REP018 – Your Key Questions Answered!

In this blog, fscom’s operational and information security expert, Will Finn, takes the time to answer all your key questions in relation to REP018 – the operational and security risk assessment that all payment service providers (PSPs) must submit to the regulator at least once a year.


What is REP018?

REP018 is the name given to the UK’s reporting return for the operational and security risk assessment that all payment service providers (“PSPs”) must submit to the UK regulator, the Financial Conduct Authority (“FCA”).

The UK has adopted the European Banking Authority’s regulations under the Payment Services Directive 2 (PSD2), but there are some differences in how these regulations have been adopted in the UK and in the EU member jurisdictions. For example, the regulator in Ireland, the Central Bank of Ireland (“CBI”), refers to the equivalent report as the “PSD2 Operational and Security Risk Assessment Return”.

PSPs must provide to the FCA and CBI at least once a year ‘an updated and comprehensive assessment of the operational and security risks relating to the payment services it provides and on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks’. If there has been a material change in the technical systems of the reporting PSP, it may report more frequently, or can be directed to do so by the regulator. In the UK, the FCA has stated that the frequency of reporting will not be more than quarterly.

In the UK, the report should be submitted on the data collection platform RegData, which replaced the use of GABRIEL last year.

In Ireland, the report is submitted via the Online Reporting System (“ONR”) on the CBI’s website.


What are the specific requirements of the operational and risk assessment report?

The report requires each PSP to complete the following:

  1. a risk assessment on operational resilience and information security;
  2. an analysis of the risk assessment findings; and
  3. whether or not the PSP is utilising the ‘corporate payment exemption’ (SCA-RTS Article 17 exemption).


There are some material differences to be considered, depending on which regulator the PSP is reporting to. In the UK, the FCA expects the full assessment to be attached to the report, along with information on the latest security audit conducted by the PSP. In Ireland, the CBI does not require you to attach the full report; however, it is more prescriptive in its requirements within the report itself. The CBI expects a breakdown of the five top risks ‘live’ in the firm and a more in-depth summary of the assessment itself, rather than simply attaching the full assessment.


Have the expectations for completing operational and security risk assessments changed since they were first introduced?

In short, yes. When the operational and security risk assessment reports were first introduced, back in 2018, the governing EBA guidelines were different than they are today. As a result, the expectations for these reports have changed.

The operational and security risk guidelines were introduced in 2017 and previously formed the basis of the operational and security risk assessment requirements, as the name suggests. These guidelines were fairly open and due to the introduction of ‘operational risk’, they effectively required firms to submit an enterprise-wide risk assessment.

This changed again in June 2020, as the operational and security guidelines were replaced with the introduction of the ICT and security risk management guidelines.

This change meant firms were expected to be more specific and technical, and the reporting obligation is now specific to information security and digital operational resilience rather than enterprise-wide. Firms are currently expected to maintain an enterprise-wide risk assessment to maintain good risk governance. However, for the purpose of reporting to the regulator, you can separate out your technical risks for the report, instead of including all enterprise risks.


What is the CIA triad?

The ICT and security risk management guidelines include a requirement for the measurement of risk to the confidentiality, integrity, and availability of information (“CIA”), known as the CIA triad.

The CIA triad is a well-documented IT concept that must be used to quantify your inherent risks. One way of doing this is as follows:  

  1. map your important business functions;
  2. establish the key dependency assets; and
  3. apply a CIA score to that asset.
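
The three steps above can be kept as a small, reviewable data model. The following is an added example, not part of the original blog or of any regulator's template: the function and asset names are constructed sample data, and both the 1 to 5 impact scale and the rule that a function inherits the highest score of any asset it depends on are assumptions.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed impact scale: 1 (negligible) to 5 (severe)

@dataclass(frozen=True)
class Asset:
    name: str
    c: int  # impact if confidentiality is lost
    i: int  # impact if integrity is lost
    a: int  # impact if availability is lost

    def __post_init__(self):
        for score in (self.c, self.i, self.a):
            if score not in SCALE:
                raise ValueError(f"{self.name}: CIA score {score} outside 1-5")

# Steps 2 and 3: key dependency assets, each with a CIA score (constructed data)
ASSETS = {asset.name: asset for asset in (
    Asset("payment-gateway-api", c=3, i=4, a=5),
    Asset("card-vault", c=5, i=4, a=3),
    Asset("core-ledger-db", c=4, i=5, a=4),
    Asset("customer-portal", c=3, i=3, a=3),
)}

# Step 1: important business functions mapped to the assets they depend on
FUNCTIONS = {
    "Payment initiation": ["payment-gateway-api", "core-ledger-db"],
    "Card data storage": ["card-vault"],
    "Account information": ["customer-portal", "core-ledger-db"],
}

def function_profile(function):
    """Roll asset scores up to a function: highest score per CIA dimension."""
    try:
        assets = [ASSETS[name] for name in FUNCTIONS[function]]
    except KeyError as missing:
        raise KeyError(f"unmapped function or unscored asset: {missing}") from None
    return {"C": max(x.c for x in assets),
            "I": max(x.i for x in assets),
            "A": max(x.a for x in assets)}

def shared_assets():
    """Assets that more than one function depends on (concentrated inherent risk)."""
    users = {}
    for function, names in FUNCTIONS.items():
        for name in names:
            users.setdefault(name, []).append(function)
    return {name: fns for name, fns in users.items() if len(fns) > 1}
```

An asset that appears in `shared_assets()` carries inherent risk for several functions at once, which makes it a natural candidate for the highest-priority controls.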


What if I am looking to avail of the corporate exemption from strong customer authentication (“SCA”)?

There is a question on the report that asks if you wish to avail of the corporate exemption from SCA as set out in the ‘regulatory technical standards for strong customer authentication and common and secure open standards of communication’ (“SCA and RTS”). This is asked because PSPs that wish to avail of the corporate exemption must provide evidence that their security measures are at least equivalent to those provided for by Article 17 of the RTS.

You are still expected to submit a risk assessment that supports your notification to avail of the exemption. You will need to show the regulator that your alternative security protocols are equal to or better than SCA and RTS.

In the UK, if you wish to avail of this exemption, you must submit the required information in the REP018 at least 3 months before you intend to use the exemption. The FCA will assess your processes and protocols using the information submitted in the report.

In Ireland, if you wish to avail of the exemption under Article 17, you must submit to the CBI a list of the processes / protocols for which you propose to apply the exemption along with confirmation that 4 specified criteria are met, signed at executive level.


What is expected from the audit requirement?

The audit obligation remains, and firms are still expected to perform ‘periodic’ IT audits.

Firms are expected to maintain a formalised audit plan that charts out the schedules for audits throughout the year, as well as other controls monitoring and testing mechanisms (such as penetration tests and vulnerability scans).

It should be noted that although the CBI does not request information on the latest security audit or an audit plan as part of the operational and security risk assessment, PSPs in Ireland are still required to perform regular IT audits.

It is important that the audit is performed by a professional with expertise in both cyber security and payment services. This could be an internal individual who is operationally independent or an external auditor.


How fscom can help

Our team of experts have extensive experience in helping PSPs with their operational and security risk assessment and IT audits. Through this process we have established a tried and tested methodology which meets the expectations of the regulator, while adding value to the business’ operations and risk management framework.

If you would like to discuss your specific requirements, please do not hesitate to get in touch with fscom today.
