What Does the RTS on SCA Bring with Regard to Statutory Audits?
The regulatory technical standards for strong customer authentication (the “RTS on SCA”), which entered into force on 14 September 2019, introduced a number of new obligations for payment service providers, including banks and payment institutions. Media coverage has focused mainly on the new requirements for strong customer authentication, particularly when initiating electronic payments (whether card payments in a store, the purchase of goods in an e-shop, entering an order in online banking or other acts), where authentication must now be two-factor (i.e. consisting of a combination of two or more elements from the categories of ‘knowledge’, ‘possession’ and ‘inherence’). However, the regulation also introduces new obligations of a purely internal nature: specifically, the obligation to carry out internal audits, namely an audit of security measures (“audit of security measures”) and an audit of the way in which the so-called transaction risk analysis is carried out (“TRA audit”). What are these two types of audits about and what is their substance?