PSD2 (Payment Services Directive) future audit considerations
This guidance is relevant to internal auditors within financial services.
PSD2 (Payment Services Directive 2) entered into force in the EU in January 2018. Impacting any organisation facilitating payments, PSD2 requires a range of controls to be embedded into governance over business processing as well as the supporting technology, to enhance the management and protection of payment transactions.
It recaps the changes that organisations may have been through since 2018 and makes suggestions for audit engagements going forward.
Extracted from a Europa.eu article
The main objectives of the PSD2 are (i) to contribute to a more integrated and efficient European payments market; (ii) to further level the playing field for payment service providers by including new players; (iii) to make payments safer and more secure; and (iv) to enhance protection for European consumers and businesses. In other words, the PSD2 supports innovation and competition in retail payments and enhances the security of payment transactions and the protection of consumer data.
The PSD2 is supplemented by regulatory technical standards on strong customer authentication and common and secure open standards of communication, as well as guidelines on incident reporting and guidelines on security measures for operational and security risks.
Over the past few years, organisations may have implemented a number of changes to comply with PSD2 (depending on types of payment services they provide). Highlighted below are some of the key activities an organisation may have performed:
- Strong Customer Authentication (SCA): Implementing additional authentication checks (eg dynamic linking – see below) for customers making payments, across all customer journeys (eg e-commerce, internet banking etc).
- Dynamic linking: Requires that the authentication code for each transaction is unique and specific to the transaction amount and recipient, and that both amount and recipient are made clear to the payer when authenticating. An example of its use is the unique code you receive to authenticate a credit card payment.
- Application Programming Interfaces (APIs): Implementing externally facing APIs to allow authorised third parties to access data and provide aggregated account information and payment initiation services.
- Customer Consent: Implementing a central customer consent registry to confirm which third party account aggregation or payment initiation service providers customers have signed up to.
- Public Interest: PSD2 requires payment account providers (mostly banks) to give access to trusted third parties to tap into a customer’s financial information, and even initiate payments.
- Payment Fees: Reviewing payment fees across all payment methods to confirm they are in line with PSD2. Specifically, removing any additional fees applied because of a specified payment method which are not allowed under PSD2 (eg surcharges for paying by credit card vs debit card).
- Reg 98 Reporting: Implementing quarterly reporting on security and operational resilience risks over payment services provided to customers, which is also reported to the FCA. This requires an extensive risk assessment framework to support the reporting, which is done under REP018.
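The dynamic linking requirement described above, as an added illustration (not code from the original guidance): the authentication code is derived from a device-bound key over the transaction id, amount and payee, so any later change to amount or payee causes verification to fail, and each transaction yields a different code. The key, payee identifiers and amounts are constructed sample values; a real deployment keeps the key in the payer's registered device or an HSM.

```python
"""Illustration of PSD2 dynamic linking (RTS on SCA): the authentication
code must be unique per transaction and bound to amount and payee.
Added example; keys, payees and amounts are constructed sample values."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    transaction_id: str  # unique per transaction, so codes never repeat
    amount_minor: int    # amount in minor units (pence) to avoid float drift
    currency: str
    payee: str           # recipient identifier, exactly as shown to the payer


def payer_display(p: Payment) -> str:
    """Text shown to the payer before authenticating: amount and payee visible."""
    return f"Pay {p.amount_minor / 100:.2f} {p.currency} to {p.payee}"


def authentication_code(device_key: bytes, p: Payment) -> str:
    """Code bound to amount and payee. Fields are length-prefixed so that the
    boundary between amount and payee cannot be shifted without detection."""
    fields = [p.transaction_id, str(p.amount_minor), p.currency, p.payee]
    msg = b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def verify(device_key: bytes, p: Payment, presented_code: str) -> bool:
    """Server-side check: recompute over the payment as actually executed and
    compare in constant time. A changed amount or payee fails here."""
    return hmac.compare_digest(authentication_code(device_key, p), presented_code)


def demo() -> dict:
    """Constructed scenario: one authenticated payment, then tampered copies."""
    key = secrets.token_bytes(32)  # sample device-bound key
    p = Payment("txn-0001", 12550, "GBP", "GB00TEST00000000000001")
    code = authentication_code(key, p)
    amount_changed = Payment(p.transaction_id, 99999, p.currency, p.payee)
    payee_changed = Payment(p.transaction_id, p.amount_minor, p.currency,
                            "GB00TEST00000000000002")
    next_txn = Payment("txn-0002", p.amount_minor, p.currency, p.payee)
    return {
        "display": payer_display(p),
        "original_ok": verify(key, p, code),
        "amount_changed_ok": verify(key, amount_changed, code),
        "payee_changed_ok": verify(key, payee_changed, code),
        "code_unique_per_txn": authentication_code(key, next_txn) != code,
    }
```

An auditor testing a live SCA solution would look for the same three properties: the code validates only for the amount and payee the payer saw, and it is never reused across transactions.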
Impact of PSD2 on Internal Audit
Whilst organisations have been implementing changes to comply with PSD2, internal audit functions may have played a key role in supporting the safe, secure and sustainable delivery of PSD2 compliant solutions. Audit coverage over the past few years may have been focussed on the below approaches:
- Change Activities: Audits over the implementation of PSD2 compliant solutions (such as SCA etc). The majority of PSD2 changes should now have been delivered, so internal audit would focus on auditing the ongoing operation of PSD2 controls.
- PSD2 Required Audits: There are some audit requirements stated within the Regulatory Technical Standards for SCA. Specifically, (i) regular audit of SCA measures and (ii) audit of the methodology, model and reported fraud rates to which payment service providers are subject if they apply an exemption (based on transaction risk analysis in real time).
- Input into Reg 98 Reporting: As part of an organisation’s quarterly reporting on security and operational resilience risks over payment services, there is a requirement to include applicable internal audits performed in the same period, as well as any findings and management actions raised. The impact of this requirement shouldn’t be underestimated and should include the risk assessment framework supporting the reporting.
- identifying the correct payment flows in scope for SCA.
- identifying and making provision for SCA or fraud liability in a multi-party/vendor payment chain.
- identifying the correct legal entities and applicable data for TRA and fraud calculations.
- dynamically linking the authentication code to the amount of the payment and the payee.
- failure to inform the payer of the amount of payment and payee before they confirm payment.
- error messages which inform the customer of which element of the authentication has failed.
- the use of an email address to satisfy the possession element when that address is not linked to a device.
- challenges with monitoring fraud rates when using the exemptions available from SCA implementation.
Considerations for future Internal Audit work on PSD2
As PSD2 has become embedded, audit activity has shifted from reviewing change programmes to the ‘business as usual’ environment. In addition to the mandatory annual audits required by the regulation, chief audit executives may wish to consider the below areas to audit as part of a risk-based plan. Further, the following key risks may also be in scope of the audits: Cyber, Operational Resilience, Data, Change, Regulatory, Fraud and Strategy.
- Cyclical coverage: Regular coverage of solutions implemented to achieve PSD2 compliance. Audits should be assessing whether ongoing compliance is maintained. Further, Internal Audit teams should be considering requirements on SCA and contribution to Reg 98 reporting.
- Strategy: Auditing the organisation’s payment strategy. PSD2, as well as Open Banking in the UK, has opened up data held by traditional banks, creating lower barriers to entry. There has been a significant increase in new entrants providing account aggregation and payment initiation services, creating new value propositions for customers. It is important that organisations have fully considered the opportunities provided by PSD2 and the role it will play in the future broader payments ecosystem.
- Customer Experience: Whilst solutions may be implemented to deliver PSD2 compliance, audits should be considering the customer impact of these changes. For example, are payment services with SCA frictionless or do they require significant customer effort to provide the additional authentication? Solutions with a poor customer experience may drive payment activity to less secure methods. This becomes increasingly important once Consumer Duty regulations come into force.
- Fraud Detection and Prevention: Reviewing fraud detection and prevention solutions to confirm these have been updated to perform fraud checking over PSD2 processes (integration of SCA information, risk indicators around payments initiated through external channels etc).
- Future Proofing: Have strategic PSD2 compliant solutions been implemented, and are they future proofed and able to accommodate future customer growth?
- Equivalence: Is the same level of resilience applied to your API channel (used by third party providers) versus your own customer internet banking channel?
- Security: Reviewing security controls over the end to end processes implemented for PSD2 (such as SCA, APIs etc).
- Data: Reviewing data management controls over key PSD2 data, such as customer consent and additional security information (eg accuracy of the mobile phone numbers used for one time passcodes).
As with any large regulatory and infrastructural change, the cost of compliance can be high. The mandatory requirements are an additional factor to already costly operational considerations, and resources or specific technologies may be required to monitor controls on an ongoing basis. This brings an extra element of operational and IT risk to the equation, meaning that firms will have to do a thorough overview of their systems and business operations to integrate PSD2 effectively into their organisation.
The organisation needs to maximise the potential for growth by embracing the changes. Notably, there are now more opportunities to increase market share by leveraging payment initiation and account information aggregation. By getting it right the first time, firms can improve their customer assurance and get ahead on developing progressive systems to embrace payment services.
PSD2 has materially changed the payments ecosystem, introducing new risks and opportunities which organisations need help in navigating safely. Internal audit has played, and will continue to play, a key role in supporting organisations to comply with PSD2 and safely exploit its opportunities, providing valuable assurance to internal and external stakeholders.
FCA: Handbook
Content reviewed: 16 August 2023