at the end of last year, you had a risk identification meeting. You will have brought together the stakeholders from different parts of your business to identify all the risks within your enterprise. Before submitting this year, you should conduct a similar exercise again. The reason for this is that most risks are not static, they constantly change due to two major reasons:
- the external environment around risks will have changed (such as changes in legislation or political events); or
- your internal business practices have changed (such as using a new piece of software).
Therefore, it is important that, as a business, you conduct another risk identification meeting to identify any additional risks that have materialised and any that are no longer in play. During this meeting you should also explore whether the treatments that you apply to your risks are still appropriate. It may be the case that a treatment applied is not as effective as you initially believed it would be. If that is the case, an additional or new treatment must be determined.
Action plan
The risk identification meeting will have highlighted the changes that have been, or should be, made to the risk register. We next turn our attention to the action plan. Last year, you will have identified risks that require further action. Whether the risk was newly identified and required a bespoke treatment, or the treatment was found to be insufficient, you will have instigated an action plan to deal with the risk.
The action plan is one of the key areas that must change in your risk assessment. One of three events will have happened.
- You have completed the action and a suitable treatment is in place. Therefore, you now consider the risk as acceptable.
- You have completed the actions, but the treatment is not having the desired effect. Therefore, you must consider further actions.
- You have been unable to perform the action, as per the action plan. Therefore, you must reconsider the action and its timeline.
Regardless, whichever event occurs, your risk assessment must be updated to reflect the change. If the treatment is suitable then the action should be moved to a change log, to retain an audit log, and the risk should be rescored in light of the new treatment. If the treatment was not suitable then the change log should be updated and the action plan should be amended to the newly decided action. If the action has not occurred yet due to changes in priorities, then the reason should be recorded and a new deadline for the original action should be set.
The main takeaway is that there should be clear updates to the risk assessment you previously submitted. A risk assessment is not a one-time exercise, but instead an iterative process that constantly changes as your business changes.
Audit of security measures
The REP018 asks the date of the last audit and for a brief summary of the findings. Interestingly, the Irish equivalent does not ask for any audit details (regardless Irish PSPs are required to have an audit under the below mentioned references). There are two references for the audits:
- the EBA’s guidelines on the security measures for operational and security risks states that PSPs must have audits of their security measures; and
- the RTS states that PSPs should audit the security measures related to strong customer authentication and open banking.
Now is the time to consider how you can efficiently and effectively meet the requirement to audit your security measures.
First of all, in order to save your business time, money and to lessen any repetition we advise that you conduct both audits as one. There is nothing stopping you from breaking this audit into more manageable elements if you so wish, however you may find that audit fatigue quickly sets in. You should test your essential systems annually, however in regard to your non-critical systems you can apply a less rigorous schedule, every three years.
You should ensure that the audit is performed by a professional with expertise in both cyber security and payment services. This could be someone in your own organisation as long as they are operationally independent. There has to be penetration testing and vulnerability scans as part of this testing framework.
The main takeaway is similar to the previous takeaway for action plans; ensure there is a clear update to the audit section of your REP018.
A new question
You may have noticed an additional question at the bottom of the form, that was not there when you submitted your last REP018. This new question is asking whether you are availing of the corporate exemption from SCA as set out in the RTS. This is asked because PSPs that wish to avail of the corporate exemption must provide evidence that their security measures are sufficiently robust.
If you plan to avail of the corporate exemption, then you must submit your REP018 form three months’ in advance along with the supporting evidence.
If you have already notified the FCA that you are availing of the corporate exemption you are still expected to submit a risk assessment that supports your notification to avail of the exemption.
How fscom can help
We have helped many PSPs develop and maintain their risk management framework and we have given expert guidance on and audited security measures. If you would like our help, please get in touch with our experts today.