List of Q&As

Responsibility for comprehensive assessment according to Article 95(2) PSD2

It is not clear whether the comprehensive assessment of the operational and security risks relating to the payment services has to be carried out by the payment service providers (PSP), or whether it can be delegated / outsourced to a third entity (e.g. external audit firm). In case this is a responsibility of the PSP, it is not clear whether it has to be carried out by the independent internal audit department, or by the department responsible for the risk function in the PSP.

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2019/04 – Guidelines on ICT and security risk management - repealing EBA/GL/2017/17

ID: 2018_4231 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 06/09/2018 | Date of publication: 19/07/2019

Does transaction monitoring need to be real time?

Article 2(1) of the RTS stipulates that "payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorised or fraudulent payment transactions…" and Article 2(2) explains the minimum requirements. However, Article 2 does not specify timing aspects of the transaction monitoring. Is it correct to conclude that the transaction monitoring described in Article 2 does not need to be real time?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4090 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 10/07/2018 | Date of publication: 05/10/2018