SUP 16.13 Reporting under the Payment Services Regulations
Application
1This section applies to a payment service provider as set out in this section3 (see SUP 16.1.1A D).
Purpose
The purpose of this section is to: 3
- (1)
give directions to authorised payment institutions, small payment institutions and registered account information service providers under regulation 109(1) (Reporting requirements) of the Payment Services Regulations in relation to:3
1212- (a)
the information in respect of their provision of payment services and their compliance with requirements imposed by or under Parts 2 to 7 of the Payment Services Regulations that they must provide to the FCA; and3
- (b)
the time at which and the form in which they must provide that information and the manner in which it must be verified;3
- (a)
- (2)
give directions to payment service providers under regulation 109(5) (Reporting requirements) of the Payment Services Regulations in relation to the form of the statistical data on fraud relating to different means of payment that must be provided to the FCA under regulation 109(4) of the Payment Services Regulations at least once per year;3
- (3)
give directions to payment service providers under regulation 98(3) (Management of operational and security risks) of the Payment Services Regulations in relation to:3
- (a)
the information that must be contained in the assessment of operational and security risks and the adequacy of mitigation measures and control mechanisms that must be provided to the FCA;3
- (b)
the intervals at which that assessment must be provided to the FCA (if the assessment is required to be provided more frequently than once a year); and3
- (c)
the form and manner in which that assessment must be provided; and3
- (a)
- (4)
give directions to EEA authorised payment institutions under regulation 30(4) of the Payment Services Regulations in relation to:3
- (a)
the information that they must provide to the FCA in respect of the payment services they carry on in the United Kingdom in exercise of passport rights; and3
- (b)
the time at which and the form in which they must provide that information and the manner in which it must be verified.3
- (a)
3The purpose for which this section requires information to be provided to the FCA under regulation 109 of the Payment Services Regulations is to assist the FCA in the discharge of its functions under regulation 106 (Functions of the FCA), regulation 108 (Monitoring and enforcement) and regulation 109(6) (Reporting requirements) of the Payment Services Regulations.
2The purpose of this section is also to set out the rules applicable to payment service providers3 in relation to complete and timely reporting and failure to submit reports.
3Authorised payment institutions and small payment institutions should refer to the transitional provisions in SUP TP 1.11 (Payment services and electronic money returns).
Reporting requirement
- (1)
An authorised payment institution, a small payment institution , an EEA authorised payment institution or a registered account information service provider3 must submit to the FCA12 the duly completed return applicable to it as set out in column (2) of the table in SUP 16.13.4D.
2212 - (2)
An authorised payment institution, a small payment institution or a registered account information service provider3 must submit the return referred to in (1):
- (a)
in the format specified as applicable in column (3) of the table in SUP 16.13.4D;
- (b)
at the frequency and in respect of the periods specified in column (4) of that table;
- (c)
by the due date specified in column (5) of that table; and
- (d)
by electronic means made available by the FCA12.
12
- (a)
3SUP 16.4.5R (Annual controllers report) and SUP 16.5.4R (Annual Close Links Reports) apply to an authorised payment institution as if a reference to firm in these rules were a reference to an authorised payment institution.
2SUP 16.3.11 R (Complete reporting) and SUP 16.3.13 R (Timely reporting) also apply to authorised payment institutions, small payment institutions, EEA authorised payment institutions and registered account information service providers3 as if a reference to firm in these rules were a reference to these categories of payment service provider3.
2SUP 16.3.14 R (Failure to submit reports) also applies to payment service providers that are required to submit reports or assessments in accordance with this section and the Payment Services Regulations3 as if a reference to firm in this rule were a reference to the relevant category of payment service provider3.
3Authorised payment institutions, small payment institutions and registered account information service providers are reminded that they should give the FCA reasonable advance notice of changes to their accounting reference date (among other things) under regulation 37 of the Payment Services Regulations. The accounting reference date is important because many frequencies and due dates for reporting to the FCA are linked to the accounting reference date.
The table below sets out the format, reporting frequency and due date for submission in relation to regulatory returns that apply to authorised payment institutions,3 small payment institutions, EEA authorised payment institutions and registered account information service providers3.
(1) |
(2) |
(3) |
(4) |
(5) |
Type of payment service provider3 |
Return |
Format |
Reporting Frequency |
Due date |
Authorised Payment Institution Capital Adequacy Return |
FSA056 (Note 1) |
Annual (Note 2) |
30 business days (Note 3) |
|
Authorised Payment Institution Capital Adequacy Return |
FSA056 (Note 1) |
Annual (Note 2) |
30 business days (Note 3) |
|
Payment Services Directive Transactions |
FSA057 (Note 4) |
Annual (Note 5) |
||
Note 1 |
When submitting the completed return required, the authorised payment institution or registered account information service provider3 must use the format of the return set out in SUP 16 Annex 27CD3. Guidance notes for the completion of the return are set out in SUP 16 Annex 27DG3. |
|||
Note 2 |
This reporting frequency is calculated from an authorised payment institution's or registered account information service provider’s 3 accounting reference date. |
|||
Note 3 |
The due dates are the last day of the periods given in column (5) of the table above following the relevant reporting frequency period set out in column (4) of the table above. |
|||
Note 4 |
When submitting the completed return required, the small payment institution must use the format of the return set out in SUP 16 Annex 28CD3. Guidance notes for the completion of the return are set out in SUP 16 Annex 28DG3. |
|||
Note 5 |
This reporting frequency is calculated from 31 December each calendar year. |
Statistical data on fraud
3Regulation 109(4) of the Payment Services Regulations requires payment service providers to provide to the FCA statistical data on fraud relating to different means of payment.
3This requirement applies to:
3This statistical data on fraud must be submitted to the FCA by electronic means made available by the FCA using the format of the return set out in SUP 16 Annex 27ED. Guidance notes for the completion of the return are set out in SUP 16 Annex 27FG.
3The return set out in SUP 16 Annex 27ED must be provided to the FCA at least once per year. The first return should cover the period beginning on 13 January 2018 and ending on 31 December 2018 and should be submitted by 31 January 2019. Subsequent returns should cover consecutive reporting periods of one year beginning on 1 January and ending on 31 December each year and should be submitted within 1 month of the end of the reporting period.
Operational and Security Risk assessments
4Regulation 98(1) of the Payment Services Regulations provides that each payment service provider must establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks relating to the payment services it provides.
4Regulation 98(2) of the Payment Services Regulations provides that each payment service provider must provide to the FCA an updated and comprehensive assessment:
- (1)
of the operational and security risks relating to the payment services it provides; and
- (2)
on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks.
The purpose of SUP 16.13.11G to 16.13.17G is to direct the form and manner of the assessment and the information that the assessment must contain.
4The EBA issued Guidelines on 12 December 2017 on the security measures for operational and security risks of payment services under the Payment Services Directive. The Guidelines specify requirements for the establishment, implementation and monitoring of the security measures that payment service providers must take to manage operational and security risks relating to the payment services they provide.
4Payment service providers must comply with the EBA’s Guidelines on security measures for operational and security risks of payment services as issued on 12 December 2017 where they are addressed to payment service providers.
4The assessments required by regulation 98(2) of the Payment Services Regulations must be submitted to the FCA:
- (1)
at least once every calendar year;
- (2)
in writing, in the form specified in SUP 16 Annex 27GD, and attaching the documents described in that form; and
- (3)
by electronic means made available by the FCA.
4Payment service providers should submit the form and the assessments to the FCA in accordance with SUP 16.13.13D(2) as soon as practicable after the assessments have been completed.
4Payment service providers may provide operational and security risk assessments to the FCA on a more frequent basis than once every calendar year if they so wish. Payment service providers should not, however, submit such assessments more frequently than once every quarter.
4Subject to the requirements in SUP 16.13.13D, payment service providers should submit a nil return for each quarter in which they do not make a submission to the FCA.
4Payment service providers should note that article 16(3) of Regulation (EU) No. 1093/2010 also requires them to make every effort to comply with the EBA’s Guidelines on security measures for operational and security risks of payment services.