The Risk and Monitoring review phase encompasses several critical components managed by specialized teams. Program limits approval and pricing processes are jointly handled by Risk and Finance teams within a seven-day timeframe. Project Management teams facilitate initial communication using standardized Risk and Compliance email templates, while partners must provide comprehensive velocity limits for Risk officer review and approval. These requirements are systematically documented in the designated Fees and Limits setup repository for new client onboarding review. When fees cannot be configured within the Thredd system, Finance teams coordinate external billing service arrangements to ensure proper implementation.
For Paynetics UK (PUK) operations specifically, Consumer Duty assessments are managed by PUK Compliance teams over seven to fourteen days. Project Management initiates this process by opening email threads with UK Compliance teams to trigger comprehensive Consumer Duty evaluations, requiring partners to complete detailed assessment forms through the designated Consumer Duty platform.
Strong Customer Authentication (SCA) audit reviews are conducted by Risk officers within seven days, with Legal and Underwriting teams copied for comprehensive oversight. This collaborative review process covers both PUK and PAD operations, ensuring thorough evaluation of authentication protocols. Upon completion of SCA audit reviews, Legal teams utilize the findings to inform agent agreement drafting, maintaining consistency between risk assessments and contractual obligations.
This comprehensive process ensures thorough evaluation, risk assessment, and proper integration of new partners while maintaining regulatory compliance and operational efficiency across all Paynetics departments.
What is the PCI DSS/SAQ?
PCI DSS compliance is a requirement for any business that stores, processes, or transmits cardholder data. If you intend to expose any card details (PAN, CVV, etc.) to the cardholder via API, you must either be PCI DSS Level 1 certified or complete an SAQ (Self-Assessment Questionnaire), the latter when you integrate with the Paynetics SDK for secure display of card details.
PCI DSS Level 1 - a ROC (Report on Compliance) is required. The partner can show card details securely itself.
PCI DSS Level 2, 3 or 4 - an SAQ is required. The partner needs to integrate with the Paynetics SDK for its app/web platform. This is also an indication that additional pricing for the SDK is to be included in the offer.
PCI DSS is not required if the partner does not want to show card details in its app/web platform.
*Card details - PAN, CVV and Expiration date.
What is the PEN test?
A PEN (penetration) test is performed to evaluate the security of a system. It is performed on the client-facing platform to ensure there are no vulnerabilities that may expose Paynetics or our partners to risk. The main goal is to identify weaknesses, including the potential for unauthorized parties to gain access to the system's features and data. A PEN test needs to be performed regularly, at a frequency depending on the project scope; in most scenarios it is annual.
What is a SCA audit?
(Short answer) The SCA (Strong Customer Authentication) requirement ensures that electronic payments are performed with multi-factor authentication, to increase the security of electronic payments. An SCA audit needs to be performed regularly, at a frequency depending on the project scope; in most scenarios it is annual.
(Long answer) The security audit is based on Delegated Regulation (EU) 2018/389, supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication. The audit will assess the Partner's compliance with the relevant security measures in accordance with the requirements set out in Delegated Regulation (EU) 2018/389, and in particular: the applicable security measures for the application of Strong Customer Authentication (Articles 4-9 of the Regulation), the admissible exemptions (Articles 10-21 of the Regulation), and the protection of the confidentiality and integrity of the payment service users' personalised security credentials (Articles 22-27 of the Regulation).
When does an SCA audit need to be performed?
SCA is required in the authentication process when the Partner provides the following services to its customers:
Access to payment accounts via internet/mobile banking
Electronic payments via internet/mobile banking
Other remote activities such as internet/mobile banking registration, mobile app activation, password reset, trusted beneficiaries registration, etc.
*Paynetics can provide a scope of what an SCA audit should contain.
Does Paynetics offer to conduct PEN, SAQ, and SCA audits?
No, because Paynetics is not a QSA (Qualified Security Assessor). Approved QSAs are listed on the PCI Security Standards Council website. Paynetics may, however, offer to introduce you to a trusted partner of ours for running the audits. The benefits for you are lower cost and a very quick response on scoping and testing, owing to our long-term partnership with the compliance auditing company.
In addition, in order to do that, Paynetics needs your written confirmation that your company agrees to Paynetics being copied on the correspondence with the compliance auditing company.
Paynetics Marketing Information, Product and Promotions requirements
Why is this important?
Generally, these are the materials a partner will use to promote the offered service, such as ads, brochures, newspapers, blogs, social networking sites, etc. Paynetics, as the license holder, remains responsible for all customer-facing content.
Paynetics must ensure that all our end clients are treated fairly and that the information communicated to them with regard to the Paynetics services and products is clear, fair and not misleading.
As we are a B2B organization, our Representatives and Partners produce marketing and promotional material to be shared with Paynetics' end clients, but as the regulated entity, Paynetics remains responsible for all client-facing content that relates to the Paynetics services and/or products offered through the Representative/Partner.
Therefore, we have introduced rules and requirements that must be adhered to by all of Paynetics' Representatives (incl. Programme Managers, BNB Agents, Distributors) as well as any other partner (e.g. Technical Providers) or third party that may produce any marketing/promotional material and/or product/services information in relation to services and products offered by Paynetics to end clients. Hence we need to carry out checks and may make recommendations or require changes based on our findings.
What communication/information is in scope?
Essentially, any material about Paynetics as a firm and the services/products it offers which is made available to end clients is covered by the Marketing Information, Product and Promotions Requirements.
Some examples include, but are not limited to:
Product brochures
Newspaper and magazine advertising
Google AdWords
Terms and Conditions (with a particular focus on Summary Boxes)
Press Releases
Mailshots and Card Carriers
Website content, website links, RSS feeds and blogs
Digital marketing campaigns
Social networking sites such as Facebook and Twitter
Smartphone applications
Group Presentation aides
Sales aides
Telemarketing material
What is required?
Paynetics and all our Partners and Representatives must ensure that:
due regard is paid to the information needs of our end clients and
information is communicated to our end clients in a way which is clear, fair, and not misleading with respect to the activities of Paynetics as an EMI (Electronic Money Institution)
the information itself is also complete, accurate and not misleading
in good time before Paynetics issues e-money to an end client, it has been communicated to that end client on paper or in another durable medium that the compensation scheme does not cover claims made in connection with issuing electronic money
in good time each end client is made aware of:
Who the payment service provider is (i.e. Paynetics) and the fact that the Representative is acting on the Company's behalf
The Terms and Conditions applicable to the specific end client (as agreed with Paynetics)
Any applicable fees and charges
The main characteristics of the service/ product offered
How does this work in practice?
Paynetics must approve all marketing/promotional material and/or product/services information prepared for end clients that relates to regulated products/ services offered by the Representative on behalf of Paynetics.
This approval must be obtained by the Representative prior to making the relevant marketing/promotional materials and/or product/services information available to the public. This also includes:
marketing/promotional materials and/or product/services information that are not specifically targeted at end clients (e.g. B2B promotions), but refer to products/services offered by the Representative/Partner on behalf of Paynetics
changes to marketing/promotional materials and/or product/services information already approved by Paynetics (regardless of whether they have yet been made available to the public or not)
Non-approved marketing/promotional materials and/or product/services information may not be made available to the public.
Paynetics aims to review the materials within 5 business days, and feedback will be provided to the Representative/Partner (incl. requests for amendments, changes, etc.).
You are encouraged to discuss all planned changes with your Account Manager in advance and to submit any planned changes/communications/materials through them (or directly to Compliance@Paynetics Digital).
How to ensure compliance? Guiding principles
When Partners/Representatives provide marketing/ promotional material and/or product/service information to end clients, we expect the following high level principles to be adhered to:
Promotions must be presented in a way that allows the target audience to understand the product
End clients must be given the information they require to make informed decisions and information should be clear, concise, consistent and consumer friendly
The intended purpose and key features of any promoted product should be explained and include all associated charges and fees
A communication or any marketing material may not describe a feature of a product or service as "guaranteed", "protected" or "secure", or use a similar term, unless the information may be regarded as fair, clear and not misleading.
Our Partner/Representative must ensure that each material made available to an end client:
(1) includes the name of the Representative and Paynetics as appropriate to be clear who provides the service/product
The name of the firm or other provider may be a trading name or a shortened version of the legal name of the firm, provided the target audience (i.e. targeted clients) can identify the Representative and Paynetics
(2) is accurate and, in particular, does not emphasise any potential benefits without also giving a fair and prominent indication of any relevant risks
(3) is sufficient for, and presented in a way that is likely to be understood by, the average member of the group to whom it is directed or by whom it is likely to be received and
(4) does not disguise, diminish or obscure important information, statements or warnings.
Any information about exchange rates must be provided to Paynetics for pre-approval, even when a Representative does not consider it to constitute marketing/promotional material. This further includes information that gives the impression that a specific rate is (or is not) available to clients, information about conversion rate charges, etc.
A false or misleading impression about the product must not be created, such as stating or implying that Paynetics is providing a service which it is not authorised to provide, for example:
Referring to Paynetics or any of its services/products using the term "bank" (incl. "neobank", "bank-like", "bank account", "bank transfer", etc.)
Referring to savings/deposit accounts (Paynetics does not offer such accounts)
Referring to overdrafts
Proposing/implying that Paynetics products and services may be used not in line with the approved business model and applicable T&Cs