Article

PSD2 – Are your reporting processes in place?

Paul Olukoya Paul Olukoya

Under the second Payment Services Directive (PSD2), multiple technical standards came into force on 14 September - and it’s been a tough journey for the sector.

Not only was the regulation broad in scope but it brought significant technical challenges, leading to a Financial Conduct Authority (FCA) extension for strong customer authentication (SCA) elements.

As the sector catches up with the regulation, it’s time to turn our attention to the mandatory reporting requirements, which have been largely overlooked in the rush to achieve compliance. Firms should make sure the necessary reporting requirements are in place and that the data will be available in the appropriate format.

Recapping the requirements

The key reporting requirements are as follows (note the list is not exhaustive):

  • Fraud reporting: Depending on the type of institution, firms must submit a fraud report either once or twice a year. This includes coverage of the regulatory technical standards, and common and open standards of communication. SCA is included in the reporting requirements but firms under the extension are exempt from this element in the first wave. Broadly speaking, the report should include information on:
    • credit transfers, direct debits, cash withdrawals, e-money and remittance
    • volume and value of transactions
    • geographical location.

The report requires a specific reporting template REP017, which should be completed and uploaded via the FCA's online reporting platform, Gabriel.

  • Security measures: As part of the new UK Payment Services Regulations 2017, the FCA has mandated that all payment service providers should complete and submit an annual assessment of their operational/security risks, mitigation and control mechanisms related to payment services. This must include an audit of the IT security measures by independent auditors. Our payments security subject matter experts can support you in completing the required risk assessments and independent security audits
  • Availability and reporting of dedicated interfaces (REP020): Account Servicing Payment Service Providers (ASPSPs) providing a dedicated API must make this return on a quarterly basis, via Gabriel. Giving details of the availability and performance of the API, it should continue to reflect the conditions required for the exemption to the fallback under SCA requirements. This information should also be available on the ASPSP’s website.
  • Problems with an API: If there is a problem with an API, market participants (ASPSPs, AISPs, PISPs and CBPIIs) must promptly notify the FCA via Connect. This should include details of the issue – such as non-compliance with SCA standards or temporary unavailability and dates and times.

Addressing the challenges

As with any reporting, the key challenge is accurate and insightful data. Firms must establish effective processes to collect and analyse this data, in an appropriate format for reporting. Effective governance processes can make sure the reporting data is used to support ongoing improvement processes and quality assurance in the long term.

For further information on reporting and notification processes under PSD2, please contact us.

Article
PSD2 - understanding eIDAS and TPPs directory services Find out more
Article PSD2 – getting to the bottom of ‘wide usage’ Find out more