
PSD2 Audits

Offering
Copyright © 2019 Deloitte Central Europe. All rights reserved.
Contents

PSD2 Audits – What are they about?
Audit’s form – What will our delivery look like?
Performance of audits (timeframe) – When exactly are the audits going to be performed?
What are we auditing? – What is the scope of the audits?
Our approach – How do we conduct the audit?
Why Deloitte?

PSD2 Audits
What are they about?

The Directive on payment services in the internal market („PSD2“), which was published in the Official Journal of the European Union on 23 December 2015, entered into force on 13 January 2016 and repealed the first directive on payment services in the internal market, aims to bring about significant improvement in relation to customer protection, security, as well as transparency of payments.

As a result, there are new obligations to be followed by each individual payment service provider („PSP“). Among those, as stipulated by the Commission Delegated Regulation 2018/389 concerning strong customer authentication and common and secure open standards of communication („RTS“), are audits of the specific security measures implemented as well as of the methodology, model and reported fraud rates, if the PSP chooses to apply the transaction risk analysis („TRA“) as an exemption to the strong customer authentication („SCA“).

The performance of these audits might be optionally preceded by pre-audits to make sure that the PSP remedies all identified gaps before the two mandatory audits are conducted.

Deloitte provides 3 types of audit which are independent of each other:

Audit of security measures
The security measures corresponding to the new obligations listed in Article 1 of the RTS must be audited by each PSP on a yearly basis.

TRA audit
TRA as an exemption to the SCA might be applied by a PSP on a voluntary basis. Should the PSP decide to apply the exemption, the minimum yearly audit of the methodology, model and reported fraud rates must be conducted.

Pre-audit
Deloitte offers its clients the option of performing preliminary audits covering both the adoption of security measures and the methodology, model and reported fraud rates relating to the TRA exemption. Despite being fully optional and voluntary, these audits serve as a useful preparation for the legally required audits.

Audit’s form
What will our delivery look like?
The form of our delivery will depend on the type of audit that you wish us to perform. The execution of individual audits is mutually independent.

Security measures audit
The delivery of this obligatory audit will have the form of a gap analysis which will cover and fulfil the following:
• High level description of the as-is status of compliance
• Red-flag evaluation of compliance per individual applicable obligation stemming from the RTS, guidelines, or interpretations of the Czech National Bank or the European Banking Authority
• Overall evaluation of compliance per individual area

TRA audit (if the TRA exemption is applied)
The delivery of this obligatory audit will be performed by qualified external auditors and the prescribed international standards on auditing may be used, specifically the following:
• ISAE 3000 standard
• Appendix containing a detailed description of the insufficiencies found

Pre-audit
Pre-audit may precede both statutory audits. The delivery of this fully optional audit will have the form of a gap analysis which will cover and fulfil the following:
• High level description of the as-is status of compliance
• Red-flag evaluation of compliance per individual applicable obligation stemming from the RTS, guidelines, or interpretations of the Czech National Bank or the European Banking Authority
• Recommendations of how to achieve compliance should any insufficiencies be found

Performance of audits – timeframe
When exactly are the audits going to be performed?
Audit reporting should be available to the competent authorities upon their request.

[Timeline: 2020 – 2021 – 2022 – 2023]

TRA audit
• During the first year of making use of the TRA exemption: by an independent and qualified external auditor
• Thereafter on a yearly basis: by auditors with expertise in IT security and payments
• Every 3 years: by an independent and qualified external auditor

Audit of security measures
• First year and thereafter annually: by auditors with expertise in IT security and payments

Pre-audit
• Pre-audit can be prepared before any of the official audits

What are we auditing?

Audit of security measures
What is the scope of the security measures audit?
This audit shall present an evaluation and report on the compliance of the payment service provider's security measures with the requirements described in Article 1 of the RTS.

Security measures for the application of SCA
• Two independent elements (knowledge, possession, inherence)
• Check independence of the elements
• Communication of incorrect elements when authentication failed
• Blocking rules (temporarily/permanently block user's actions)
• Maximum time of active session
• Dynamic linking

Exemptions from SCA
• Review of meeting the requirements for the exemptions to SCA (check of a sample of transactions)
• How counters for SCA application work

Confidentiality and integrity of the payment service users' personalised security credentials
• Mask personalised security credentials
• Storage of client credentials
• Review creation and transmission of credentials
• Review association with the payment service user
• Review delivery of credentials and authentication devices
• Review renewal of credentials
• Review destruction, deactivation, and revocation of credentials
• Definition of security credentials (password, OTP, access token, refresh token, client secret, client ID, redirect URI, API key, code)

Common and secure open standards of communication
• Requirements of a dedicated interface (API) – review of solution

TRA audit
What is the scope of the TRA audit?
Banks that have applied the strong customer authentication exemption called TRA must perform an internal and external audit of the methodology, model, and reported fraud rates.

Calculation methodology
• Review the method of data gathering (involved systems such as DWH, CRM, reports; steadiness and timing of data collection)
• Day of starting fraud rate calculation
• Review the quality and completeness of the data collected:
  – each transaction must have a special attribute clearly indicating the initiation channel
  – each transaction must have an attribute clearly indicating whether or not the attempt was unauthorised (e.g. due to processing error)
  – clear classification of transaction fraud types
• Related processes and methodologies

Calculation model
• Review of the fraud rates calculation formula
• Transactions included in the fraud rate calculation:
  – two-leg remotely initiated electronic card-based transactions
  – remotely initiated credit transfers, i.e. electronic payments from one bank account to another based on an instruction given by the payer
  – unauthorised and fraudulent transactions
• Transactions excluded from the fraud rate calculation:
  – friendly fraud transactions
  – transactions initiated via ATM, call centre, post office, bank branch, email, face-to-face POS, or transactions initiated personally with a banker

Fraud rates
• Calculation process review
• Fraud rates result calculation review
• Fraud rate documentation check for both transaction types: remote electronic card-based payments and remote electronic credit transfers
• Reference fraud rate must be calculated every quarter
• Monitoring of fraud rate results in the last two consecutive quarters, which mustn't exceed the reference fraud rate applicable for the relevant types of payment
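
As an added illustration (not part of the brochure), the Python below applies the inclusion and exclusion rules listed under Calculation model, computes a quarterly fraud rate per transaction type, and checks the two-consecutive-quarters condition from the Fraud rates column. The reference fraud rates per exemption threshold value are taken from the Annex of Regulation 2018/389 rather than from this page; the transaction attributes, channel labels and sample data are constructed assumptions.

```python
from dataclasses import dataclass

# Reference fraud rates (%) per exemption threshold value (ETV, EUR) as published in the
# Annex of Regulation 2018/389; they are not stated on this page, so verify before relying on them.
REFERENCE_FRAUD_RATE = {
    "remote_card": {100: 0.13, 250: 0.06, 500: 0.01},
    "remote_credit_transfer": {100: 0.015, 250: 0.01, 500: 0.005},
}
# Initiation channels the brochure lists as excluded from the calculation (labels are assumed).
EXCLUDED_CHANNELS = {"atm", "call_centre", "post_office", "branch", "email", "pos", "banker"}

@dataclass(frozen=True)
class Txn:
    channel: str                  # initiation-channel attribute every transaction must carry
    txn_type: str                 # "remote_card" or "remote_credit_transfer"
    amount_eur: float
    fraudulent: bool              # unauthorised or fraudulent transaction
    friendly_fraud: bool = False  # friendly fraud is excluded from the rate

def in_scope(t: Txn, txn_type: str) -> bool:
    return t.txn_type == txn_type and not t.friendly_fraud and t.channel.lower() not in EXCLUDED_CHANNELS

def quarterly_fraud_rate(txns, txn_type: str) -> float:
    """Fraud rate (%) for one quarter: value of unauthorised/fraudulent remote transactions
    divided by the value of all remote transactions of the same type."""
    scoped = [t for t in txns if in_scope(t, txn_type)]
    total = sum(t.amount_eur for t in scoped)
    fraud = sum(t.amount_eur for t in scoped if t.fraudulent)
    return 100.0 * fraud / total if total else 0.0

def highest_eligible_etv(quarterly_rates, txn_type: str):
    """Largest ETV whose reference rate was not exceeded in the last two consecutive
    quarters; None when the PSP may not apply the TRA exemption for that type."""
    if len(quarterly_rates) < 2:
        return None
    last_two = quarterly_rates[-2:]
    ok = [etv for etv, ref in REFERENCE_FRAUD_RATE[txn_type].items() if all(r <= ref for r in last_two)]
    return max(ok) if ok else None

# Constructed sample quarter (not real data).
SAMPLE_QUARTER = [
    Txn("web", "remote_card", 999_500, False),
    Txn("web", "remote_card", 500, True),                          # counted as fraud
    Txn("web", "remote_card", 2_000, True, friendly_fraud=True),   # excluded: friendly fraud
    Txn("atm", "remote_card", 10_000, True),                       # excluded: ATM-initiated
    Txn("web", "remote_credit_transfer", 199_980, False),
    Txn("app", "remote_credit_transfer", 20, True),
]
```

On the sample quarter the card-based rate is 0.05 % and the credit-transfer rate 0.01 %, so if the previous quarter looked the same the PSP could apply the exemption up to the EUR 250 threshold for both types, but not up to EUR 500.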

Pre-audit
What is the scope and purpose of a pre-audit?
Do you want to know if you are fully compliant with the PSD2 / RTS regulation before the official audits?

Deloitte offers checks of compliance with regulatory requirements before the official audits. These checks:
• Serve as a foundation for the potential rectification of all insufficiencies found before the audits are officially conducted.
• Provide a commentary on the assessment, including reasoning and recommendations as to what steps should be taken to achieve full compliance.
• Provide a detailed report on what the official audits are focused on.

Our approach
How do we conduct the audit?
The audits are based on the materials provided by the client. Deloitte requires client cooperation.

Deloitte PSD2 Scan
• Questionnaire to identify the scope of the audit
• Total required time for the audit is 3 to 9 weeks, according to the scope of the audit

Price determination
• Fixed price determination
• Price depends on:
  – Number of channels through which clients perform remote transactions
  – Number of security methods
  – Number of exemptions from SCA that are applied

Audit of PSD2/RTS requirements
• Compliance audit requires a different approach:
  – Review of the provided documentation
  – Source code verification
  – Testing in production
• In some cases one of the approaches will be used, other cases require a combination

Your involvement
• Providing answers to the Deloitte PSD2 Scan questions on the PSD2 RTS security
• Providing documentation, source codes, and development, enabling testing in production

Why Deloitte?
Deloitte profile
We are recognised as the global leader in professional services, providing best-in-class services in the field of strategy, operations and technology consulting.

Deloitte is the number one professional services provider worldwide, structured to deliver excellence across a broad range of industries and areas. Over 280,000 people in more than 150 countries throughout the world have collaborated since 1845 to provide audit & assurance, consulting, financial advisory, risk advisory, tax, and legal services to selected clients.

Revenue in US$ (2018): $43.2B in total; EMEA $14.5B; Americas $22.1B; Asia Pacific $6.6B
Total headcount: 286,200
New hires: 77,390

• Serve our clients with quality and distinction
• Inspire our people to deliver value
• Contribute to society
• Lead the profession

Deloitte is named a global leader in Finance Operations and Innovation Consulting based on breadth and depth of capabilities.
Source: ALM Intelligence; Innovation Strategy Consulting 2018; ALM Intelligence estimates © 2018 ALM Media Properties, LLC. Reproduced under license.

Why Deloitte?
What does Deloitte have to offer?
We have been providing comprehensive technological and legal advisory services in the PSD2/RTS area for major Czech companies, international banks, and other companies.

• We know the banking industry and know the processes & regulations. You can rely on our unique expertise in the market.
• We bring our industry insights and comprehensive knowledge of the IT/security area and the PSD2/RTS regulation, gained through our delivered projects.
• We have wide experience helping clients in implementing the requirements introduced by the PSD2 and RTS SCA legislation to ensure full compliance.
• We have a well educated and experienced team in PSD2/RTS audit analyses.
• We bring our previous experience with policies and procedures to prove compliance with PSD2 and EBA guidelines.

PSD2 Audits Team Contacts

Radek Musílek
Senior Managing Associate | FSI
Ambruz & Dark Deloitte Legal s.r.o.
rmusilek@deloittece.com

Tomáš Huml
Senior Manager | FSI Technology
Deloitte Advisory s.r.o.
thuml@deloittece.com

This publication contains general information only, and none of the member firms of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.

As used in this document, “Deloitte” means Deloitte Consulting LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte USA LLP, Deloitte LLP and their respective subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2019 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited