The Regulatory Technical Standards on strong customer authentication (the “RTS on SCA”), which entered into force on 14 September 2019, brought a number of new obligations for payment service providers, including banks and payment institutions. Media coverage has focused on the requirements for strong customer authentication itself, in particular when initiating electronic payments (card payments in a shop, purchases in an e-shop, orders entered in online banking and other acts), which must now be two-factor, i.e. consist of a combination of two or more elements from the categories of ‘knowledge’, ‘possession’ and ‘inherence’. The regulation, however, also brings new obligations of a purely internal nature: the obligation to carry out internal audits, namely an audit of security measures (the “audit of security measures”) and an audit of the way in which the so-called transaction risk analysis is carried out (the “TRA audit”). What are these two types of audit about and what is their substance?
Audits are regulated in the RTS on SCA in only two articles, Article 3 and Article 19(2), and these provisions are so general that several questions on their interpretation have already been submitted to the European Banking Authority (the “EBA”). Since the reports on both types of audit are to be submitted only upon the request of the national regulator (in the case of the Czech Republic, the Czech National Bank), it would be desirable, in the interest of legal certainty, for the regulator to specify certain points in more detail. Some of these ambiguities, to which we do not yet know the answer, are discussed below, in particular the form of the audit output and the expected timeframe of the audits.
Who does the obligation to carry out audits concern?
The obligation to carry out the audit of security measures is based on Article 3 of the RTS on SCA, which obliges payment service providers to review the security measures required under Article 1 of the RTS on SCA. Specifically, these are the obligations relating to the implementation of strong customer authentication and to the exemptions from it (where a payment service provider has chosen to implement them voluntarily), the obligations relating to the integrity and confidentiality of the security credentials of payment service users, and the common and secure open standards of communication between payment service providers. Unlike the audit of security measures, the TRA audit is mandatory only for those payment service providers that have voluntarily decided to implement the exemption from strong authentication based on transaction risk analysis. The TRA audit specifically examines the methodology, the model and the reported fraud rate. Put simply, it primarily checks which transactions are, and which are not, included in the formula for calculating the fraud rate; that rate determines the maximum transaction amount up to which the exemption from strong authentication may be applied.
As regards the requirements for the person carrying out the audit, for both the audit of security measures and the TRA audit that person must have expertise in information technology security and in payments, and must at the same time be functionally independent of the payment service provider. It should therefore not be the person who assisted with the implementation of the audited measures. Nevertheless, the person carrying out the audit may be the provider’s own internal auditor. In this respect we understand the term “auditor” in Article 3 of the RTS on SCA as a defined term (legislative shorthand), i.e. the auditor may in a given case be anyone who has the above expertise and is functionally independent of the provider. The exception to this rule is the first TRA audit and every third TRA audit thereafter, which must instead be carried out by an independent and qualified external auditor. Naturally, this auditor must also have the above expertise.
Audit report: when to be drawn up and in what form
The RTS on SCA does not prescribe a specific form of audit report for either of the audits. However, we believe that the audit report should at least show what potential deficiencies have been identified at the obliged entity, i.e. the form of a so-called gap (differential) analysis should be sufficient for the intended purpose. As regards the TRA audit carried out by an external auditor, the form of the report should follow the standards imposed on auditors’ outputs in the Czech Republic.
Perhaps the biggest ambiguity about the new audit obligations remains their timing, i.e. the latest moment at which the audit report must be drawn up. Both types of audit are to be carried out annually. For the TRA audit, the audit report shall be drawn up no later than one year after the implementation of the exemption from strong authentication. Therefore, where a provider implemented the exemption as of the date the RTS on SCA took effect, it shall draw up the audit report by 14 September 2020 at the latest. The obligation to draw up a report on the audit of security measures is more complicated, because the audit period is to be determined taking into account the relevant framework for accounting and statutory audit applicable to the payment service provider concerned. Given that, for all payment service providers, the subject of the audit of security measures will be compliance with the obligations under the RTS on SCA from 14 September 2019, when the RTS on SCA came into effect, and that the generally applicable accounting period lasts 12 calendar months, it is not quite clear when the historically first audit is to be done and what period it should cover. One option is to audit the period from 14 September 2019 to 31 December 2019, with the historically first audit report on security measures being drawn up in the first half of 2020. Another option is to combine the 3-month period of effectiveness of the RTS on SCA in 2019 with the calendar year 2020, with the audit report being drawn up only in the first half of 2021.
The interpretation of the RTS on SCA with respect to the audit obligations of payment service providers is merely one of the many ambiguities this regulation brings. The hope is that the EBA or the national regulators will soon shed more light on the uncertainties described above.