Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article 3 Review of the security measures
Disclose name of institution / entity:
Type of submitter:
Accounting firm
Subject Matter:
Review of the security measures: Audit report

Should the Audit for the implementation of the security measures be incorporated into an existing ISAE3402 report or COS3000 report or should a separate report be used?

If a separate report should be used: Are there any templates available for reporting?

Also, how detailed should the report be? Finally, should both design and operating effectiveness be tested of the requirements stated in the RTS articles?

Background on the question:

Audit firms want to know when an audit report is of the adequate audit standard and has sufficient detailed information in order to be assessed by the national authority.

Based on the sentence: "This audit shall present an evaluation and report on the compliance of the payment service provider’s security measures with the requirements set out in this Regulation" it may suffice to state in the report that compliance is met or not. However, it would appear to be desirable that the report contains detailed information on compliancy per article of the RTS in case the specific article applies to the payment service provider that is being audited. And in case not each requirement is met, that the auditor assesses the risk of fraud or other unauthorized activities (such as data leakage or destruction).

Date of submission:
Published as Final Q&A:
Final Answer:

Article 3(3) of the Commission Delegated Regulation (EU) 2018/389 states that the “audit shall present an evaluation and report on the compliance of the payment service provider's security measures with the requirements set out in this Regulation”. This Regulation does not specify the format of the audit or the format or length of the audit report. If the payment service provider would like this audit to be conducted together with other audits on security measures, such an option is not excluded by the Regulation, provided that the auditors have “expertise in IT security and payments and be operationally independent within or from the payment service provider” and that they are conducted with the same frequency as foreseen in Article 3(2) of this Regulation. While the report may form part of a wider report, it should be extractable and isolated from the rest of any such report given the requirement in Article 3(3) for the report to be available to competent authorities upon request.

Final Q&A
Answer prepared by:
Answer prepared by the EBA.