REP018 Report

REP018 Operational and Security Risk Report

REP018 is the operational and security risk assessment and reporting return that all payment service providers (PSPs), authorised in the UK, must submit to the regulator, the Financial Conduct Authority (FCA) at least once a year. This is a mandatory annual report for all UK based PSPs.

This regulation aligns with the European Banking Authority’s (EBA) regulations and guidelines under the Payment Services Directive 2 (PSD2), which the UK continues to follow post-Brexit. The report, which should adhere to the EBA’s ICT and security risk management guidelines, is to include a thorough evaluation of operational and security risks tied to the PSPs’ payment services, as well as the effectiveness of their mitigation strategies and control mechanisms. The report must be submitted via the data collections platform RegData

PSPs experiencing significant changes in their technical systems may be required to submit reports more frequently, although never more than quarterly, as per FCA guidelines.

What are the requirements?

The FCA refers PSPs to the EBA Guidelines issued on 12 December 2017 concerning operational and security risks of payment services. These guidelines outline the criteria for these assessments, including:

• Categorising business functions, processes, and information assets supporting payment services by their criticality.
• Evaluating functions, processes, and assets against known threats and vulnerabilities.
• Detailing security measures to counteract the identified operational and security risks from the assessment.
• Summarising findings from the risk assessment and outlining necessary actions resulting from it.

The standard REP018 report format must address questions related to:

• Evaluating risks and addressing mitigation, along with any identified shortcomings in mitigation measures.
• Actions taken to mitigate concerns highlighted in the latest audit.
• Customer complaints related to security matters.
• Usage or not of the ‘corporate payment exemption’ (SCA-RTS Article 17 exemption) by the PSP.

REP018 report requires the following assessments and documents to be attached:

• a risk assessment on operational and security risks, and
• the assessment of the adequacy of the mitigation measures and control mechanisms implemented as a response to the specific risks.

Further, the FCA expects the full assessment attached to the report and information on the latest security and IT Audit conducted. In-scope firms are still obligated to conduct ‘periodic’ IT audits under an established plan that outlines yearly schedules and other control monitoring and testing measures like penetration tests and vulnerability scans. It’s crucial that these audits are executed by an expert in IT, cybersecurity, and payment services, either an operationally independent internal individual or an external auditor.