In recent years the payment industry has changed beyond recognition. Technological developments such as internet and mobile payments offer consumers real alternatives to the traditional payment landscape. However, such services have found it extremely difficult to break the monopoly that the banks have traditionally held over the industry. The European Union acknowledged this point and introduced the revised Payment Services Directive (‘PSD2’) to increase innovation and improve market access for payment service providers.
The EU has attempted to increase market access to new businesses by opening the EU payment industry to two new payment ancillary services:
- Account Information Service Providers (AISP), an online service to provide consolidated information from a customer’s payment account(s)
- Payment Initiation Service Providers (PISP), a service to initiate a payment order at the request of a customer from one payment account to another
PSD2, implemented in January 2018, acknowledged the increased security risk relating to electronic payments due to the ‘growing technical complexity of electronic payments.’ The directive, therefore, set out rules concerning:
- strict security requirements for electronic payments;
- transparency of conditions and information requirements for payment services;
- the rights and obligations of users and providers of payment services.
The Financial Conduct Authority (‘FCA’) requires all applicants seeking authorisation as a payment service provider to provide a robust suite of IT security policies and procedures alongside a detailed risk assessment. In addition, recent EBA guidance has established that the security measures set out in the EBA guidelines must be audited by an operationally independent individual with ‘expertise in IT Security and Payments’, and that the frequency and focus of such audits should take the corresponding PSP’s IT security risk assessment into account.
Thistle Initiatives can help ease this regulatory burden imposed on firms. The Payment Services team are highly knowledgeable in the regulatory requirements imposed on firms operating in this industry. The team will use its experience to provide a tailored solution to your firm.
Some of the ways in which the team can help your firm include but are not limited to:
FCA applications/re-authorisation: To submit an application to become a Payment Services Provider, an applicant must have the requisite documentation in place. This includes documents such as a regulatory business plan, a suite of compliance policies and procedures, and an IT security risk assessment. Thistle can assist you with template documents and work with you to tailor these to your firm’s specific requirements. Thistle can also carry out a gap analysis on the policies and procedures currently in place and help you action any outstanding points.
Auditing: The team is also experienced in conducting audits on firms operating within the payment industry. These audits can be based on general compliance matters or can be tailored to address any specific areas required, such as IT systems, complaints policies and procedures, and training programmes. In addition, in line with the European Banking Authority’s final report “Guidelines on the security measures for operational and security risks of payment services under Directive (EU) 2016/2366 (PSD2)”, Thistle can conduct a joint audit with an operationally independent individual with ‘expertise in IT Security and Payments’ to meet the regulatory testing framework requirements.
Financial Crime Policy and Procedures: The Payment Services team works closely with the Financial Crime team and is well versed in assisting payment firms in updating their policies and procedures in line with a risk-based approach, as required by the Money Laundering Regulations 2017.
Regulatory Returns: We can help you should you need any assistance with submitting regulatory returns on GABRIEL.