Germany’s Federal Financial Supervisory Authority (BaFin) has released a second consultation for payments and e-money, this time looking at operational and security-relevant risks.
This autumn, BaFin has released two consultations targeting the payments industry in quick succession.
However, rather than introducing new rules and regulations for the industry, BaFin’s work appears to be helping the payments industry with their compliance requirements.
Payment and e-money operators in the country now have until November 23, 2023 to respond to this consultation document.
Payment service providers (PSPs) that are supervised by BaFin must once a year carry out a comprehensive assessment of their operational and security-related risks in connection with the payment services they provide.
These firms must also look at the appropriateness of the risk reduction measures and control mechanisms that they have established to control these risks.
These issues are accounted for in the new consultation, as BaFin looks to streamline compliance procedures.
“This is helping to simplify the process,” Johannes Wirtz, partner at Bird & Bird, told Vixio.
“There is an obligation to report on operational and security risks in PSD2. Now, this is formalised into a template form rather than starting with a blank page,” he said.
BaFin said as much itself. In a letter attached to the consultation, Raimund Röseler, the regulator’s banking supervision chief, said that “it is intended to help payment service providers to submit a report that corresponds to BaFin’s expectations”.
“The new consultation is not as large as the previous one,” said Wirtz. “The proposed circular is very short and has an annex on a suggested form.”
Wirtz said that this is good to have for PSPs. “They can just fill in a form rather than creating the document for themselves.”
What’s next from BaFin?
A BaFin spokesperson told Vixio that there are no more consultations coming up in the near future.
“Payment services and payment security are topics that BaFin has been focusing on for a long time,” the spokesperson said.
“With PSD2 and the associated regulations, there has been an even stronger supervisory focus on these topics since 2018.”
The spokesperson said that “existing obligations are to be concretised” and that this is “as a relief for affected payment service providers”.
BaFin’s previously released, longer consultation document also focused on risk management for PSPs.
This included counterparty default risks (such as settlement and chargebacks), market price risks such as FX, and business model risks.
In addition, BaFin has referenced environmental, social and governance (ESG) risks.