Supervision release 14 February 2018 – 9/2018

Amendment of Regulations and guidelines 8/2014 and 8/2016

The Financial Supervisory Authority (FIN-FSA) amends Regulations and guidelines 8/2014 Management of operational risk in supervised entities of the financial sector and Regulations and guidelines 8/2016 Payment institutions and persons providing payment services without authorisation.

The regulations and guidelines are amended to correspond to amended legislation, and they take into account guidelines issued by the European Banking Authority (EBA). The aim has been to make only those changes to the Regulations and guidelines that are essential in terms of the regulatory framework.

Regulations and guidelines 8/2014, Management of operational risk in supervised entities of the financial sector

The most significant changes to Regulations and guidelines 8/2014 relate to management of payment service providers’ operational and security risks as well as reporting of major payment service incidents. The FIN-FSA recommends that payment service providers comply with the EBA’s Guidelines on the Security Measures for Operational and Security Risks of Payment Services under PSD2 (EBA/GL/2017/17). Payment service providers shall also submit annually to the FIN-FSA a free-form assessment of the operational and security risks of payment services. The first assessment shall be submitted for 2018 by 28 February 2019. Incidents relating to operational and security risks of payment services shall be reported in accordance with the EBA Guidelines (EBA/GL/2017/10), adhering to major incident classifications and reporting deadlines. A reporting form will be available on the FIN-FSA website.

The FIN-FSA will issue guidelines on payment service providers’ regular reporting of cases of fraud after the completion of the relevant EBA Guidelines.

A reference to the EBA’s Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation Process (SREP) (EBA/GL/2017/05) has also been added to Regulations and guidelines 8/2014. The FIN-FSA recommends that supervised entities take the said Guidelines into consideration in the management of their ICT risks. In this respect, we refer to the supervision release (62/2017) published on 20 November 2017.

In addition, Regulations and guidelines 8/2014 have been updated with technical legal changes arising from the Markets in Financial Instruments Directive (MiFID II).

Regulations and guidelines 8/2016, Payment institutions and persons providing payment services without authorisation

In addition to updating legislative amendments as the most significant changes to Regulations and guidelines 8/2016, the FIN-FSA recommends compliance with the EBA’s Guidelines (EBA/GL/2017/08) on professional indemnity insurance or other comparable guarantee for undertakings providing payment initiation services and account information services that fall within the scope of application of the regulations and guidelines. Similarly, the FIN-FSA recommends compliance with the EBA’s Guidelines on Authorisations of Payment Institutions (EBA/GL/2017/09). A new chapter (chapter 9), prescribing the reporting to the FIN-FSA of adequate insurance or comparable guarantee, has been added to Regulations and guidelines 8/2016.

The amended regulations and guidelines will enter into force on 1 March 2018.

For further information, please contact:

  • Erja Pullinen, Risk Specialist, tel. +358 9 183 5358, e-mail erja.pullinen(at)fiva.fi (Regulations and guidelines 8/2014)
  • Heli Mäkitalo, Risk Specialist, tel. +358 9 183 5369, e-mail heli.makitalo(at)fiva.fi (Regulations and guidelines 8/2014)
  • Juha Eerikäinen, Senior Financial Supervisor, tel. +358 9 183 5322, e-mail juha.eerikainen(at)fiva.fi (Regulations and guidelines 8/2016)
  • Henna Toivonen, Senior Financial Supervisor, tel. +358 9 183 5372, e-mail henna.toivonen(at)fiva.fi (Regulations and guidelines 8/2016)
