REP018 and the 'Corporate Payment Exemption'

  • Posted on: 19 November 2020
  • Written by: Matthew Baxter

The REP018 reporting format, on the face of it, is a simple return to be completed by all Payment Service Providers (PSPs). However, Regulation 98 of the Payment Services Regulations 2017 (PSRs) requires that each PSP provides an updated and comprehensive assessment of their operational and security risks and the adequacy of the mitigation measures and control mechanisms implemented in response to those risks. As a result, the REP018 is an extensive piece of work; not only to implement, but also to maintain on an at least annual basis.

Additionally, the REP018 is now the tool to be used when applying to the Financial Conduct Authority (FCA) to use the Corporate Payment Exemption under Article 17 of the European Banking Authority’s ‘Regulatory Technical Standards on strong customer authentication and secure communication under the Second Payment Services Directive (PSD2)’ (SCA-RTS). As a result, the FCA requires all PSPs to understand and manage their operational and security risks.

Operational and Security Risk Assessment

An Operational and Security Risk Assessment is required by all PSPs at least once annually. In preparing the risk assessment, firms will need to consider the FCA’s guidance notes on completing a REP018 return in SUP 16 Annex 27H of the FCA Handbook. There are three key areas a firm’s risk assessment must cover:

  • The business functions, key processes and information assets that support the payment service, labelled by criticality and assessed against all known risks

  • The mitigation measures currently in place to reduce the impact of any identified risks

  • The results of the risk assessment and actions to be implemented

Undertaking the assessment enables flaws to be identified and addressed, and ensures senior management demonstrate an understanding of the firm’s risk exposure.

The Corporate Payment Exemption

The updated REP018 submission form also includes the opportunity for PSPs to apply for the use of the ‘corporate payment exemption’, an exemption to Strong Customer Authentication (SCA) afforded under SCA-RTS Article 17. An exemption from SCA will allow firms to apply alternative authentication procedures, potentially accelerating the payment process and improving customer experience.  

Informing the FCA that you wish to use the exemption requires the selection of ‘yes’ in response to question 10 of the REP018. The FCA will not simply approve a corporate payment process without due assessment of the process itself. The FCA has information requirements in place to ensure that any implementation is appropriate and in line with Article 17 of SCA-RTS and firms must be aware that the exemption should not be applied until approval has been received from the FCA.

Five Tips for the Corporate Payment Exemption

  1. In order to allow the FCA to appropriately assess the corporate payment process you are looking to implement, it is advised to include your assessment of the process within the Operational and Security Risk Assessment. Within the assessment, you must clearly show the type of payment services you wish to provide when relying on the exemption and you must provide an explanation of the processes and protocols you have in place to guarantee security.

  2. An important expectation the FCA has is that the PSP must be satisfied that the corporate payment process guarantees at least equivalent levels of security to those provided by PSD2. Including this statement within your risk assessment, only if you are satisfied it is true, will provide comfort to the FCA and ensure your submission meets their expectations.

  3. Consider obtaining an annual independent audit of the dedicated payment processes or protocols. This is not enforced by the FCA, but section 20.63 of the current FCA’s Approach Document (as at 19 November 2020) indicates that it's advisable for PSPs to consider an additional layer of assurance to their own review of the process.

  4. Following approval, it is advisable to regularly review the security of the corporate payment process as part of the quarterly REP018 Risk Assessment. Although there is only the requirement to submit the actual risk assessment once per calendar year, reconsideration of the need for submission should take place quarterly to ensure any arising risks are accounted for and mitigated. As part of this process, you should ensure the information regarding the corporate payment process is reflective of your current process.

  5. Ensure you submit an application for approval of your secure corporate payment process before implementing the process. FCA guidance dictates that they must be satisfied that the process and protocols guarantee at least the equivalent level of security to those provided by the PSRs before they approve it.

Compliancy Services is one of the UK’s leading providers of regulatory compliance services to firms that provide payment services and issue e-money. We are highly experienced in assisting firms, including those from the EEA or further afield, with their ongoing compliance obligations, including GABRIEL/RegData Returns and REP018 Risk Assessments.

If you need support in preparing a REP018 Risk Assessment and/or an application for the ‘corporate payment exemption’, please do get in contact, we would be happy to help. You can find more about our services advice and resources by visiting our Payment Services area.