On July 6, 2018, the U.K. FCA updated its Approach Document on payment services and electronic money, to reflect final guidelines issued in December 2017 by the EBA on security measures for mitigating operational and security risks under the revised Payment Services Directive. The changes will affect all payment service providers. The FCA has also updated its webpage on reporting requirements for payment services providers and e-money issuers to reflect these changes. The webpage includes a link to the revised version of the FCA's REP018 (operational and security risk) reporting form.

The FCA will expect payment services providers to comply with the EBA guidelines, which cover issues such as operational and security risk management framework governance, the use of models, outsourcing and how functions, processes and assets should be identified, classified and risk-assessed. The EBA guidelines also cover security of data integrity, systems and confidentiality as well as physical security and asset control and communication of the security measures to payment service users. PSPs will be expected to report at least annually to the FCA on their operational and security risk management frameworks.

The updated Approach Document shows tracked changes from the previous version. The key changes in the Approach Document are:

  • revisions to Chapter 13 (reporting and notifications); and
  • revisions to Chapter 18 (operational and security risks).

Other minor changes have been made, to clarify the FCA's guidance or reflect legislative change, in Chapter 3 (Authorisation and registration), Chapter 4 (Changes in circumstances of authorisation or registration), Chapter 10 (Safeguarding) and Chapter 15 (Fees).

The Updated Guidance is available at: https://www.fca.org.uk/publication/finalised-guidance/fca-approach-payment-services-electronic-money-july-2018-track-changes.pdf, the updated webpage on reporting requirements is available at: https://www.fca.org.uk/firms/reporting-requirements-payment-institutions and details of the EBA Guidelines on PSD2 security measures for security and operational risks are available at: https://finreg.shearman.com/european-banking-authority-issues-guidelines-for-.
