The European Banking Authority (EBA) has published its consultation document on security measures for operational and security risks under the revised Payment Services Directive (PSD2).
The WannaCry ransomware attack that swept across the globe last week revealed the destructive and indiscriminate nature of cyber threats. It attacked hospitals, telecoms networks and universities, seizing hold of important data and leaving users and systems administrators temporarily powerless. These are precisely the risks that the payments industry wants to avoid as it braces for the revised PSD2, which will come into force across the EU from 13 January 2018. As such, the EBA has published a consultation paper on security measures for operational and security risks under PSD2, setting out proposed requirements for payment services providers (PSPs) to mitigate the concomitant payment processing risks.
The consultation paper is one of the EBA’s three security mandates in PSD2, complementing the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication (submitted to the European Commission for adoption 23 February 2017), and the Guidelines on Major Incidents Reporting (which recently finished its consultation).
The security measures consultation paper itself works at a fairly high level, attempting to remain technology-neutral in the wake of ever-evolving consumer financial technologies and acknowledging that PSPs will need to “adapt their measures frequently to the changing landscape”. It does however set out a number of key principles, including:
-
Good governance: Proposed Guideline 1 clarifies that PSPs should implement robust operational and security risk management frameworks, so as to foster a culture of risk monitoring and continuous learning. This includes guidance on outsourcing.
-
Risk assessment: Proposed Guideline 2 states that PSPs should identify critical business functions and prioritise and protect them. This attempts to give PSPs tools to protect themselves and ensuring the robustness of internal security measures.
-
Protection & detection: Proposed Guideline 3 requires PSPs to prepare and implement appropriate, effective controls and systems to prevent, limit and contain a potential security incident, taking a defence-in-depth approach. Proposed Guideline 4 builds an ability to detect system incidents and build strong security on the back of this.
-
Business continuity: Proposed Guideline 5 requires PSPs to respond to sever business disruption and engage crisis communications and management in the event of a security incident.
-
Testing and awareness: Proposed Guidelines 6 and 7 require that security measures are tested, and that PSPs are aware and prepared for state-of-the-art threats. Proposed Guideline 7 also emphasises the importance of information sharing, so that all PSPs can build a robust security ecosystem.
-
User engagement: Proposed Guideline 8 stipulates that users are “the most critical stakeholders in the overall process” and that users should be educated, actively engaged and be cognisant of security risks and any reporting tools to PSPs.
The EBA consultation is open until 7 August 2017. In the meantime, the UK’s Financial Conduct Authority (FCA), which this week published a statement encouraging financial services firms to develop a “security culture” and prioritise cyber-resilience, will consider the potential implications for the Handbook and its Approach Document and PSPs, heeding the guidance of the EBA to constantly monitor and respond to risks, and brace for the future.
