(1) Each payment service provider must establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks, relating to the payment services it provides. As part of that framework, the payment service provider must establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents.
(2) Each payment service provider must provide to the FCA an updated and comprehensive assessment of the operational and security risks relating to the payment services it provides and on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks.
(3) Such assessment must -
(a) be provided on an annual basis, or at such shorter intervals as the FCA may direct; and
(b) be provided in such form and manner, and contain such information, as the FCA may direct.