14 June 2024
Independent reviews to protect e-money and payment services
As a payment service provider, you may be required to complete annual self-certification assessments to ensure that the standards you operate under satisfy both regulatory and industry requirements. These assessments aim to strengthen the security, integrity and resilience of the technology infrastructure supporting payment services. This is done to protect consumers, ensure smooth and timely operations and preserve market and consumer confidence.
A more robust control framework lets your payment systems and services comply with regulatory and industry good practice, providing a stronger defence against cyber-attack and fraud. It also gives you the confidence to expand your consumer services and transaction volumes, improving your commercial position and helping the UK payments and e-commerce sector maintain its pre-eminence as consumers adopt new patterns of digital and online commerce.
E-commerce activity and digital payments are key drivers of the UK economy. Therefore, it is vital for industry, regulators and professional services to work closely together to maintain the security, resilience and integrity of payment infrastructures while protecting consumer interests and funds.
We provide assurance that your controls around payments systems and services, as well as your self-certification attestations, adhere to industry and regulatory requirements. This demonstrates that you are offering secure and resilient services to consumers.
The UK is a world leader in the innovation and implementation of open banking and in the provision of digital banking and payment services. This is driven by established banking institutions and complemented by fintech firms that are increasing consumer choice and changing how individuals manage and spend their money.
We can help you with
PSD2/PSD3 and open banking implementation
- Development and implementation of APIs (production and sandbox).
- Availability and resilience of APIs.
Transaction monitoring, Transaction Risk Analysis (TRA) and Strong Customer Authentication (SCA)
- Review of TRA methodology.
- Review of the design and implementation of transaction monitoring mechanisms.
- Review of the design and implementation of SCA (the technologies and controls implemented for each payment channel, such as online banking, mobile banking and cards).
SCA exemptions and TRA
- Review of the processes used to identify and apply exemptions from SCA, including the TRA exemption.
- TRA: design, approval, implementation and monitoring.
Fraud rate calculations
- Review methodologies to calculate the fraud rates for different payment channels.
- Review documentation of methodology to calculate fraud rates.
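As an added worked example (not material from the original page, and not code from the firm or from any payment scheme), the Python below computes a PSP's rolling quarterly fraud rate for each remote payment type as defined in Article 19 of the SCA RTS (Commission Delegated Regulation (EU) 2018/389), maps it to the exemption threshold values (ETVs) in the Annex to the RTS, applies the Article 18 per-transaction check and the Article 20 two-consecutive-quarters cessation rule. The reference rates are the EU figures in EUR; the transaction sample, the function names and the payment type labels are assumptions made for illustration, and a UK PSP should check the onshored UK SCA-RTS for the currency and amounts that apply to it.

```python
"""Worked example added to this page (not the firm's or any scheme's code).

Computes a PSP's rolling 90-day fraud rate per remote payment type and the
highest TRA exemption threshold value (ETV) that rate supports, then applies
the two-consecutive-quarters cessation rule.

Sources: SCA RTS (Commission Delegated Regulation (EU) 2018/389), Article 19(1)
for the fraud-rate formula, the Annex for the reference rates, Article 18 for
the per-transaction check, Article 20(2) for cessation. Amounts are EUR as in
the EU text; the UK onshored SCA-RTS should be checked for UK figures.
The transaction sample is constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Annex to the RTS: reference fraud rate (percent) per ETV (EUR).
REFERENCE_FRAUD_RATES = {
    "card": {100: 0.13, 250: 0.06, 500: 0.01},
    "credit_transfer": {100: 0.015, 250: 0.01, 500: 0.005},
}


@dataclass(frozen=True)
class RemoteTransaction:
    when: date
    payment_type: str   # "card" or "credit_transfer" (labels assumed here)
    amount: float       # EUR
    fraudulent: bool    # unauthorised or fraudulent, recovered or not


def fraud_rate(transactions, payment_type, as_of, window_days=90):
    """Article 19(1): fraud rate in percent, by value not count, over a rolling
    quarter ending at as_of. Every remote transaction of the type counts in the
    denominator, whether it was SCA-authenticated or exempted."""
    start = as_of - timedelta(days=window_days)
    window = [t for t in transactions
              if t.payment_type == payment_type and start < t.when <= as_of]
    total_value = sum(t.amount for t in window)
    if total_value == 0:
        return None  # no activity in the window: no rate, so no exemption
    fraud_value = sum(t.amount for t in window if t.fraudulent)
    return 100.0 * fraud_value / total_value


def max_tra_threshold(rate_percent, payment_type):
    """Highest ETV whose Annex reference rate the observed rate does not exceed;
    0 means the PSP may not use the TRA exemption for this type at all."""
    if rate_percent is None:
        return 0
    bands = REFERENCE_FRAUD_RATES[payment_type]
    return max((etv for etv, ref in bands.items() if rate_percent <= ref), default=0)


def tra_exemption_allowed(amount, rate_percent, payment_type):
    """Article 18: a transaction may be exempted only if its amount does not
    exceed the ETV the PSP currently qualifies for."""
    return amount <= max_tra_threshold(rate_percent, payment_type)


def must_cease_exemption(quarterly_rates, payment_type, etv):
    """Article 20(2): exceeding the reference rate for an ETV in two consecutive
    quarters means the exemption must cease for that ETV. Rates are ordered
    oldest to newest."""
    ref = REFERENCE_FRAUD_RATES[payment_type][etv]
    last_two = quarterly_rates[-2:]
    return len(last_two) == 2 and all(r > ref for r in last_two)


# Constructed sample: card volume 1,000,000 EUR with 500 EUR fraud (0.05 %),
# credit transfers 2,000,000 EUR with 240 EUR fraud (0.012 %), plus one old
# card fraud outside the 90-day window that must not be counted.
SAMPLE_AS_OF = date(2024, 6, 14)
SAMPLE_TRANSACTIONS = (
    [RemoteTransaction(date(2024, 4, 1) + timedelta(days=i), "card", 99_950.0, False)
     for i in range(10)]
    + [RemoteTransaction(date(2024, 5, 20), "card", 500.0, True)]
    + [RemoteTransaction(date(2024, 4, 15) + timedelta(days=7 * i),
                         "credit_transfer", 499_940.0, False) for i in range(4)]
    + [RemoteTransaction(date(2024, 6, 1), "credit_transfer", 240.0, True)]
    + [RemoteTransaction(date(2023, 11, 1), "card", 50_000.0, True)]  # outside window
)


def assess_tra(transactions=SAMPLE_TRANSACTIONS, as_of=SAMPLE_AS_OF):
    """Per payment type: the observed rate and the ETV it supports."""
    result = {}
    for payment_type in REFERENCE_FRAUD_RATES:
        rate = fraud_rate(transactions, payment_type, as_of)
        result[payment_type] = {"fraud_rate_pct": rate,
                                "max_etv": max_tra_threshold(rate, payment_type)}
    return result


if __name__ == "__main__":
    for ptype, r in assess_tra().items():
        print(f"{ptype}: fraud rate {r['fraud_rate_pct']:.3f} % -> TRA ETV up to EUR {r['max_etv']}")
```

The two things a reviewer checks first are visible in the code: the denominator includes exempted transactions as well as SCA-authenticated ones, and the window is a rolling quarter, so a fraud outside it (the 2023 transaction in the sample) must not inflate the rate. With the sample data the card rate of 0.05 % supports the EUR 250 ETV but not EUR 500, and the credit transfer rate of 0.012 % supports only EUR 100.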
FCA regulatory reporting (REP018)
- Assurance over the operational and security risk self-assessment.
Case studies
- UK private and commercial bank
- UK building society
- Electronic money institution
- UK fintech mobile bank
UK private and commercial bank
PSD2 Review – Open banking, SCA, TRA
Overview
We performed an audit of the client’s design, build and implementation of SCA and TRA for online banking and card payments. This included reviewing controls around the security and resilience of APIs and the SCA technologies deployed on both channels.
We reviewed the client’s TRA and fraud rate calculation processes and validated a set of calculated fraud rates against the payment types and exemption threshold values defined in the SCA Regulatory Technical Standards made under PSD2.
We baselined our review against the relevant requirements:
- The Payment Services Regulations 2017.
- PSD2 and the Regulatory Technical Standards on strong customer authentication and common and secure open standards of communication (Commission Delegated Regulation (EU) 2018/389), as onshored in the UK.
- The UK Finance SCA Implementation Roadmap.
Outcome
Our audit identified the areas in which the bank had made progress towards compliance with the SCA and TRA requirements and validated its project plans for meeting the approaching regulatory deadlines for implementing SCA and TRA.
We can also provide the following assurance services to your business:
Faster Payments Service (Pay.UK)
Faster Payments Service (FPS) self-certification over the controls that protect the security and integrity of the FPS central infrastructure.
Bacs Trust Service Code of Conduct (Pay.UK)
As a Bacs Direct Participant, you must operate a Public Key Infrastructure (PKI) solution (Trust Service) that complies with the requirements set out in the Bacs Trust Service Code of Conduct (TSCoC).
Image Clearing System (Pay.UK)
Image Clearing System (ICS) participants must ensure compliance with the technical and operational requirements detailed in the ICS Specifications.
CHAPS Payments Scheme (Bank of England)
Self-certification attesting to security and resilience arrangements.
Swift Payments
Swift Customer Security Programme (CSP): self-attestation over the mandatory and advisory controls within the Customer Security Controls Framework (CSCF).
PCI DSS Compliance
Assessment of the controls required for compliance with the PCI Data Security Standard (PCI DSS) for card data processing and storage.
LINK ATM Certification
LINK ATM self-certification over the controls that protect the security and integrity of the LINK ATM network.
Confirmation of Payee (CoP) participation (Pay.UK)
Assurance and advice on the requirements for participating in the CoP scheme.
UK building society
LINK ATM self-certification attestation
Overview
We performed an independent assessment of the client’s self-attestation of its core controls within the scope of the LINK ATM assurance statement.
We conducted detailed design and operating effectiveness testing of the controls in scope, following the operating rules, security requirements and code of conduct prescribed by LINK. We assessed the completeness of the responses provided and the quality of the evidence supporting the controls attested to. The assessment confirmed that the building society was compliant in most areas and had one non-compliance to report, with an action plan already in place.
Additionally, we reviewed the effectiveness of the building society's certification process and provided recommendations to enhance the process for future certifications.
Outcome
We completed our work early enough for the client to respond to and remediate the findings we raised before the submission date. Our validation and recommendations gave management the confidence to sign off and submit the statement to LINK on time, maintaining the client’s participation in the scheme.
The client has also been given recommendations to improve its certification process to enable more effective completion of the certification in future years.
Electronic money institution
Cloud Assurance self-certification attestation
Overview
We conducted an independent assessment of the client’s self-attestation of its cloud controls within the scope of the Pay.UK assurance statement, as a participant in the Faster Payments Service (FPS).
We carried out detailed design and operating effectiveness testing of the controls in scope, following the rules prescribed in the Pay.UK Cloud Code of Conduct and Cloud risk policy. We assessed the completeness of the responses provided and the quality of the evidence supporting the controls attested to, and confirmed that the client was compliant in all areas and had no non-compliances to report.
We used our extensive knowledge of the FPS requirements and of cloud security and resilience risks and controls to critically assess the controls in scope.
Outcome
Our timely work, robust validation and recommendations enabled the client’s management to sign off the statement and submit it to Pay.UK on time, maintaining the client’s participation in the FPS scheme.
UK fintech mobile bank
Faster Payments Service (FPS) self-certification assessment
Overview
We performed an independent assessment of the client’s self-attestation of its controls within the scope of the FPS self-assessment questionnaire.
We conducted detailed design and operating effectiveness testing of the controls in scope, following the FPS rules and procedures, and assessed the completeness of the responses provided and the quality of the evidence supporting the controls attested to.
Areas of non-compliance were identified and effective, measurable and timely recommendations were provided for the client to address the gaps identified.
We used our extensive knowledge of the FPS requirements gained through working with the larger banks and newer fintechs to critically assess the controls in scope.
Outcome
Our timely work, robust validation and recommendations enabled the client’s executive management to sign off the questionnaire, allowing for a timely submission to the FPS. This ensured the client maintained its participation in the scheme.