In this blog, fscom’s operational and security expert, Greg James takes the time to answer all your key questions in relation to REP018 – the operational and security risk assessment that all payment service providers (PSPs) must submit to the regulator at least once a year.
What is REP018?
REP018 is the name given to the UK’s reporting return for the operational and security risk assessment that all payment service providers (“PSPs”) must submit to their regulator at least once a year. There are mechanisms in place to allow reporting as often as once a quarter as the Financial Conduct Authority (“FCA”) directs or if there has been a material change in the technical systems of the reporting PSP. The REP018 is referred to under different names throughout Europe, for example the Central Bank of Ireland (“CBI”) refer to it as the “PSD2 Operational and Security Risk Assessment Return”.
In the UK, the report is submitted on GABRIEL. Previously electronic money institutions (“EMIs”) would report via email, however EMIs now have access to GABRIEL and so should report through it.
In Ireland, the report is submitted via the Online Reporting System (“ONR”) on the CBIs website.
What are the specific requirements of the operational and risk assessment report?
The report requires each PSP to complete the following:
- a risk assessment on operational resilience and information security;
- an analysis of the risk assessment findings; and
- whether or not the PSP intends to utilise the corporate payment exemption.
There are some material differences to the report, depending on which regulator the PSP is reporting to, which should be considered. The FCA expects the full assessment attached to the report and information on the latest security audit conducted by the PSP. The CBI do not require you to attach the full report, however it is more prescriptive in its requirements within the report itself. The CBI expects a breakdown of the five top risks ‘live’ in the firm and a more in-depth summary of the assessment itself, rather than simply attaching the full assessment.
Have the expectations for completing operational and security risk assessments changed since it was first introduced?
In short, yes. When the operational and security risk assessment reports were first introduced, back in 2018, the governing EBA guidelines were different than they are today. As a result, the expectations for these reports have changed.
The operational and security risk guidelines were introduced in 2017 and previously formed the basis of the operational and security risk assessment requirements, as the name suggests. These guidelines were fairly open and due to the introduction of ‘operational risk’ effectively required firms to submit an enterprise-wide risk assessment.
This has since changed with the introduction of the ICT and security risk management guidelines, which replace the operational and security guidelines and came into effect in June 2020.
These new guidelines make a few changes, one of which is becoming more specific and technical. This means that the reporting obligation now is specific to information security and digital operational resilience rather than enterprise wide. It should be noted that firms are expected to maintain an enterprise-wide risk assessment to maintain good risk governance. However, for the purpose of reporting to the regulator, you can separate out your technical risks for the report, instead of including all enterprise risks.
What is the CIA triade?
The new ICT and security risk management guidelines introduce a new requirement for the measurement of risk - the confidentiality, integrity, and availability (“CIA”) triade.
The CIA triade is a well-documented IT concept that must be used to quantify your inherent risks. One way of doing this is as follows:
- map your important business functions;
- establish the key dependency assets; and
- apply a CIA score to that asset.
What if I am looking to avail of the corporate exemption from strong customer authentication (“SCA”)?
There is a question on the report that asks if you wish to avail of the corporate exemption from SCA as set out in the ‘regulatory technical standards for strong customer authentication and common and secure open standards of communication’ (“RTS”). This is asked because PSPs that wish to avail of the corporate exemption must provide evidence that their security measures are sufficiently robust.
You are still expected to submit a risk assessment that supports your notification to avail of the exemption. You will need to show the regulator that your alternative security protocols are equal to or better than SCA.
What is expected from the audit requirement?
The audit obligation remains, and firms are still expected to perform ‘periodic’ IT audits. The scope of an PSD2 IT audit has slightly changed due to the changes to the guidelines.
Firms are now expected to maintain a formalised audit plan that charts out the schedules for audits throughout the year as well as other testing mechanisms (such as penetration tests and vulnerability scans).
It should be noted that although the CBI do not request information on the latest security audit or an audit plan, as part of the operational and security risk assessment, PSPs in Ireland are still required to perform regular IT audits.
It is important that the audit is performed by a professional with expertise in both cyber security and payment services. This can potentially be an internal individual who is operationally independent or an external auditor.
How fscom can help
We have helped many PSPs with their operational and security risk assessment and performed their IT audits over the past few years. Through this process we have established a tried and tested methodology which meets the expectations of the regulator, while adding value to the business’ operations and risk management framework.
If you would like to discuss your specific requirements, please do not hesitate to get in touch with me today.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.