REP018 – Your Key Questions Answered!

In this blog,fscom’s ICT and security expert, Will Finn, takes the time to answer all your key questions in relation to REP018 – the operational and security risk assessment that all payment service providers (PSPs) authorised in the UK must submit to the regulator at least once a year.

What is REP018?

REP018 is the name given to the reporting return of the operational and security risk assessment that all payment service providers (“PSPs”) authorised in the UK must submit to the UK regulator, the Financial Conduct Authority (“FCA”).

The UK has adopted the European Banking Authority’s (EBA) regulations under the Payment Services Directive 2 (PSD2) and post-Brexit the FCA continues to comply with the EBA Guidelines on ICT and security risk management. The assessments submitted to the FCA in the REP018 should comply with the requirements in the EBA guidelines.  

PSPs must provide to the FCA at least once a year ‘an updated and comprehensive assessment of the operational and security risks relating to the payment services it provides and on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks’.  The report should be submitted on data collection platform RegData.

If there has been a material change in the technical systems of the reporting PSP they may report more frequently or can be directed to by the regulator. The FCA has stated that the frequency of reporting will not be more than quarterly.

What are the specific requirements of the operational and risk assessment report?

The standard report format has 10 questions to be answered. These relate to:

  • the assessment of risks and mitigation measures and any deficiencies identified in mitigation measures;
  • issues identified in most recent audit and action taken to mitigate issues
  • security related customer complaints;
  • whether or not the PSP is utilising the ‘corporate payment exemption’ (SCA-RTS Article 17 exemption).

The following assessments and documents should be attached to the form:

  1. the assessment on the operational and security risks related to the payment services the firm provides;
  2. the assessment of the adequacy of the mitigation measures and control mechanisms implemented in response to those risks;

The FCA refers PSPs to the EBA Guidelines for operational and security risks of payment services as issued at 12 December 2017 for the requirements which should be met in these assessments. These include:

  • a list of business functions, processes and information assets supporting payment services provided and classified by their criticality;
  • a risk assessment of functions, processes and assets against all known threats and vulnerabilities;
  • a description of security measures to mitigate security and operational risks identified as a result of the above assessment; and
  • conclusions of the results of the risk assessment and summary of actions required as a result of this assessment. 


What if my firm wants to avail of the Article 17 exemption from the Regulatory Technical Standards for Strong Customer Authentication (“RTS-SCA”)?

There is a question on the report that asks if you wish to avail of the corporate exemption from SCA as set out in the ‘regulatory technical standards for strong customer authentication and common and secure open standards of communication’ (“RTS-SCA”). This is asked because PSPs that wish to avail of the corporate exemption must provide evidence that their security measures are at least as equivalent to those provided for by the Article 17 of the RTS-SCA.  

You are still expected to submit a risk assessment that supports your notification to avail of the exemption. You will need to show the regulator that your alternative security protocols are equal to or better than RTS-SCA.

If you wish to avail of this exemption, you must submit the required information in the REP018 at least 3 months before you intend to use the exemption. The FCA will assess your processes and protocols using the information submitted in the report.  

What is expected from the audit requirement?

The audit obligation remains, and firms are still expected to perform ‘periodic’ IT audits.

Firms are expected to maintain a formalised audit plan that charts out the schedules for audits throughout the year as well as other controls monitoring and testing mechanisms (such as penetration tests and vulnerability scans).

It is important that the audit is performed by a professional with expertise in both IT and cyber security and payment services. This could be an internal individual who is operationally independent or an external auditor. 

How fscom can help

Our team of experts have extensive experience in helping PSPs with their operational and security risk assessment and IT audits. Through this process we have established a tried and tested methodology which meets the expectations of the regulator, while adding value to the business’ operations and risk management framework.

If you would like to discuss your specific requirements, please do not hesitate to get in touch with fscom today.


This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate. 

Related Posts