Around this time last year we published a blog on REP018, discussing the reporting obligation and who had to submit. Just to recap, REP018 is the name the FCA has given to the reporting return for the operational and security risk assessment that all payment service providers (PSPs) must submit to their regulator at least once a year, or more often as the regulator directs. Most other regulators, including the Central Bank of Ireland, simply refer to the return as the ‘operational and security risk assessment.’
Discussing reporting obligations with our payments clients recently has revealed a lack of awareness of REP018, a report driven by the requirements of the second Payment Services Directive (PSD2). PSD2 includes Article 95(2), which requires payment service providers (PSPs) to provide the competent authority with an operational and security risk assessment. So, what is REP018 and why has it caught so many by surprise?
At what point does empowering individuals to be ‘masters of their own personal data destiny’ encroach on a payment service provider's legal responsibility to prevent fraud, safeguard its venture and limit criminal activity?
GDPR Fines! GDPR Fines! GDPR Fines! The war cry of solicitors and tech consultants across Europe for the past year has become so loud that it’s almost impossible to distinguish it from all the other noise on social media and in the news.
Much of our time is, and seems always to have been, spent trying to interpret exactly what the regulations or, more importantly, the Regulator is expecting. A leading question asked by many compliance officers is: 'What do they expect of my company?' This is often where the compliance consultant comes in.