Responsibility for comprehensive assessment according to Article 95(2) PSD2
It is not clear whether the comprehensive assessment of the operational and security risks relating to the payment services has to be carried out by the payment service provider (PSP), or whether it can be delegated / outsourced to a third entity (e.g. an external audit firm). If this is the responsibility of the PSP, it is not clear whether it has to be carried out by the independent internal audit department or by the department responsible for the risk function in the PSP.
Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2019/04 – Guidelines on ICT and security risk management - repealing EBA/GL/2017/17
ID: 2018_4231
Topic: Strong customer authentication and common and secure communication (incl. access)
Date of submission: 06/09/2018
Date of publication: 19/07/2019