Governance and conduct series: PSD2

Video | May 2018 | 4:56
Transcript
Christian Blackwell: Hello. We're a few weeks after the implementation of PSD2, and I'm here today with John Davison, to talk about five things that you should revisit now, in the light of that regulatory change. John, the first one I want to turn to is the robustness of IT. What can you tell me about that?
John Davison: Well, I think the fundamental change in PSD2 is about strong customer authentication. And whilst that is very clearly prescribed in the requirements, embedding that in IT systems isn't necessarily as easy and simple. And for me, I would look really at two things. I think, number one, is it embedded properly, but across all different payment systems, and payment flows. And secondly, the important thing, of course, is that staff members operating things like that understand what the requirements are, how the systems work, and that they're trained accordingly.
Christian Blackwell: Cyber-security is another area that's very important in light of regulatory change. What could you tell me about that?
John Davison: I mean, cyber risk is increasing all the time, and cyber risk is no greater risk than in a payment process. So, to my mind, whilst organisations will probably have a lot of focus on cyber, and a lot of controls in place to mitigate that risk, any change in a payment process, by definition, puts threat on the cyber controls. So, to my mind, I would be looking at how cyber is analysed, how the threats are analysed, what the changes in payment systems have done, and just put end to end the cyber and payment controls together, just to make sure that there are no kinks in that, as part of your post-implementation review.
Christian Blackwell: And the change may have had an impact on an organisation's strategy. What should organisations be doing to get to grips with that?
John Davison: Really, I think, firstly, two things. So, I think, for me, PSD2 implementation may have had a fairly long lead-in time, and strategy, business models, and approaches to engaging with customers in a payment context may well have evolved from the time preparation for PSD2 started and the early part of January. So, I think revisiting decisions that were made in the early implementation phase, and looking at the consequences on that, would be a good thing to do as part of a post-implementation, and then actually looking at full coverage. So, are all payment systems covered, all payment flows covered, is there sufficient focus on international payments? So, it's a bit about coverage, and it's a bit about strategy and process evolving quicker than the PSD2 implementation project has been able to catch up with it.
Christian Blackwell: And that links very much to the fourth point I wanted to cover, in terms of how the PSD2 regulation links with other regulations.
John Davison: Well, I think the obvious nexus is to GDPR here. So, international payments, obviously, and international cross-border data sharing have a direct correlation. I think whenever you're capturing personal data, authentication data as well, that links directly to GDPR, which actually has a much broader coverage, in terms of where its personal data might be stored. So, for me, there's something about PSD2 implementation in its own right, yes, but as part of any post-implementation work, as organisations prepare for GDPR, there's the opportunity to evaluate your GDPR programme, and the way in which personal data is being captured, in line with your post-implementation review of PSD2, which will actually help with the efficiency in terms of both programmes.
Christian Blackwell: And finally, how can we ensure sustainability of compliance around PSD2?
John Davison: I think there's a couple of real fundamental things, you know, policies, procedures, controls. Not just are they compliant, but do they actually take into account the way in which processes operate today? Have they been updated, has everybody been trained? We've talked a number of times about board reporting and governance in other videos, and for me, in that regard, are PSD2 related issues properly finding their way through in terms of governance and issue-related matters? So, for me, there's a post-implementation bit, which is just to validate everything is embedded, but then it's ensuring that the day-to-day protocols don't just meet the minimum standards, but actually align with the process changes that happened as part of PSD2.
Christian Blackwell: Thank you very much, John. Until the next time.