Regulatory Alerts2004-11-29
Self-reporting for payment service systems
The Financial Supervisory Authority of Norway requires entities operating payment service systems to submit a self-reporting form to the authority. The document mandates a detailed checklist covering agreements with participating institutions and suppliers, risk assessments for authentication solutions, and the operational readiness of the system. It ensures compliance by verifying security mechanisms, disaster recovery plans, and the clarity of customer rights and responsibilities.
FINANS TILSYNET THE FINANCIAL SUPERVISORY AUTHORITY OF NORWAY
Appendix to Circular 17/2004
Self-reporting for payment service systems
| Entity: | ||||
|---|---|---|---|---|
| Name of the system: | New system? | New version? | Control questions | |
| Yes | No | |||
| Contact person: |
| Participating institutions | |||
|---|---|---|---|
| 1. Have agreements been concluded between participating institutions? | |||
| 2. Do the agreements regulate the rights and obligations of the parties? | |||
| 3. Do the agreements regulate how liability for financial risks is handled? | |||
| 4. Is the connection of user sites regulated? | |||
| Suppliers | |||
| 5. Have agreements been concluded with relevant suppliers? | |||
| 6. Do the agreements regulate the rights and obligations of the parties? | |||
| Users of the service | |||
| 7. Has a risk assessment been performed on solutions¹ used to authenticate customers and to execute payments? | |||
| 8. Has it been tested that customers receive the functionality they have agreed upon? | |||
| 9. Have agreements been made regarding customers' rights, obligations, and financial risk? | |||
| 10. Do the agreements provide the customer with information on how the service works and should be used? | |||
| Regarding the payment service system | |||
| 11. Have descriptions of the security mechanisms² used in customer contact, within the system, and when transferring information to other systems been prepared? | |||
| 12. Does the system contribute to efficient, rational, and coordinated execution of the payment service? | |||
| 13. Do the stress tests correspond to the goals set by the person responsible for the system (cf. ICT Regulation § 6) for efficiency in defined areas? | |||
| 14. Has an end-to-end test been performed with all relevant external actors? | |||
| 15. Has the person responsible for the system approved the test results? | |||
| 16. Does the transition to production start from the last tested version? | |||
| 17. Has a recovery plan been prepared and tested? | |||
| 18. Is the disaster preparedness plan updated with the new configuration simultaneously with the switch to operation? | |||
| 19. Has a risk and vulnerability analysis been conducted for the new solution or the change? |
Any comments:
Date: ____________________ Signature: ____________________
¹ By "solutions" is meant payment cards, numeric codes, or other forms of independent user credentials to be used for authentication and payment. ² By "security mechanism" is meant both electronic security services and the routines surrounding the payment service.