Presentation is loading. Please wait.

Presentation is loading. Please wait.

Neopay Practical Guides #2 PSD2 (Should I be worried?)

Published byGunnar Nielsen Modified over 5 years ago

Similar presentations

Presentation on theme: "Neopay Practical Guides #2 PSD2 (Should I be worried?)"— Presentation transcript:

1 Neopay Practical Guides #2 PSD2 (Should I be worried?)

2 Overview PSD2 seeks principally to build on the practices and regulation set out in PSD1 and the two Electronic Money Directives Further, PSD2 addresses some of the conflicts between the Electronic Money Directives and the original PSD1 Adopted by the EU on 25 November 2015 To be transposed into national law by all member states by 13 January Transitional arrangements to be announced within the next few months

3 Key impacts on existing firms
Draft transitioning requirements Existing firms will need to transition their existing authorisation to the new PSD2 regime. This is not a full application, but rather an assessment of how the firm is positioned to deal with the new requirements Consultation is still not completed (indeed a number of States have yet to issue any guidance, draft or otherwise) so this must be considered draft information potentially subject to change It should also be noted that all firms will be given sufficient time to meet the new requirements, implement the changes and submit them for approval

4 Key impacts on existing firms
Draft transitioning requirements Key requirements include: Procedures for incident reporting Processes to file, monitor, track and restrict access to sensitive payment data Description of the principles and definitions firms apply to collecting statistical dat on performance, transactions and fraud Arrangements for business continuity and the testing of these procedures Security policy document Descriptions of checks on Agents and Branches Details of Professional Indemnity Insurances held

5 Key impacts on existing firms
Draft transitioning requirements Procedures for incident reporting Procedures to meet the requirements to monitor, handle and follow up on security incidents and security-related customer complaints. The procedures for the reporting of incidents, including the communication of these reports to internal or external bodies.

6 Key impacts on existing firms
Draft transitioning requirements Processes to file, monitor, track and restrict access to sensitive payment data lists of the data classified as sensitive payment data procedures in place to authorise access to the sensitive payment data description of the monitoring tool access right policy how the collected data is registered

7 Key impacts on existing firms
Draft transitioning requirements Processes to file, monitor, track and restrict access to sensitive payment data expected internal and/or external use of the collected data IT system and technical security measures identification of the individuals with access to the sensitive payment data explanation of how breaches will be detected and addressed annual internal control program in relation to the safety of the IT systems

8 Key impacts on existing firms
Draft transitioning requirements Principles and definitions they apply for collecting statistical data on performance, transactions and fraud. type of data that is collected, in relation to customers, type of payment service, channel, instrument, jurisdictions and currencies scope of the collection means of collection purpose of collection frequency of collection service level agreements with outsourcing partner(s) organisational measures and tools for the prevention of fraud reporting lines in case of fraud

9 Key impacts on existing firms
Draft transitioning requirements Arrangements for business continuity and the procedure for testing and reviewing these plans a business impact analysis, including the business processes and recovery objectives, such as recovery time objectives, recovery point objectives, and protected assets; identification of the back-up site, access to IT infrastructure, and its key software and data to recover from a disaster or disruption; explanation of how the applicant will deal with significant continuity events and disruptions, such as the failure of key systems; the loss of key data; inaccessibility of premises; and loss of key persons; frequency with which the applicant intends to test the Business Continuity and Disaster Recovery Plans, including how the results of the testing will be recorded; and description of the mitigation measures to be adopted by the applicant, in case of termination of its payment services, to avoid adverse effects on payment systems and on payments services users ensuring execution of pending payment transactions and termination of existing contracts.

10 Key impacts on existing firms
Draft transitioning requirements A security policy document. This will include a detailed risk assessment and mitigation measures to adequately protect payment service users against identified risks, including fraud and illegal use of sensitive and personal data. The security policy document should contain the following information: a detailed risk assessment of the payment service(s) the applicant intends to provide, which should include risks of fraud and the security control and mitigation measures taken to adequately protect payment service users against the risks identified. a description of the IT systems an exhaustive list of authorised connections from outside with partners, service providers, entities of the group and employees of the applicant working remotely - specifying the control the applicant will have over these accesses as well as the nature and frequency of each control the logical security measures and mechanisms that govern the internal access to IT systems

11 Key impacts on existing firms
Draft transitioning requirements A security policy document. the physical security measures and mechanisms of the premises security of the payment processes, which should include: i. the customer authentication procedure; ii. integrity of authentication factors such as hardware tokens and mobile application iii. a description of the systems and procedures that the applicant has in place for transaction analysis and identification of suspicious or unusual transactions. a detailed risk assessment in relation to its payment services, including fraud a list of the main written procedures in relation to the applicant’s IT systems

12 Key impacts on existing firms
Draft transitioning requirements Description of checks on agents and branches. a mapping of the off-site and on-site checks that the applicant intends to perform at least annually on branches and agents and their frequency the IT systems, processes and infrastructure which are used by the applicant’s agents to perform activities on behalf of the applicant; the main characteristics and key points of the mandate agreement containing the full terms of the mandate, selection policy, monitoring procedures and agents’ training.

13 Key impacts on existing firms
Draft transitioning requirements Professional indemnity insurance held The applicant for the provision of payment initiation services or account information services should provide the following information: an insurance contract or other equivalent document confirming the existence of the professional indemnity insurance or comparable guarantee a record of how the applicant has calculated the minimum amount The European Banking Authority is also developing guidelines for competent authorities, e.g. EU regulators, on the exact information required for authorisation and registration. More information on the EBAs approach can be found on the EBA website.

14 Key impacts on existing firms
So should I be worried? What should I do now?

15 Questions?

16 Craig James – Chief Executive Officer
Neopay Ltd W: E: T: +44(0) D: +44(0) Neopay US W: E: T: F: © Neopay Ltd 2016

Download ppt "Neopay Practical Guides #2 PSD2 (Should I be worried?)"

Similar presentations

Red Flag Rules: What they are? & What you need to do

Red Flag Rules: What they are? & What you need to do
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Information System Assurance Practices in China Key players doing IS Assurance In China Regulatory Regime and Professional Organizations -Regulatory AuthoritiesRegulatory.

Information System Assurance Practices in China Key players doing IS Assurance In China Regulatory Regime and Professional Organizations -Regulatory AuthoritiesRegulatory.
Contractor Safety Management

Contractor Safety Management
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
Security Controls – What Works

Security Controls – What Works
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Code of Conduct for Mobile Money Providers 6 November 2014 All material © GSMA 2014. The policy advocacy and regulatory work of the GSMA Mobile Money team.

Code of Conduct for Mobile Money Providers 6 November 2014 All material © GSMA The policy advocacy and regulatory work of the GSMA Mobile Money team.
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Compliance Policy & Procedures An Overview for Staff Prepared by MSM Compliance Services Pty Ltd.

Compliance Policy & Procedures An Overview for Staff Prepared by MSM Compliance Services Pty Ltd.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Outsourcing Policy & Procedures An Overview for Staff Prepared by MSM Compliance Services Pty Ltd.

Outsourcing Policy & Procedures An Overview for Staff Prepared by MSM Compliance Services Pty Ltd.
Session 6: Data Integrity and Inspection of e-Clinical Computerized Systems May 15, 2011 | Beijing, China Kim Nitahara Principal Consultant and CEO META.

Session 6: Data Integrity and Inspection of e-Clinical Computerized Systems May 15, 2011 | Beijing, China Kim Nitahara Principal Consultant and CEO META.
CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.

CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.
Chapter 10: Computer Controls for Organizations and Accounting Information Systems

Chapter 10: Computer Controls for Organizations and Accounting Information Systems
G17: Recordkeeping for Business Activities Carried out by Contractors Patrick Power, Manager Government Recordkeeping Programme Archives New Zealand.

G17: Recordkeeping for Business Activities Carried out by Contractors Patrick Power, Manager Government Recordkeeping Programme Archives New Zealand.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Outsourcing Louis P. Piergeti VP, IIROC March 29, 2011.

Outsourcing Louis P. Piergeti VP, IIROC March 29, 2011.
HIPAA PRIVACY AND SECURITY AWARENESS.

HIPAA PRIVACY AND SECURITY AWARENESS.

Similar presentations

Ads by Google