10. A statement of the applicant's security policy, including—U.K.
(a)a detailed risk assessment in relation to the payment services to be provided, including risks of fraud and illegal use of sensitive and personal data, and
(b)a description of—
(i)the applicant's security control and mitigation measures to provide adequate protection to users against the risks identified,
(ii)how such measures ensure a high level of technical security and data protection, including such security and protection for the software and IT systems used by the applicant and any undertakings to which the applicant outsources any part of its operations, and
(iii)the applicant's measures to comply with regulation 98(1) (management of operational and security risks), F1....
Textual Amendments
F1Words in Sch. 2 para. 10(b)(iii) omitted (31.12.2020) by virtue of The Electronic Money, Payment Services and Payment Systems (Amendment and Transitional Provisions) (EU Exit) Regulations 2018 (S.I. 2018/1201), reg. 1(3), Sch. 2 para. 70 (with reg. 4, Sch. 3 Pt. 2) (as amended by S.I. 2020/56, regs. 1, 8); 2020 c. 1, Sch. 5 para. 1(1)