97. A payment service provider must not access, process or retain any personal data for the provision of payment services by it, unless it has the explicit consent of the payment service user to do so.
98.—(1) Each payment service provider must establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks, relating to the payment services it provides. As part of that framework, the payment service provider must establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents.
(2) Each payment service provider must provide to the FCA an updated and comprehensive assessment of the operational and security risks relating to the payment services it provides and on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks.
(3) Such assessment must—
(a)be provided on an annual basis, or at such shorter intervals as the FCA may direct; and
(b)be provided in such form and manner, and contain such information, as the FCA may direct.
99.—(1) If a payment service provider becomes aware of a major operational or security incident, the payment service provider must, without undue delay, notify the FCA.
(2) A notification under paragraph (1) must be in such form and manner, and contain such information, as the FCA may direct.
(3) If the incident has or may have an impact on the financial interests of its payment service users, the payment service provider must, without undue delay, inform its payment service users of the incident and of all measures that they can take to mitigate the adverse effects of the incident.
(4) Upon receipt of the notification referred to in paragraph (1), the FCA [F1must notify any other relevant authorities in the United Kingdom].
F2(5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
F1Words in reg. 99(4) substituted (31.12.2020) by The Electronic Money, Payment Services and Payment Systems (Amendment and Transitional Provisions) (EU Exit) Regulations 2018 (S.I. 2018/1201), reg. 1(3), Sch. 2 para. 47(2) (with reg. 4, Sch. 3 Pt. 2) (as amended by S.I. 2020/56, regs. 1, 8); 2020 c. 1, Sch. 5 para. 1(1)
F2Reg. 99(5) omitted (31.12.2020) by virtue of The Electronic Money, Payment Services and Payment Systems (Amendment and Transitional Provisions) (EU Exit) Regulations 2018 (S.I. 2018/1201), reg. 1(3), Sch. 2 para. 47(3) (with reg. 4, Sch. 3 Pt. 2) (as amended by S.I. 2020/56, regs. 1, 8); 2020 c. 1, Sch. 5 para. 1(1)
100.—(1) A payment service provider must apply strong customer authentication where a payment service user—
(a)accesses its payment account online, whether directly or through an account information service provider;
(b)initiates an electronic payment transaction; or
(c)carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
(2) Where a payer initiates an electronic remote payment transaction directly or through a payment initiation service provider, the payment service provider must apply strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific payee.
(3) A payment service provider must maintain adequate security measures to protect the confidentiality and integrity of payment service users' personalised security credentials.
(4) An account servicing payment service provider must allow a payment initiation service provider or account information service provider to rely on the authentication procedures provided by the account servicing payment service provider to a payment service user in accordance with the preceding paragraphs of this regulation.
(5) Paragraphs (1), (2) and (3) are subject to any exemptions from the requirements in those paragraphs provided for in [F3technical standards made under regulation 106A].
Textual Amendments
F3Words in reg. 100(5) substituted (31.12.2020) by The Electronic Money, Payment Services and Payment Systems (Amendment and Transitional Provisions) (EU Exit) Regulations 2018 (S.I. 2018/1201), reg. 1(3), Sch. 2 para. 48 (with reg. 4, Sch. 3 Pt. 2) (as amended by S.I. 2020/56, regs. 1, 8); 2020 c. 1, Sch. 5 para. 1(1)
101.—(1) This regulation applies in relation to complaints from payment service users who are not eligible within the meaning of section 226(6) of the 2000 Act (the ombudsman scheme – compulsory jurisdiction).
(2) A payment service provider must put in place and apply adequate and effective complaint resolution procedures for the settlement of complaints from payment service users about the rights and obligations arising under Parts 6 and 7.
F4(3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(4) When a payment service provider receives a complaint from a payment service user, the payment service provider must make every possible effort to address all points raised in a reply to the complaint on paper or, if agreed between payment service provider and payment service user, in another durable medium.
(5) Subject to paragraph (6), the reply must be provided to the complainant within an adequate timeframe and at the latest 15 business days after the day on which the payment service provider received the complaint.
(6) In exceptional situations, if a full reply cannot be given in accordance with paragraph (4) for reasons beyond the control of the payment service provider, the payment service provider must send a holding reply, clearly indicating the reasons for the delay in providing a full reply to the complaint and specifying the deadline by which the payment service user will receive a full reply.
(7) The deadline specified under paragraph (6) must not be later than 35 business days after the day on which the payment service provider received the complaint.
(8) The payment service provider must inform the payment service user about the details of one or more providers of dispute resolution services able to deal with disputes concerning the rights and obligations arising under this Part and Part 6 (information requirements for payment services), if the payment service provider uses such services.
(9) The payment service provider must also make available in a clear, comprehensive and easily accessible way—
(a)the information referred to in paragraph (7); and
(b)details of how to access further information about any provider of dispute resolution services referred to in paragraph (8) and the conditions for using such services.
(10) The information to be made available under paragraph (8) must be made available—
(a)on the website of the payment service provider (if any);
(b)at branches of the payment service provider (if any); and
(c)in the general terms and conditions of the contract between the payment service provider and the payment service user.
Textual Amendments
F4Reg. 101(3) omitted (31.12.2020) by virtue of The Electronic Money, Payment Services and Payment Systems (Amendment and Transitional Provisions) (EU Exit) Regulations 2018 (S.I. 2018/1201), reg. 1(3), Sch. 2 para. 49 (with reg. 4, Sch. 3 Pt. 2) (as amended by S.I. 2020/56, regs. 1, 8); 2020 c. 1, Sch. 5 para. 1(1)