On 28 November 2019, the European Banking Authority (EBA) published its final guidelines on ICT and security risk management (the Guidelines).

The Guidelines are addressed to financial institutions, which for these purposes are: payment services providers (PSPs) as defined in Article 4(11) of the revised Payment Services Directive (PSD2) and credit institutions and investment firms subject to the Capital Requirements Regulation. The Guidelines also apply to Member State competent authorities.

The Guidelines set out expectations on how all financial institutions should manage internal and external information and communication technology (ICT) and security risks that they are exposed to. The Guidelines also provide financial institutions with a better understanding of supervisory expectations for the management of the aforementioned risks, covering sound internal governance, information security requirements, ICT operations, project and change management and business continuity management.

In addition, the guidelines cover the management of PSPs’ relationship with payment service users to ensure that users are made aware of the security risks linked to the payment services, and are provided with the tools to disable specific payment functionalities and monitor payment transactions.

The Guidelines build on the provisions of Article 74 of the Capital Requirements Directive IV that mandate the EBA to further harmonise financial institutions’ governance arrangements, processes and mechanisms across the EU regarding internal governance, and derive from the mandate to issue guidelines in Article 95(3) of the PSD2 with regard to the establishment, implementation and monitoring of security measures for operational and security risks. The guidelines also respond to the European Commission’s FinTech Action plan request for the EBA to develop guidelines on ICT risk management and mitigation requirements in the EU financial sector.

The Guidelines will enter into force on 30 June 2020. The guidelines on security measures for operational and security risks under PSD2 issued in 2017 have been fully integrated into the Guidelines and will be repealed once the Guidelines become applicable.