Question ID
2018_4231
Legal act
Directive 2015/2366/EU (PSD2)
Topic
Strong customer authentication and common and secure communication (incl. access)
Article
95
Paragraph
2
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
EBA/GL/2019/04 – Guidelines on ICT and security risk management - repealing EBA/GL/2017/17
Article/Paragraph
3 / 4
Type of submitter
Credit institution
Subject matter
Responsibility for comprehensive assessment according to Article 95(2) PSD2
Question

It is not clear, whether comprehensive assessment of the operational and security risks relating to the payment services has to be carried out by the payment service providers (PSP), or it can be delegated / outsourced to a third entity (e.g. external audit firm). In case this is a responsibility of the PSP, it is not clear, whether it has to be carried by the independent internal audit department, or it has to be carried out by the department responsible for the risk function in the PSP.

Background on the question

From the PSD2 Directive is not clear whether PSP has to carry out “Comprehensive assessment of the operational and security risks relating to the payment services“ by itself, or this can be delegated to third party (audit firm, independent valuator / consultancy firm).

In PSD2, there is only responsibility for providing mentioned (and we do not argue with that) - PSP will be responsible for providing this to authorities, but it is not clear, whether the performance of this assessment / report can be outsourced to relevant third party.

We do not have internal capacities to carry out “Comprehensive assessment of the operational and security risks relating to the payment services“, and we are seeking for possibilities to outsource this, but it is not clear, whether we can.

Submission date
Final publishing date
Final answer

The EBA Guidelines on security measures for operational and security risks of payments services under PSD2 (EBA/GL/2017/17) do not list the operational functions that can be outsourced. Instead, they state the following principles to follow when outsourcing: (i) the need to ensure the effectiveness of the security measures set for the referred outsourced operational functions and (ii) the need to ensure that measures and performance targets are built into contracts and service-level agreements with the providers to whom they have outsourced such functions (Guidelines 2.7 and 2.8 of these EBA Guidelines). Furthermore, payment service providers (PSPs) should have regard to the general principles of outsourcing as specified under PSD2 and/or CRD IV (depending on the type of license), in particular, that PSPs retain full responsibility when outsourcing and therefore should comply with all the regulatory requirements.

Accordingly, the risk assessment referred to in Article 95 of PSD2 could be outsourced, provided such outsourcing complies with the afore-mentioned principles and provisions in PSD2 and in the Guidelines.

Finally, it should be noted that outsourcing of the risk assessment should also be done in accordance with the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02). The  Guidelines on outsourcing arrangements are addressed to all PSPs and are in line and should be read in conjunction with the requirements of PSD2 and the Guidelines on security measures for operational and security risks of payments services.

Status
Final Q&A
Answer prepared by
Answer prepared by the EBA.
Note to Q&A

The topic of this Q&A was changed from “Security measures for operational and security risks” to “Strong customer authentication and common and secure communication (incl. access)” on 15.12.2022.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.