9. Payments (New)

Why is it important?

The payments market has been undergoing significant disruption in the last few years. Regulatory scrutiny remains high, as firms develop new payment strategies and respond to increasing compliance requirements. Recent instances of payment system-related outages and cyber-attacks have also attracted a lot of attention. The Revised Payment Services Directive (PSD2) has been in force in the UK since 2018, and firms are continuing on their journey to fully adapt their customer propositions and technology operating models. Two of the most impactful areas of PSD2 were governed by the requirements set out within the Regulatory Technical Standard (RTS) and are as follows:

• The requirement to use Strong Customer Authentication (SCA) for electronic payments; 
• The Open Banking requirements, namely allowing Third Party Providers (TPPs) access account information and initiate payments on behalf of customers through dedicated interfaces powered by Application Programming Interfaces (APIs) or through Modified Customer Interfaces (MCIs).
   

What’s new?

Organisations are required to ensure that their implementation of the above PSD2 requirements is well governed, documented, periodically tested, evaluated and audited by operationally independent auditors with expertise in IT security and payments processes. Firms are in the process of preparing their review for their first full fiscal accounting year which, for the majority, will be December 2020 or March 2021 year ends.

Furthermore, to counter cyber-attacks on the SWIFT network, SWIFT introduced the Customer Security Programme (CSP) as a mandatory compliance initiative for the global SWIFT community, consisting of core security standards and an assurance framework applicable to all members - not limited to financial service organisations.

What should Internal Audit be doing?

Internal Audit will have a key role to play in providing assurance that organisations adapt and develop their payment offerings and comply with the evolving regulatory requirements. Specifically:

Payment Services Directive (PSD2)

• We see many reviews against the Regulatory Technical Standard being performed by Internal Audit functions that meet the independence and expertise requirements. Functions should be aware of these requirements, and build such reviews into their audit plan for 2021. 
• A risk assessment and prioritisation of coverage may be needed, as the review requirements may generate a significant volume of work, depending on the number and complexity of firms’ operations and channels. This is driven by the broad applicability of PSD2 across any channel offering access to “payment accounts” (including cards) across any customer segment (i.e. Retail, Business, Corporate, Private Banking etc.), and across all electronic customer channels, such as internet banking, mobile apps, firm provided software, enterprise software integrations, other software integrations embedded through APIs or other interfaces, and “Open Banking” channels.

SWIFT Customer Security Programme

• Under the CSP, SWIFT users have to submit an annual self-attestation to SWIFT on the result of their independent assessment against a list of mandatory controls upon an organisation’s SWIFT-related infrastructure. Results of compliance are recorded centrally at SWIFT and non-compliance would therefore be visible to any SWIFT counterparties an organisation deals with. The attestations can be facilitated by Internal Audit or by an external provider, but we see increasingly Internal Audit functions driving these, in many cases using external specialist co-source support.
• SWIFT released an Independent Assessment Framework for 2020, which is designed to support users in verifying that their self-attestations correspond with their actual level of security control implementation, however due to COVID-19 pandemic, these new self-attestations will apply from mid-2021.