Copyright © 2019 Deloitte Central Europe. All rights reserved.
Contents
PSD2 Audits
What are they about?
Audit's form
What will our delivery look like?
Our approach
How do we conduct the audit?
Why Deloitte?
PSD2 Audits
What are they about?
The Directive on payment services in the internal market ("PSD2"), published in the Official Journal of the European Union on 23 December 2015, entered into force on 12 January 2016 and repealed the first Payment Services Directive. It aims to bring about significant improvements in customer protection, security and the transparency of payments.

Deloitte provides 3 types of audit which are independent of each other:

Audit of security measures
The security measures corresponding to the new obligations listed in Article 1 of the RTS must be audited by each PSP on a yearly basis.

The delivery of this obligatory audit will have the form of a gap analysis which will cover and fulfil the following:

The delivery of this obligatory audit will be performed by qualified external auditors, and the prescribed international standards on auditing may be used, specifically the following:
Audit’s form
What will our delivery look like?
The form of our delivery will depend on the type of audit that you wish us to perform. The execution of the individual audits is mutually independent, and a pre-audit can precede any of them.
Performance of audits - timeframe
When exactly are the audits going to be performed?
Audit reporting should be available to competent authorities upon their request.

TRA audit
• during the first year of making use of the TRA exemption, by an independent and qualified external auditor
• on a yearly basis, by auditors with expertise in IT security and payments
• every 3 years, by an independent and qualified external auditor

Pre-audit
A pre-audit can be prepared before any of the official audits.
What are we auditing?

Security measures for the application of SCA
• Two independent elements (knowledge, possession, inherence)
• Check independence of the elements
• Communication of incorrect elements when authentication failed
• Blocking rules (temporarily/permanently block user's actions)

Exemptions from SCA
• Review of meeting requirements for the exemptions to SCA (check of a sample of transactions)
• How counters for SCA application work

Confidentiality and integrity of the payment service users' personalised security credentials
• Mask personalised security credentials
• Storage of client credentials
• Review creation and transmission of credentials
• Review association with the payment service user
• Review delivery of credentials and authentication devices
• Review renewal of credentials

Common and secure open standards of communication
• Requirements of a dedicated interface (API) - review of solution

• Clear classification of transaction fraud types
• Related processes and methodologies

• Transactions initiated via ATM, call centre, post office, bank branch, email, face-to-face POS, or transactions initiated personally with a banker
Pre-audit
What is the scope and purpose of a pre-audit?
Do you want to know whether you are fully compliant with the PSD2 / RTS regulation before the official audits?
Deloitte offers checks of compliance with regulatory requirements before the official audits. The pre-audit:
• serves as a foundation for the rectification of all insufficiencies found before the audits are officially performed;
• provides a detailed report on what the official audits focus on.
Our approach
• Questionnaire to identify the scope of the audit
• Providing answers to the Deloitte PSD2 Scan questions on the PSD2 RTS security

• Fixed price determination
• Price depends on:
  - number of channels through which clients perform remote transactions
  - number of exemptions from SCA that are applied

• A compliance audit requires different approaches:
  - review of the provided documentation
  - source code verification
• In some cases one of the approaches will be used; other cases require a combination
• Providing documentation, source code and development support, enabling testing in production
Why Deloitte?
Deloitte is the number one professional services provider worldwide, structured to deliver excellence.
Revenue (EMEA): $14.5B
Why Deloitte?
What does Deloitte have to offer?
We have been providing comprehensive technological and legal advisory services in the PSD2/RTS area for major Czech companies, international banks, and other companies.
• We know the banking industry and its processes & regulations. You can rely on our unique expertise in the market.
• We bring our industry insights and comprehensive knowledge of the IT/security area and the PSD2/RTS regulation, gained through our delivered projects.
• We have wide experience helping clients implement the requirements introduced by the PSD2 and RTS SCA legislation to ensure full compliance.
• We have a well-educated and experienced team in PSD2/RTS analyses.
• We bring our previous experience with audit policies and procedures to prove compliance with PSD2 and EBA guidelines.
PSD2 Audits Team Contacts

This publication contains general information only, and none of the member firms of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte Network") is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.

As used in this document, "Deloitte" means Deloitte Consulting LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte USA LLP, Deloitte LLP and their respective subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2019 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited