Should all audit reports required under Article 3 of the RTS on strong customer authentication and secure communication be monitored by the competent national authorities?
And what are the consequences if the audit report addressing the audit (referred to in Article 3, paragraph 1 of the RTS) shows significant findings?
In Article 3, paragraph 3, it is mentioned that "The entire report shall be made available to competent authorities upon their request". This does not directly state that each report will be monitored by the competent authorities. It is not clear what the rationale behind this is (why would some reports not be requested and monitored by the competent authorities?).
As stated in Article 3 of the Commission Delegated Regulation (EU) 2018/389, the audit “report shall be made available to competent authorities upon their request”. Competent authorities will therefore establish whether or not they wish to request such a report. In addition, whether or not the competent authority is involved, and similar to any type of audit report, every payment service provider is expected to act on significant findings and weaknesses identified to ensure those are adequately addressed. The payment service provider may also wish to proactively inform the competent authority.