On 12 December 2017 the European Banking Authority published final Guidelines(link is external) on security measures for operational and security risks of payments services under the revised Payment Services Directive ('the Guidelines').
All payment service providers (PSPs) will be expected to comply with the Guidelines from 13 January 2018 in addition to the requirements set out in Regulation 98 (Management of operational and security risks) of the Payment Services Regulations 2017. This includes firms undertaking account information and payment initiation services.
The Financial Conduct Authority will comply with these Guidelines. We will consult on our approach to applying these Guidelines and our expectations on PSPs’ future reporting requirements in 2018. Businesses wishing to apply for authorisation or registration (and PSPs re-applying) should bear in mind that applications must contain a statement of the applicant’s security policy, including a description of the applicant’s measures to comply with Regulation 98(1), taking into account the Guidelines.