How should payment actors prepare?
The priority for PSPs is to embed the applicable elements in strategic roadmaps and to:
- Identify the functions concerned: the scope of the regulatory developments will most probably require the involvement of all functions within the organization (Business, Legal, Risk, Compliance, Finance, …);
- Conduct impact assessments: identify and size the changes in existing processes, IT developments, security testing, business opportunities, review of customer journeys, etc.;
- Prioritize and plan developments to include these in the current strategic planning of the organization;
- Assess budget and capabilities required for roll-out and change.
These regulations will also require PSPs to strengthen the IT and security risk management measures related to payment flows. In this respect, PSPs should ensure they have an end-to-end view of all their payment flows, by comprehensively documenting their technical architecture and the dependencies between IT assets, as well as the underlying business and technical rules, security controls and protocols used.
Finally, PSPs should keep in mind that compliance with regulatory requirements will evolve over time, at the pace of PSPs’ business developments. This is why it cannot be seen as a one-off exercise. Instead, PSPs should implement adequate measures to have a 360° view of their compliance, and to remain in control in this domain. This should be achieved through:
- Continuous compliance monitoring: compliance monitoring activities should capture each business initiative before its launch, to assess the impact it might have on the PSP’s compliance with regulatory requirements;
- Regular enterprise-wide compliance assessment and reporting: as most regulatory challenges will impact several departments, it is key to ensure these are conducted at the level of the organization, and not in silos, to capture all dependencies. Also, regular compliance assessments should enable the organization to maintain a 360° view and to report to the executive management and Board at least on a yearly basis;
- Adequate governance: compliance monitoring and assessment can only be achieved when supported by adequate governance measures, where roles and responsibilities are clearly identified throughout the organization and where compliance by design is embedded in the business targets and objectives.
Upcoming regulatory developments will continue to shake the payment industry in the European Union. It is urgent for banks and other PSPs to assess the challenges and opportunities that PSD3, Open Finance Framework, Instant Payments, MiCA and Buy Now Pay Later will represent for their organization.
Do not hesitate to contact us, should you wish to discuss the detailed requirements or seek any assistance in this respect.