PSD2 reporting requirements: Banks’ to-do list
Did you know that the scope of the changes introduced by PSD2 actually goes far beyond introducing APIs and forcing banks to provide third party providers (TPPs) with access to their customers’ accounts? Indeed, much has been written about the introduction and regulation, enforced by PSD2, of new payment service providers. This paradigm shift has sometimes overshadowed other key principles introduced by the Second Directive on Payments, such as new rules around the European payment market (one-leg operations, retrospective value date, floating day), protection for consumers (transparency, information obligation) and, more specifically, reporting requirements.
This is why banks (Account servicing payment providers – ASPSP) should carefully analyse their reporting obligations under PSD2, applicable since July 20th, 2018 (date of the transposition of the Directive into Luxembourg law), and anticipate their implementation. Without being exhaustive, we have highlighted some important reporting aspects and tried to give some quick tips to help you get ready:
To prepare for the full implementation of the security measures for operational and security risk reporting (RTS on SCA & EBA/GL/2017/17), ASPSPs should proactively define a risk management framework, including a security policy document. Besides, defining the required procedures and systems to identify, measure, monitor and manage the range of risks stemming from the payment-related activities of the PSP and to which the PSP is exposed (including business continuity arrangements) is part of the process leading to an accurate security risk reporting framework and setup. Finally, ASPSPs should not forget to ensure the effectiveness of the security measures set out in the RTS guidelines when operational functions of payment services, including IT systems, are outsourced.
Major incident reporting (EBA/GL/2017/10) also has to be handled by ASPSPs under PSD2. In order to meet PSD2 requirements, ASPSPs should proactively set up a process to classify incidents based on impact level criteria, define an incident notification process (including initial, intermediate and final reports) and review their internal operational and security policy.
Last but not least, fraud reporting (EBA/GL/2018/05) represents one major pillar of the reporting requirements under PSD2. From that perspective, banks need to set up processes and tools that enable them to monitor unauthorised payment transactions, including those processed as a result of the loss, theft or misappropriation of sensitive payment data or of a payment instrument, and to report unauthorised payment transactions to the regulator (including statistical information per payment channel and authentication method).
In light of the PSD2 requirements, and if not done yet, ASPSPs should ask themselves the right questions: am I able to manage this internally, knowing that IT, risk management and compliance teams would have to work in close collaboration? Or do I prefer to rely on a consultancy firm to assist with change and reporting management?
As a FinTech player, Finologee provides a PSD2 Compliance product and platform enabling any financial institution holding payment accounts to meet the PSD2 technical requirements quickly and easily. PSD2 Compliance for Banks, its processes and flows have been designed and developed to match PSD2, the RTS and the related provisions and obligations. Finologee’s product encompasses the security layer and the access-to-account rules, relying on and fully compliant with the EBA guidelines and the PSD2 directive (based on audit trails and statistics on TPP access).
Finologee has set up partnerships with consultancy firms to provide high-quality and fully customisable regulatory reporting services tailored to its clients’ particular setups and requirements. PSD2 reporting requirements are indeed multi-dimensional and multi-context, and need to tap into various sources and channels. Thus, adequate aggregation and customisation become a requirement. Both Finologee’s product and its project management plans take this specific need into account.