The payments sector has been subject to a number of regulatory changes over the last year and you need to keep up with these new compliance and reporting requirements.
Your business needs to stay on top of new developments and embed appropriate frameworks to meet regulatory expectations.
Propelled by innovation and advances in technology, the payments sector continues to grow rapidly and consumer expectations are higher than ever. Over the last two years regulatory and industry bodies introduced a raft of new mandatory requirements, some of which bring previously unregulated firms into scope. If this affects you, you will need to be compliant.
So, what’s changed? We’ve put together a quick cheat sheet below:
FCA Annual payments submission (REP018)
Under the UK Payment Services Regulations 2017, all payment service providers must submit an annual assessment of their operational and security risks and the associated mitigating controls. The report must contain an independent audit of all relevant IT security measures.
You must have an effective risk assessment methodology in place to identify potential issues on an ongoing basis, and implement appropriate controls to mitigate them. These should remain up to date as part of your internal audit plans, with an effective mechanism for reporting.
SWIFT has developed a set of 27 mandatory controls [ 143 kb ] to mitigate operational and security risks. They include securing the payments environment, limiting access and responding to incidents. Subject to annual attestations, SWIFT will report incidents of non-compliance to the appropriate regulator and you must maintain an effective compliance framework in line with SWIFT’s mandatory controls, viewing advisory controls as best practice.
You should also consider the security of interfacing applications, messaging and transaction processing chains, underlying infrastructure and the effectiveness of operational controls. With high profile security breaches in the past, it is important to stay up to date with SWIFT software releases and maintain good patch management practices to prevent malware.
PSD2 and Open Banking
The UK’s Financial Conduct Authority and the European Banking Association (EBA) have identified payments as a key market growth sector. In response to this, the Payment Services Regulations 2017 (UK), Open Banking (UK) requirements and Payment Services Directive (PSD2) (EU) were introduced. These regulations include compulsory operational, technology and security requirements for all banks and payment institutions. The regulations state that you must implement technologies and strong customer authentication to allow users access their accounts via regulated third party providers (TPPs). This access should allow initiation of payments, account information and confirmation of available funds.
In addition to implementing the required technology, regulatory reporting and business continuity changes, you'll nee to maintain a strong compliance framework to meet regulatory expectation. You may require specialist payments and regulatory support to maximise the opportunities they offer. But they also bring challenges around third party management, meeting General Data Protection Regulation (GDPR) and maintaining infrastructure to keep up with innovation.
All firms who are members of UK’s local payment schemes - such as Faster Payments, CHAPS, CASS, BACS or Cheques & Clearing – must submit annual attestations of compliance with IT controls.
You must determine a clear scope for any attestations and to check that evidence feeding into it is reliable. Programmes of work must demonstrate clear timeframes and verifiable outcomes. Internal audit must review and countersign all attestations.
All entities storing, processing or transmitting cardholder data and must comply with the Payment Card Industry Data Security Standard (PCI DSS). The Cardholder Data Environment (CDE) must be a segregated infrastructure with embedded security controls to protect sensitive data. The schemes retain the right to fine firms for data breaches or non-compliance.
The key challenge around PCI DSS is the technical complexity of the regulation. You must retain the right skillsets to ensure technical compliance, maintain a secure IT environment and prevent data breaches.
Anti-Money Laundering (AML), Customer and Payments Screening
Payments organisations must comply with global regulations to prevent financial crime. You must have appropriate policies, procedures and know your client processes in place, with the necessary training and technical controls to screen suspicious activities, including routing and filtering technologies and case management systems. You must be compliant with key regulations such as the Criminal Finances Act 2017, 5th Anti-Money Laundering Directive and the Counter Terrorist Financing Act, with demonstrable processes to support compliance.
So what do you need to watch out for?
The regulatory framework is complex and the cost of compliance is high. Mandatory independent assurance and attestation requirements are an additional operational cost, and skilled resource (and specialist technology) may be needed to monitor the associated controls on a long term basis. Elements such as these must be factored into the risk profile, as additional IT and operational risk and mitigated accordingly.
There are plenty of opportunities for growth
One of the most important elements across payments regulations is that customer data is protected. New controls around payments monitoring and Strong Customer Authentication (SCA) aim to reduce fraud and maintain consumer confidence in the sector, but will bring further compliance requirements.
These regulations also bring opportunities to develop new service offerings and to make the most of an industry which is developing in all directions. Early adopters will have opportunities to branch out and develop a good market share.
What should you do now?
Compliance is paramount and there’s a lot going on in this space. It is important to fully understand these regulations – and how they interact with each other. You should undertake a controls mapping exercise against each piece of regulation to check for any gaps or duplication of efforts.
Once this is in place, you should design a target operating model to embed the necessary controls in line with industry best practice. Technology develops quickly and today’s best practice is tomorrow’s regulation. It’s important to continually horizon scan and check for potential new developments, adopting best practice from an early stage may help future proof your business and help you grow your market share.
For further information on how we can help, please contact Paul Olukoya.