Discussing reporting obligations with our payments clients recently has revealed a lack of awareness of REP018, a report driven by the requirements of the second payment services directive (PSD2). PSD2 included Article 95(2), which requires payment services providers (PSPs) to report to the competent authority with an operational and security risk assessment. So, what is REP018 and why has it caught so many by surprise?
The rationale and the history
There has always been a requirement to assess the risks to your business and show the FCA that you are alive to the weaknesses in your business, having taken steps to manage, control and strengthen those weaknesses.
However, PSD2 ups the ante, and quite reasonably so. Globally, we have come to realise our vulnerability to attack. A recent example: the data breach hack into British Airways (BA) where details of thousands of customers who booked flights on the airline’s website had their information, worth potentially millions to criminals, stolen. BA has suffered damage to its reputation and has voluntarily paid out compensation but there may yet be further fallout if the Information Commissioner’s Office decides to impose a fine or even ban them from processing personal data (effectively halting their operations). At an event I attended recently, it was said that for every £10 spent defending against attacks it only costs 10p to attack. That’s a major disadvantage in protecting your valued assets.
And so, in PSD2, the European Banking Authority (EBA) was commissioned to produce guidelines on security measures for operational and security risks. After consultation, they published their final guidelines last December.
Since the EBA guidelines were still outstanding when the approach document and reporting returns were first published, there was no further information provided until the FCA consulted in March. The finalised REP018 was published in July along with accompanying guidance in chapter 13 in the FCA’s approach document.
What is REP018?
REP018 is the operational and security risk report that all PSPs must complete, that means all credit institutions, payment institutions, e-money institutions (whether authorised or registered) and registered account information service providers. It must be completed at least annually however it can be submitted as frequently as every quarter. The report must be submitted on GABRIEL, unless you are an electronic money institution in which case you should email the excel sheet to the FCA. The report requires each PSP to provide the latest risk assessment, their analysis of the findings, details of the latest audit and the number of security related customer complaints. So, what is involved in producing and maintaining a risk assessment, that is suitable for use and reporting to the FCA?
Undertaking the risk assessment
Identifying your organisation’s weaknesses begins with establishing the risk assessment methodology; you have to decide whether you want a qualitative or quantitative risk assessment. In my view, a quantitative approach is ideal for time- and budget-bound single-purpose project because the costs of the risks materialising can be calculated. Conversely, the costs are very difficult to quantify for enterprise-wide assessments that are conducted on an ongoing basis and the qualitative approach is more suitable.
Once you have identified a risk assessment methodology you can start the first step of the risk assessment, which is identifying the risks. Arguably, this is the most important part of this process since an undiscovered risk is, by default, an accepted risk without mitigation. The operational aspect means everything – HR, finance, IT, customer services, payments team, even catering (if you have such a department!).
After identifying the risks, you must assess the impact the risk would have on your business if it crystallised, and the likelihood of it happening. A risk matrix will allow you to map and accurately assess the identified risks by considering likelihood against impact. In my experience, companies are usually aware of only around 30% of their risks. You will likely find this exercise reveals more about your business than you were previously aware; after you're finished, you’ll start to appreciate the effort made.
It’s finally time to take some action and decide what to do with these risks; you can approach this either on a cyclical basis or a risk basis. We advise a risk basis as not all risks are created equal and resources are not infinite – therefore, focus on the most important ones. There are four options for dealing with an identified risk:
- Tolerate (accept) - it is within your organisation's level of risk acceptance.
- Terminate (reject) - cease the activity or change the process that is causing the risk.
- Transfer (usually through insurance) - think cyber insurance.
- Treat (control) - apply a control or risk mitigation process to reduce the risk.
After re-assessing the risks, an action plan must be formulated. Your action plan is carrying out the mitigations you identified earlier to address each weakness. For instance, set a date by which the new policy is to be created and enforced, with follow-up dates for staff training and confirmation that staff have read and agreed to abide by the policy.
We have identified our risks, prioritised them, identified a treatment for each risk, that’s it. One more process complete to be placed on a shelf and dusted down sometime later…
A risk assessment is a live document and should be a continuous process, the key to successful enterprise risk management is the response to this plan. Risks that are acceptable now may become unacceptable in the future. A method of determining whether the risk assessment must be changed is the testing. The testing of your controls can be conducted either by going through a hypothetical situation, walkthrough scenario or a live simulation and documenting any lessons learned to improve upon your controls.
Clearly, risk assessments can be undertaken by an internal team, but many find that deploying our expertise to be invaluable because we bring:
- independence in calibrating the risks across the business;
- a breadth of experience in benchmarking against others in the industry; and
- a depth of knowledge that makes us efficient in undertaking the task.
If you require any advice, please do not hesitate to contact me, or any of the team at fscom.