The revised Payment Services Directive (PSD2) entered into force in the EU on 12 January 2016 and will apply as of 13 January 2018. The PSD2 confers 11 mandates on the European Banking Authority (EBA), one of which relates to the development, in close cooperation with the European Central Bank (ECB), of guidelines on the security measures for operational and security risks of payment services (the Guidelines) (Article 95 of PSD2).

The EBA has now issued a consultation paper on the Guidelines. In particular, the EBA proposes that the Guidelines cover the governance of the operational and security risk management framework, the risk management and control models, outsourcing, the identification, classification and risk assessment of functions, processes and assets, as well as the protection of the integrity of data, systems and confidentiality, physical security and asset control.

The Guidelines also cover:

• monitoring, detection and reporting of security incidents;
• business continuity management, scenario-based continuity plans including their testing, incident management and crisis communication;
• the testing of security measures;
• situation awareness and continuous learning; and
• the management of the relationship with payment service users.

The deadline for comments on the consultation paper is 7 August 2017. A public hearing will be held on 20 June 2017 at the EBA’s premises. The Guidelines will apply from 13 January 2018.

The Guidelines are one of three security related mandates conferred on the EBA in PSD2, and that the EBA has developed in cooperation with the ECB. They complement the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication that were submitted to the European Commission for adoption on 23 February 2017, and the Guidelines on Major Incidents Reporting for which public consultation finished on 7 March 2016.

View EBA consults on PSD2 guidelines on security measures for operational and security risks, 5 May 2017