The European Banking Authority (EBA) launched today a consultation on its draft Guidelines on security measures for operational and security risks under the revised Payment Services Directive (PSD2). The Guidelines have been developed in close cooperation with the European Central Bank (ECB), and are in support of the objectives of PSD2, such as strengthening the integrated payments market in the EU, mitigating the increased security risks arising from electronic payments, and promoting equal conditions for competition. The consultation runs until 7 August 2017.
PSD2 requires payment service providers (PSPs) to establish a framework with appropriate mitigation measures and control mechanisms to manage operational and security risks arising from the payment services they provide, and has mandated the EBA to specify the details of these requirements.
In particular, these draft Guidelines cover the governance of the operational and security risk management framework, the risk management and control models, outsourcing, the identification, classification and risk assessment of functions, processes and assets, as well as the protection of the integrity of data, systems and confidentiality, physical security and asset control.
In addition, the draft Guidelines propose requirements in relation to the monitoring, detection and reporting of security incidents and risks, business continuity management, scenario-based continuity plans, incident management and crisis communication, the testing of security measures, and situational awareness and continuous learning. Finally, in order to ensure that the security measures implemented by the PSPs are well communicated to payment service users (PSUs) the Guidelines also cover the management of the relationship with PSUs.
Please note that the deadline for the submission of comments is 7 August 2017 and that no attachments can be submitted. A public hearing will then take place at the EBA premises on 20 June 2017 from 13.00 to 16.00 UK time.
Legal basis and background
These Guidelines have been drafted in accordance with Article 95(3) of Directive (EU) 2015/2366 on payment services in the internal market (PSD2), which mandates the EBA, in close cooperation with the ECB, to issue Guidelines with regard to the establishment, implementation and monitoring of the security measures, including certification processes where relevant. The Guidelines are addressed to both competent authorities and PSPs.
The Guidelines are one of the 11 mandates conferred onto the EBA in PSD2, which entered into force on 12 January 2016 and which will apply from 13 January 2018.
The EBA statement can be found here.