REP018 Compliance

What is the Purpose of REP018 for Payment Service Providers?

REP018 is a mandatory reporting requirement for all UK-authorised Payment Service Providers (PSPs). This regulation, enforced by the Financial Conduct Authority (FCA), mandates that PSPs conduct and submit an annual operational and security risk assessment. The requirement aligns with the European Banking Authority’s (EBA) guidelines on ICT and security risk management, which followed the Payment Services Directive 2 (PSD2) in 2018.

What Does REP018 Entail for PSPs?

PSPs are required to provide the FCA with a detailed, annually updated report assessing the operational and security risks associated with their payment services. This report should outline the effectiveness of the implemented mitigation measures and control mechanisms. Notably, if significant changes occur in the PSP’s technical systems, or at the regulator’s discretion, more frequent reporting may be necessary, though not exceeding a quarterly basis.

What are the Core Components of the REP018 Report?

The REP018 report format includes 10 key questions that cover:

  • Evaluation of identified risks and the effectiveness of the mitigation measures;
  • Issues highlighted in the most recent audits and the actions taken in response;
  • Security-related customer complaints; and
  • Utilisation of the ‘corporate payment exemption’ under SCA-RTS Article 17.

What Additional Documents Should Accompany the REP018 Submission?

Attached to the report should be:

  • An assessment of the operational and security risks related to the PSP’s payment services
  • An evaluation of the adequacy of mitigation measures and control mechanisms

The assessments should meet the standards set in the EBA Guidelines as of December 12, 2017.

How Does a PSP Qualify for the Article 17 Exemption Under RTS-SCA?

PSPs desiring to use the corporate exemption from Strong Customer Authentication (SCA) under RTS-SCA must indicate this on their REP018 report and provide evidence that their security measures are at least equivalent to those mandated by Article 17 of RTS-SCA. Approval of this exemption requires submission of the REP018 at least three months prior to the intended use of the exemption.

What are the Audit Requirements Associated with REP018?

PSPs must conduct regular IT audits as part of their compliance. These audits should be executed by individuals with expertise in IT and cybersecurity relevant to payment services, and can be performed either internally by operationally independent staff or by external auditors. A structured audit plan detailing scheduled audits and other control tests, such as penetration testing, is essential.

How Can Complyport Assist with REP018 Compliance?

Complyport offers expert and relevant assistance in preparing and refining operational and security risk assessments and IT audits for PSPs. Our method not only ensures regulatory compliance but also enhances the operational and risk management frameworks of our clients. For personalised guidance and support, contact Complyport today.

Contact us for assistance

Please fill in our free consultation form and a member of our team will get in contact with you.