

Stephen Watkins, IT and InfoSec expert at leading financial services compliance firm fscom, explores the need for greater awareness of REP018 ahead of the FCA deadline for report submissions.

Discussing reporting obligations with our payments clients recently has revealed a lack of awareness of REP018, a report driven by the requirements of the second Payment Services Directive (PSD2). Article 95(2) of PSD2 requires payment service providers (PSPs) to provide the competent authority, at least annually, with an updated and comprehensive assessment of the operational and security risks relating to the payment services they provide, together with the adequacy of the mitigation measures and controls implemented in response. So, what is REP018 and why has it caught so many by surprise?

The rationale and the history

There has always been a requirement to assess the risks to your business and to show the FCA that you are alive to its weaknesses and have taken steps to manage and control them, strengthening the areas where you are exposed.

However, PSD2 ups the ante, and quite reasonably so. Globally, we have come to realise how vulnerable we are to attack. A recent example is the British Airways (BA) data breach, in which the details of thousands of customers who booked flights on the airline’s website, information worth potentially millions to criminals, were stolen. BA has suffered damage to its reputation and has voluntarily paid out compensation, but there may yet be further fallout if the Information Commissioner’s Office decides to impose a fine or even to ban it from processing personal data (effectively halting its operations). At an event I attended recently, it was said that for every £10 spent defending against attacks it costs only 10p to attack. That asymmetry is a major disadvantage when protecting your valued assets.

And so PSD2 mandated the European Banking Authority (EBA) to produce guidelines on security measures for operational and security risks. After consultation, the EBA published its final guidelines in December 2017.

Because the EBA guidelines were still outstanding when the FCA’s approach document and reporting returns were first published, no further information was provided until the FCA consulted in March. The finalised REP018 was published in July, along with accompanying guidance in chapter 13 of the FCA’s approach document.

What is REP018?

REP018 is the operational and security risk report that all PSPs must complete, that is, all credit institutions, payment institutions and e-money institutions (whether authorised or registered) and registered account information service providers. It must be completed at least annually; however, it can be submitted as frequently as every quarter. The report must be submitted on GABRIEL, unless you are an electronic money institution, in which case you should email the Excel sheet to the FCA. The report requires each PSP to provide its latest risk assessment, its analysis of the findings, details of the latest audit and the number of security-related customer complaints. So, what is involved in producing and maintaining a risk assessment that is suitable for use and for reporting to the FCA?

Undertaking the risk assessment

Identifying your organisation’s weaknesses begins with establishing the risk assessment methodology; you have to decide whether you want a qualitative or a quantitative risk assessment. A quantitative assessment expresses likelihood and impact as numbers, typically an estimated probability and a monetary loss, while a qualitative one ranks them on ordinal scales such as low, medium and high. In my view, the quantitative approach is ideal for a time- and budget-bound, single-purpose project because the cost of the risks materialising can be calculated. Conversely, costs are very difficult to quantify for enterprise-wide assessments conducted on an ongoing basis, and there the qualitative approach is more suitable.

Once you have chosen a methodology you can begin the first step of the risk assessment proper: identifying the risks. Arguably, this is the most important part of the process, since an undiscovered risk is, by default, an accepted risk with no mitigation. “Operational” means everything: HR, finance, IT, customer services, the payments team, even catering (if you have such a department!).

After identifying the risks, you must assess the impact each risk would have on your business if it crystallised, and the likelihood of it happening. A risk matrix, plotting likelihood against impact, lets you map and consistently score the identified risks. In my experience, companies are usually aware of only around 30% of their risks. You will likely find that this exercise reveals more about your business than you previously knew; once you are finished, you will start to appreciate the effort made.

It is finally time to take action and decide what to do with these risks. You can work through them either cyclically, taking every risk in turn, or on a risk basis, starting with the highest scored. We advise a risk basis: not all risks are created equal and resources are not infinite, so focus on the most important ones first. There are four options for dealing with an identified risk:

  • Tolerate (accept) – the risk is within your organisation’s risk appetite, so it is consciously accepted and recorded as such.
  • Terminate (reject) – cease the activity, or change the process, that is causing the risk.
  • Transfer (usually through insurance) – think cyber insurance; note that insurance typically reduces the financial impact, not the likelihood.
  • Treat (control) – apply a control or risk mitigation process to reduce the likelihood, the impact or both.

If you have decided to treat or transfer the risk, re-score it in light of the treatment. The re-scored value is the residual risk, and it should itself fall within your risk appetite; if it does not, further treatment is needed or the excess must be explicitly accepted.

After re-scoring the risks, an action plan must be formulated. The action plan is how you carry out the mitigations identified for each weakness, with an owner and a date for each step. For instance, set a date by which a new policy is to be created and enforced, with follow-up dates for staff training and for confirmation that staff have read and agreed to abide by the policy.
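The matrix scoring, the four treatment options, the re-scoring to a residual risk and the action-plan fields described above can be kept consistent in a simple risk register. The following is an added worked example written for this page; it is not fscom’s methodology, not a format the FCA prescribes and not code from the original article. The 5×5 scales, the rating bands, the risk appetite threshold and the sample register entries are all assumptions made for the illustration. The `register_issues` check flags the mistakes a reviewer most often finds before submission: a “tolerated” risk that is actually above appetite, a high risk with no treatment decision, a treated risk that was never re-scored, and a treatment with no owner or due date.

```python
"""Risk register scoring, treatment and prioritisation (added example).

Illustration of a likelihood x impact risk matrix with tolerate / terminate /
transfer / treat decisions. All scales, bands, the appetite threshold and the
sample entries are assumptions chosen for this example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Treatment(Enum):
    TOLERATE = "tolerate"    # accept: only valid within appetite
    TERMINATE = "terminate"  # stop the activity causing the risk
    TRANSFER = "transfer"    # e.g. insurance: usually lowers impact, not likelihood
    TREAT = "treat"          # apply a control to lower likelihood and/or impact


# Assumed rating bands over the 1..25 score (likelihood * impact).
RATING_BANDS = ((5, "low"), (10, "medium"), (16, "high"), (25, "critical"))
# Assumed risk appetite: anything scoring above this needs a decision other than tolerate.
RISK_APPETITE = 8


@dataclass
class Risk:
    ref: str
    area: str                 # operational area: HR, IT, payments, ...
    description: str
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (severe)
    treatment: Optional[Treatment] = None
    residual_likelihood: Optional[int] = None   # re-score after treat/transfer
    residual_impact: Optional[int] = None
    owner: Optional[str] = None                 # action-plan fields
    action_due: Optional[str] = None


def score(likelihood: int, impact: int) -> int:
    """Cell of the 5x5 matrix; rejects values that are off the scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError(f"likelihood/impact must be 1..5, got {likelihood}/{impact}")
    return likelihood * impact


def rating(s: int) -> str:
    """Map a matrix score onto the assumed rating bands."""
    for upper, label in RATING_BANDS:
        if s <= upper:
            return label
    raise ValueError(f"score out of range: {s}")


def inherent_score(r: Risk) -> int:
    return score(r.likelihood, r.impact)


def residual_score(r: Risk) -> Optional[int]:
    """Score after the treatment decision: terminated risks drop to 0, tolerated or
    undecided risks keep their inherent score, and a treated or transferred risk
    must carry a re-score (None signals that it was never re-scored)."""
    if r.treatment is Treatment.TERMINATE:
        return 0
    if r.treatment in (Treatment.TREAT, Treatment.TRANSFER):
        if r.residual_likelihood is None or r.residual_impact is None:
            return None
        return score(r.residual_likelihood, r.residual_impact)
    return inherent_score(r)


def prioritise(register):
    """Risk-based ordering: highest inherent score first, reference as tie-break."""
    return sorted(register, key=lambda r: (-inherent_score(r), r.ref))


def register_issues(register, appetite=RISK_APPETITE):
    """Consistency checks to run over the register before it is reported."""
    issues = []
    for r in register:
        inh = inherent_score(r)
        if r.treatment is None:
            if inh > appetite:
                issues.append((r.ref, f"score {inh} above appetite with no treatment decision"))
            continue
        if r.treatment is Treatment.TOLERATE and inh > appetite:
            issues.append((r.ref, f"tolerated but score {inh} exceeds appetite {appetite}"))
        if r.treatment in (Treatment.TREAT, Treatment.TRANSFER):
            res = residual_score(r)
            if res is None:
                issues.append((r.ref, "treated/transferred but not re-scored"))
            else:
                if res >= inh:
                    issues.append((r.ref, f"treatment leaves score at {res}, no reduction"))
                if res > appetite:
                    issues.append((r.ref, f"residual score {res} still above appetite"))
            if not r.owner or not r.action_due:
                issues.append((r.ref, "action plan has no owner or due date"))
    return issues


def sample_register():
    """Constructed entries for the example; not taken from any real assessment."""
    T = Treatment
    return [
        Risk("OPS-01", "payments", "single point of failure in payment gateway", 4, 5, T.TREAT, 2, 5, "Head of IT", "2019-03-31"),
        Risk("OPS-02", "HR", "leaver access not revoked promptly", 3, 3, T.TREAT, 1, 3, "HR Manager", "2019-01-31"),
        Risk("OPS-03", "IT", "phishing leads to credential theft", 4, 4, T.TRANSFER, 4, 2, "CFO", "2019-02-28"),
        Risk("OPS-04", "finance", "manual reconciliation error", 2, 2, T.TOLERATE),
        Risk("OPS-05", "customer services", "call recordings stored unencrypted", 3, 4, T.TOLERATE),
        Risk("OPS-06", "IT", "unsupported legacy reporting server", 2, 5),
        Risk("OPS-07", "payments", "fraud rules not reviewed", 3, 3, T.TREAT, owner="Head of Payments"),
    ]


if __name__ == "__main__":
    reg = sample_register()
    for r in prioritise(reg):
        print(f"{r.ref} {rating(inherent_score(r)):8} inherent={inherent_score(r):2} residual={residual_score(r)}")
    for ref, msg in register_issues(reg):
        print("ISSUE", ref, msg)
```

Run stand-alone, the block lists the register in priority order and then the five issues in the sample data: OPS-01 is treated but its residual score (10) is still above the assumed appetite, OPS-05 is marked tolerate at a score of 12, OPS-06 has no decision at all, and OPS-07 has been assigned a treatment without being re-scored or given a due date. Those are exactly the gaps a reviewer looks for before the assessment is relied on for reporting.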

Job done?
We have identified our risks, prioritised them and chosen a treatment for each. That’s it: one more process completed, to be placed on a shelf and dusted down sometime later…

Not quite!

A risk assessment is a live document and risk management a continuous process; the key to successful enterprise risk management is how you respond to the plan. Risks that are acceptable now may become unacceptable in the future. One way to determine whether the assessment needs to change is to test your controls, either by walking through a hypothetical scenario as a tabletop exercise or by running a live simulation, and to document the lessons learned so that the controls can be improved.

Clearly, risk assessments can be undertaken by an internal team, but many find that deploying our expertise is invaluable because we bring:

  • independence in calibrating the risks across the business;
  • a breadth of experience in benchmarking against others in the industry; and
  • a depth of knowledge that makes us efficient in undertaking the task.

If you require any advice, please do not hesitate to contact me, or any of the team at fscom.

REP018 Infographic
