PSD2: Effectiveness of RTS on SCA resulted in an audit requirement

What is the optimal way of getting ready?

Regulatory Technical Standards (RTS on SCA), the key part of the new Payment Services Directive (PSD2) introducing significant changes to the European market of payment services, came into effect on 14 September 2019. What are the practical implications for banks?

The relevant provisions of PSD2 and RTS on SCA stipulate a number of requirements to be applied by payment service providers in order to implement security measures, namely relating to strong customer authentication and disclosure of client data to third parties through API (Application Programming Interface). 

Payment service providers vs. audits

Meeting the obligations arising from the RTS on SCA includes an audit of security measures (methods), which is compulsory for all payment service providers. Another type of audit is the audit of methodology, model and reported fraud rates to which payment service providers are subject if they apply an exception to the strong customer authentication based on a transaction risk analysis (TRA) in real time. 

The audit of security methods should be performed by a functionally independent auditor with expertise in IT security and payments. The audit frequency is defined with respect to the relevant framework for the statutory audit of financial statements that applies to payment service providers.   

When using an exception to SCA application based on TRA, the audit of methodology, model and reported fraud rates should be made by an independent and qualified external auditor during the first year of application and then at least once in three years. After that, a review by an independent auditor with expertise in IT security and payments should be made at least once a year.

Time axis of audits


Deloitte services also cover an optional pre-audit

Deloitte services cover both types of compulsory audits arising from the RTS on SCA to be made by experts in IT security and payments who will cooperate with a qualified auditor from Deloitte Audit in respect of TRA. 

At the same time, Deloitte provides an opportunity to use the optional pre-audit services. Pre-audits provide a valued added as they outline the requirements applicable to payment service providers, identify the level to which the requirements are met, and recommend steps to be made in order to remove any weaknesses identified and achieve full compliance with the regulation before the official audit. 

Deloitte’s strengths namely include extensive experience in the implementation of PSD 2 and RTS on SCA requirements in banks and other institutions in the Czech Republic and across Europe as well as professional knowledge of banking, audit, IT security and payment services.

Deloitte service offering: Three types of audit to be performed independently

Did you find this useful?