A regulatory compliance audit is essential for payment service providers (PSPs). Whether you operate a Payment Institution (PI) or an E-money Institution (EMI), the regulations impose substantial requirements. To ensure that your business is conducted in accordance with all of them, you must perform a regulatory compliance audit from time to time. There are two types of compliance audit: external and internal.
In its guidelines, the European Banking Authority emphasised the importance of a regulatory compliance audit being independent and conducted by auditors with the appropriate expertise. By conducting external regulatory compliance audits for financial institutions, PSP Lab assists its clients in following their business plans while enhancing their internal policies and procedures. We can provide you with a review of all policies governing the conduct of your company and remediate any deficiencies while ensuring smooth operations.
Anti-Money Laundering Audit
For each company working in the financial services sector, it is essential to have proper controls and procedures to prevent money laundering and terrorist financing. The importance of an external AML compliance audit cannot be overemphasised, as it sheds impartial light on the conduct of the company. We have dedicated ACAMS-accredited specialists who know the ins and outs of what must be implemented for the successful prevention of financial crime. The external AML compliance audit helps to ensure that your business is following all existing and new AML regulatory requirements. For payment service providers, we can advise on how to improve internal controls to prevent transaction laundering. The review of the AML controls implemented within the company normally comprises:
- A full review of the company’s AML compliance program against EU and local laws and regulations;
- Testing of the company’s AML Policy and Procedures;
- Customer due diligence (CDD) procedure review;
- Transactional testing and evaluation of transaction monitoring to ensure that transaction laundering is prevented;
- Sanctions screening checks;
- Review of the filing of suspicious activity reports;
- Evaluation of AML training;
- Evaluation of automated monitoring systems and management information systems;
- Review of past audit reports and assessment of the efficacy of the recommended changes that were implemented;
- Proposal on the improvement of the current policies and procedures.
IT risk management and data protection audit
FinTech lies at the intersection of innovation in financial services and technology. It comprises new technological advancements in products and services that aim to enhance the provision of financial services by making them safer, faster and more efficient. Cyber risks undermine confidence and represent a threat to the stability and prosperity of any FinTech business. Cybercrime and IT deficiencies are recognised by the European Central Bank (ECB) as one of the most prominent risk drivers. Therefore, it is of paramount importance to ensure that IT risks are properly managed. To be successful, a company should deliver financial services effectively and smoothly, and preserve consumer and market trust and confidence. PSP Lab can help you ensure that your business is cyber resilient by performing an IT risk management audit, which involves, among other things:
- A full review of the company’s IT risk management program’s compliance with the relevant legislation and standards;
- Review of adherence to the company’s current IT security procedures and standards;
- Review of data protection policies and procedures and adherence to their implementation within the company;
- Identification of the potential risks to IT systems and data, and assessment of how the risks are handled;
- Evaluation of processes for handling common tasks;
- Evaluation of how changes and upgrades to IT systems are managed;
- Review of the manner of response to IT or data security incidents (if any);
- Ascertaining acceptable behaviours in relation to key IT issues, such as data protection and safe email use.
Operational and security risk management audit
For all companies engaged in the provision of financial services, it is important to ensure that they operate within a framework that minimises the risks arising from their operations. Each payment service provider (PSP) must ensure that it has established a framework with appropriate mitigation measures and control mechanisms to manage operational and security risks. Risk management is key for any payment service provider to achieve its strategic, corporate, operational and reputational objectives. The operational risk audit carried out by PSP Lab revolves around:
- A full review of the company’s operational risk management program’s compliance with the relevant legislation and standards;
- Review of the detection and reporting of operational or security incidents;
- Review of business continuity management, including scenario-based continuity plans, their testing and crisis communication;
- Testing of security measures aimed at prevention of operational risks;
- Ascertainment of the level of situational awareness and continuous learning;
- Ascertainment of adherence to industry best practice and standards;
- Review of the management of the relationship with payment service users.
Financial risk management audit
The mismanagement of risks can affect the credibility and reputation of any payment service provider, especially where financial risks are concerned. The PSD2 stresses that each company engaged in the provision of payment services must effectively identify, manage, monitor and report any risks to which it might be exposed. PSP Lab can help payment service providers adhere to the rules and procedures by ascertaining their compliance with the risk management measures. We can perform a financial risk management compliance audit by evaluating measures which relate to:
- The internal controls aimed at safeguarding the funds of payment service users;
- Settlement risk mitigation measures and whether all transactions take place as expected;
- Counterparty risk management;
- Liquidity risk, including the measures established to ensure adequate cash flow to meet financial obligations;
- Review of the identified market risks and mitigation measures;
- Review of policies and procedures ensuring minimisation of the foreign exchange risk.
Regulatory reporting audit
Regulated entities are subject to much stricter supervision of their conduct and must report to the regulatory authorities on an ongoing basis. Regulatory reporting is a critical activity for payment service providers and requires a concerted effort from different departments within the company. The PSD2 establishes that payment service providers (PSPs) must report to their competent authorities certain data which may be used for information or statistical purposes. This concerns information related to fraudulent activities, customer complaints, operational risks, the performance of the systems, etc. PSP Lab can assess the company’s regulatory reporting practices and perform a review of:
- The principles and definitions applicable to the collection of data;
- The type of data that is collected, in relation to customers, type of payment service, channel, instrument, jurisdictions and currencies;
- Whether the means of collection, the purpose of collection and the frequency of collection establish a proper framework for carrying out regulatory obligations;
- Whether a company is submitting all of the reports in a timely manner;
- What could be done to streamline the reporting process.
How can PSP Lab help to ensure your compliance?
After our independent review, we will provide our expert opinion specifying any shortcomings found. Additionally, we will create a remediation plan and assist in its implementation. PSP Lab is flexible regarding the type of audit you need. Please do not hesitate to contact us if you need only one type of regulatory audit for your financial institution. PSP Lab will assist you with one or all types of regulatory audit.