2025-09-17

Regulations amending Finansinspektionen’s regulations regarding activities of payment service providers

Finansinspektionen has amended its regulations (FFFS 2018:4) to update the operational and security risk management requirements for payment service providers. The revised Chapter 5 mandates that providers implement a tailored framework of documented measures, including risk assessments, continuity planning, and user guidance, while explicitly excluding ICT risks covered by the EU Digital Operational Resilience Act. Additionally, the amendments restructure Chapter 6 to clarify reporting timelines for fee applications and establish procedures for ongoing information submission and potential exemptions.


Sweden

Finansinspektionen


Finansinspektionen’s Regulatory Code
Publisher: Acting Chief Legal Counsel Sophie Degenne, Finansinspektionen, Sweden, www.fi.se
ISSN 1102-7460

This translation is furnished solely for information purposes. Only the printed version of the regulation in Swedish applies for the application of the law.

FFFS 2024:31
Published on 27 December 2024

Regulations amending Finansinspektionen’s regulations (FFFS 2018:4) regarding activities of payment service providers;
decided on 18 December 2024.

Finansinspektionen prescribes pursuant to section 5, points 13, 14 and 16 of the Payment Services Ordinance (2010:1008) with regard to Finansinspektionen’s regulations (FFFS 2018:4) regarding activities of payment service providers

in part that Chapter 6, sections 4 and 5 shall be repealed,
in part that the heading immediately preceding Chapter 6, section 4 shall be removed,
in part that current Chapter 6, sections 6–9 shall be designated Chapter 6, sections 4–7,
in part that Chapter 5, section 1 and Chapter 6, sections 5–7 shall have the following wording, and
in part that the headings immediately preceding Chapter 6, sections 6 and 9 shall be placed immediately preceding the new Chapter 6, sections 4 and 7, respectively.

Chapter 5

Section 1

The system that a payment service provider shall have pursuant to Chapter 5b, section 1 of the Payment Services Act (2010:751) shall be tailored to the provider’s operations and consist of a framework of documented measures that manage or reduce the risk of operational or security incidents occurring. Within the scope of this system, the provider shall, as a minimum

  1. define and allocate the accountability functions that the provider deems necessary in order to implement the security measures,
  2. establish processes, procedures and systems for identifying, measuring, monitoring and managing the risks associated with the provider’s payment services business,
  3. conduct a risk assessment of the payment services and draw up a description of the security measures that will protect payment service users from the risks that have been identified, including fraud and illegal use of sensitive data and personal data,
  4. have an internal level-based model for managing and controlling risks in the payment service business,
  5. draw up a description of how the provider ensures that the operational risks and security risks are managed when it outsources some aspect of the payment services business to another party,
  6. establish a risk appetite for the payment service business and take stock of, classify and risk assess business functions, processes and assets that are deemed to be critical to operations,
  7. draw up security measures that manage physical security and access control,
  8. ensure that the operations are monitored in order to identify unplanned events that lead to operational or security-related incidents and manage, follow up and report these incidents,
  9. draw up a plan for continuity management that encompasses a description of how operations are to be maintained in various scenarios and how the provider is to communicate in the event of an emergency, test the continuity plans annually, and update them when necessary,
  10. draw up and regularly test inspection procedures that ensure security measures are up to date and effective,
  11. draw up a threat analysis for the payment service business and regularly train staff in how they are to use contingency plans, continuity plans and recovery plans, and
  12. draw up and, when necessary, implement processes and procedures for guiding and informing payment service users about the security risks and error messages that are related to the payment services provided and payment service users’ opportunities to deactivate specific payment functions.

The first paragraph does not apply to the management of ICT risks pursuant to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.

Chapter 6

Section 5

The information pursuant to section 4 shall be reported on an ongoing basis via Finansinspektionen’s online reporting tool in accordance with the instructions provided there.

Section 6

The information pursuant to section 4 shall be submitted to Finansinspektionen no later than the same business day the payment service provider begins to apply the fee.

Section 7

Finansinspektionen may decide on exemptions from the provisions set out in sections 1, 2 and 4 if special grounds exist.

These regulations shall enter into force on 17 January 2025.

DANIEL BARR

Agneta Blomquist