Neopay Practical Guides #2 PSD2 (Should I be worried?)

Overview
- PSD2 seeks principally to build on the practices and regulation set out in PSD1 and the two Electronic Money Directives
- Further, PSD2 addresses some of the conflicts between the Electronic Money Directives and the original PSD1
- Adopted by the EU on 25 November 2015
- To be transposed into national law by all member states by 13 January 2018
- Transitional arrangements to be announced within the next few months

Key impacts on existing firms: Draft transitioning requirements
- Existing firms will need to transition their existing authorisation to the new PSD2 regime. This is not a full application, but rather an assessment of how the firm is positioned to deal with the new requirements
- Consultation is still not completed (indeed a number of States have yet to issue any guidance, draft or otherwise), so this must be considered draft information potentially subject to change
- It should also be noted that all firms will be given sufficient time to meet the new requirements, implement the changes and submit them for approval

Key impacts on existing firms: Draft transitioning requirements
Key requirements include:
- Procedures for incident reporting
- Processes to file, monitor, track and restrict access to sensitive payment data
- Description of the principles and definitions firms apply to collecting statistical data on performance, transactions and fraud
- Arrangements for business continuity and the testing of these procedures
- Security policy document
- Descriptions of checks on Agents and Branches
- Details of Professional Indemnity Insurances held

Key impacts on existing firms: Draft transitioning requirements
Procedures for incident reporting
- Procedures to meet the requirements to monitor, handle and follow up on security incidents and security-related customer complaints.
- The procedures for the reporting of incidents, including the communication of these reports to internal or external bodies.

Key impacts on existing firms: Draft transitioning requirements
Processes to file, monitor, track and restrict access to sensitive payment data
- lists of the data classified as sensitive payment data
- procedures in place to authorise access to the sensitive payment data
- description of the monitoring tool
- access right policy
- how the collected data is registered

Key impacts on existing firms: Draft transitioning requirements
Processes to file, monitor, track and restrict access to sensitive payment data (continued)
- expected internal and/or external use of the collected data
- IT system and technical security measures
- identification of the individuals with access to the sensitive payment data
- explanation of how breaches will be detected and addressed
- annual internal control program in relation to the safety of the IT systems

Key impacts on existing firms: Draft transitioning requirements
Principles and definitions they apply for collecting statistical data on performance, transactions and fraud
- type of data that is collected, in relation to customers, type of payment service, channel, instrument, jurisdictions and currencies
- scope of the collection
- means of collection
- purpose of collection
- frequency of collection
- service level agreements with outsourcing partner(s)
- organisational measures and tools for the prevention of fraud
- reporting lines in case of fraud

Key impacts on existing firms: Draft transitioning requirements
Arrangements for business continuity and the procedure for testing and reviewing these plans
- a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives, and protected assets;
- identification of the back-up site, access to IT infrastructure, and its key software and data to recover from a disaster or disruption;
- explanation of how the applicant will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; inaccessibility of premises; and loss of key persons;
- frequency with which the applicant intends to test the Business Continuity and Disaster Recovery Plans, including how the results of the testing will be recorded; and
- description of the mitigation measures to be adopted by the applicant, in case of termination of its payment services, to avoid adverse effects on payment systems and on payment services users, ensuring execution of pending payment transactions and termination of existing contracts.

Key impacts on existing firms: Draft transitioning requirements
A security policy document
This will include a detailed risk assessment and mitigation measures to adequately protect payment service users against identified risks, including fraud and illegal use of sensitive and personal data. The security policy document should contain the following information:
- a detailed risk assessment of the payment service(s) the applicant intends to provide, which should include risks of fraud and the security control and mitigation measures taken to adequately protect payment service users against the risks identified
- a description of the IT systems
- an exhaustive list of authorised connections from outside with partners, service providers, entities of the group and employees of the applicant working remotely, specifying the control the applicant will have over these accesses as well as the nature and frequency of each control
- the logical security measures and mechanisms that govern the internal access to IT systems

Key impacts on existing firms: Draft transitioning requirements
A security policy document (continued)
- the physical security measures and mechanisms of the premises
- security of the payment processes, which should include:
  i. the customer authentication procedure;
  ii. integrity of authentication factors such as hardware tokens and mobile application;
  iii. a description of the systems and procedures that the applicant has in place for transaction analysis and identification of suspicious or unusual transactions.
- a detailed risk assessment in relation to its payment services, including fraud
- a list of the main written procedures in relation to the applicant's IT systems

Key impacts on existing firms: Draft transitioning requirements
Description of checks on agents and branches
- a mapping of the off-site and on-site checks that the applicant intends to perform at least annually on branches and agents, and their frequency
- the IT systems, processes and infrastructure which are used by the applicant's agents to perform activities on behalf of the applicant;
- the main characteristics and key points of the mandate agreement containing the full terms of the mandate, selection policy, monitoring procedures and agents' training.

Key impacts on existing firms: Draft transitioning requirements
Professional indemnity insurance held
The applicant for the provision of payment initiation services or account information services should provide the following information:
- an insurance contract or other equivalent document confirming the existence of the professional indemnity insurance or comparable guarantee
- a record of how the applicant has calculated the minimum amount
The European Banking Authority is also developing guidelines for competent authorities, e.g. EU regulators, on the exact information required for authorisation and registration. More information on the EBA's approach can be found on the EBA website.

Key impacts on existing firms: So should I be worried? What should I do now?

Questions?

Craig James, Chief Executive Officer
Neopay Ltd
W: www.neopay.co.uk
E: craigjames@neopay.co.uk
T: +44(0)207 404 4744
D: +44(0)7515 419 009

Neopay US
W: www.neopay.us
E: info@neopay.us
T: +1-424-284-4068
F: +1-424-284-4001

www.neopay.co.uk | info@neopay.co.uk
© Neopay Ltd 2016