European Banking Authority Consults on Guidelines on Security Measures for Operational and Security Risks under the Revised Payment Services Directive

Shearman & Sterling LLP

The European Banking Authority (EBA) has launched a consultation on draft Guidelines on security measures for operational and security risks under the revised Payment Services Directive (PSD2). PSD2, which will apply from January 13, 2018, requires payment service providers (PSPs) to establish a framework of appropriate mitigation measures and control mechanisms to manage the operational and security risks relating to the payment services they provide. The framework must include effective incident management procedures, including procedures for the detection and classification of major operational and security incidents. Each PSP is also required to report annually to its national regulator, providing an updated and comprehensive assessment of the operational and security risks relating to the payment services it provides and of the adequacy of the mitigation measures implemented in response to those risks. The draft Guidelines aim to specify those requirements in detail and will apply both to PSPs and to the national regulators responsible for monitoring PSPs' implementation of them.

In addition, the draft Guidelines cover the governance of the operational and security risk management framework, risk management and control models, outsourcing, the identification, classification and risk assessment of functions, processes and assets, and the protection of the integrity and confidentiality of data and systems, including physical security and asset control. The draft Guidelines also propose requirements on the monitoring, detection and reporting of security incidents and risks; business continuity management, including scenario-based continuity plans; incident management and crisis communication; the testing of security measures; situational awareness and continuous learning; and the management of the relationship between PSPs and payment service users (PSUs).

The draft Guidelines should be read in conjunction with the final draft Regulatory Technical Standards (RTS) on Strong Customer Authentication and Common and Secure Communication, which the EBA submitted to the European Commission on February 23, 2017, and with the draft Guidelines on Major Incidents Reporting, on which the EBA recently consulted. The consultation on these draft Guidelines runs until August 7, 2017.

View the consultation paper.

View the RTS on Strong Customer Authentication.

View the draft Guidelines on Major Incidents Reporting.
