Decree No. 394 / 2024 Coll.
Ordinance amending Decree No. 1 / 2022 Coll., on Applications and Announcements for Activity under the Law on Payment, as amended by Decree No. 151 / 2022 Coll., and Decree No. 7 / 2018 Coll., on certain conditions for the performance of the activity of a payment institution, the administrator of payment account information, the payment service provider of a small scale, the electronic money institution and the electronic money issuer of a small scale, as amended
Valid
Order
Effective from 17.01.2025
Text versions:
17.01.2025
16.12.2024
394
DECLARATION
of 9 December 2024
amending Decree No. 1 / 2022 Coll., on Applications and Announcements for Activity under the Law on Payment, as amended by Decree No. 151 / 2022 Coll., and Decree No. 7 / 2018 Coll., on certain conditions for the performance of the activity of the payment institution, the administrator of the payment account information, the payment service provider of a small scale, the electronic money institution and the electronic money issuer of a small scale, as amended
The Czech National Bank provides pursuant to § 263 of Act No. 370 / 2017 Coll., on payment, as amended by Act No. 129 / 2022 Coll., for the implementation of § 10 (4), § 20 (4), § 43 (3), § 48 (4), § 59 (4), § 60 (3), § 69 (4), § 78 (4), § 100 (4) and § 101 (3) thereof:
Amendment of the Regulation on applications and notifications for activity under the Payment Act
Decree No. 1 / 2022 Coll., on applications and notices for the exercise of activities under the Law on Payment, as amended by Decree No. 151 / 2022 Coll., is amended as follows:
1. At the end of footnote 1, the words "as amended by Directive (EU) 2022 / 2556 of the European Parliament and of the Council 'are added.
2. In Paragraph 2 (g), at the end of point 4, the word "a 'is replaced by a comma.
3. In Article 2 (g), at the end of point 5, comma is replaced by "a 'and the following point 6 is added:
"6. process of data evaluation and reporting of evaluation results within the corporate governance structure,"
4. In Article 2 (h) (4), the words "for the notification of serious security and operational incidents under Article 221 of the Act 'are replaced by" for Article 13 and Chapter III of Regulation (EU) 2022 / 2554 of the European Parliament and of the Council'.
5. in § 2 (i), § 3 (j), § 6 (h), § 8 (j), § 11 (k), § 14 (j) and in Annex 5 (f), the words "ensuring continuity" shall be replaced by "maintaining operation."
6. In Article 2 (i) of the Introductory Part of the provision, the word "containing 'is replaced by" including the identification of critical operations, policies and plans to maintain the operation of information and communication technologies, response and recovery plans in the field of information and communication technologies, a description of the procedures for regular testing and review of those plans under Regulation (EU) 2022 / 2554 of the European Parliament and of the Council,'.
7. In Article 2 (i), points 1 to 6 are deleted.
8. in Sections 3 and 11 (q):
"(q) a description of the risks and their management measures involving:
1. a detailed assessment of the risks related to payment services provided or intended to be provided by the applicant, taking into account the planned technical security of the provision of such payment services, including the risk of fraudulent conduct, and the security and control measures and procedures to mitigate identified risks and to protect electronic money holders or payment service users from such risks;
2. a description of the applicant's risk management system pursuant to Chapter II of Regulation (EU) 2022 / 2554 of the European Parliament and of the Council, including where the applicant intends to entrust the performance of an operational activity to another person; and
3. the internal regulation or regulations by which the applicant will ensure that the safety and control measures and risk mitigation procedures referred to in point 1 are implemented and that the requirements of Chapter II of Regulation (EU) 2022 / 2554 of the European Parliament and of the Council are clearly met; ';
9. in Article 6 (k):
"(k) a description of the risks and their management measures involving:
1. a detailed assessment of the risks related to payment services provided or intended to be provided by the applicant, taking into account the planned technical security of the provision of such payment services, including the risk of fraudulent conduct, and the security and control measures and procedures to mitigate identified risks and to protect electronic money holders or payment service users from such risks;
2. a description of the applicant's risk management system pursuant to Chapter II of Regulation (EU) 2022 / 2554 of the European Parliament and of the Council, including where the applicant intends to entrust the performance of an operational activity to another person; and
3. the internal regulation or regulations by which the applicant will ensure that the safety and control measures and risk mitigation procedures referred to in point 1 are implemented and that the requirements of Chapter II of Regulation (EU) 2022 / 2554 of the European Parliament and of the Council are clearly met; ';
10. in Sections 8 and 14 (p):
"(p) a description of the risks and management measures involving:
1. a detailed assessment of the risks related to payment services provided or intended to be provided by the applicant, taking into account the planned technical security of the provision of such payment services, including the risk of fraudulent conduct, and the security and control measures and procedures to mitigate identified risks and to protect electronic money holders or payment service users from such risks;
2. a description of the applicant's risk management system pursuant to Chapter II of Regulation (EU) 2022 / 2554 of the European Parliament and of the Council, including where the applicant intends to entrust the performance of an operational activity to another person; and
3. the internal regulation or regulations by which the applicant will ensure that the safety and control measures and risk mitigation procedures referred to in point 1 are implemented and that the requirements of Chapter II of Regulation (EU) 2022 / 2554 of the European Parliament and of the Council are clearly met; ';
11. in Annex 2 (c) (3), the words "the flow of funds made by payment transactions" are replaced by the words "and a detailed breakdown of estimated cash flows."
12. in Annex 3 (d) (3) and (7), "19" is replaced by "17."
13. in Annex 3 (i), "subjectivity" is replaced by "personality."
14. in Annex 4 (b), the word "documents" is replaced by the word "information."
15. in Annex 5, at the end of point (h), the word "a" shall be deleted;
16. In Annex 5, point (i) is replaced by the following:
"(j) a description of the principles for the use of ICT services under Chapter V, Section I of Regulation (EU) 2022 / 2554 of the European Parliament and of the Council.";
17. Annex No 6 is deleted.
Amendment of the Decree on certain conditions for the performance of the activity of a payment institution, the administrator of payment account information, the small-scale payment service provider, the electronic money institution and the small-scale electronic money issuer
Decree No 7 / 2018 Coll., on certain conditions for the performance of the activities of the payment institution, the administrator of the payment account information, the small-scale payment service provider, the electronic money institution and the issuer of small-scale electronic money, as amended by Decree No 2 / 2022 Coll. and Decree No 151 / 2022 Coll., are amended as follows:
1. In footnote 1, the first sentence is replaced by the sentence "Article 4 (46), Article 8 (2), Article 9 (1), Article 9 (2) and Article 95 (1) of Directive (EU) 2015 / 2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market amending Directives 2002 / 65 / EC, 2009 / 110 / EC and 2013 / 36 / EU and Regulation (EU) No 1093 / 2010 and repealing Directive 2007 / 64 / EC, as amended by Directive (EU) 2022 / 2556. '.
2. Paragraph 4 (2) reads as follows:
"(2) Paragraph 1 shall be without prejudice to the obligations of the payment institution to manage risks in the field of information and communication technologies to which the payment institution is or could be exposed in connection with the payment services provided by it, pursuant to Chapter II of Regulation (EU) 2022 / 2554 of the European Parliament and of the Council. The risk mitigation measures in the field of information and communication technologies and the control mechanisms established by the payment institution under Chapter II of Regulation (EU) 2022 / 2554 of the European Parliament and of the Council shall form part of its management of the security and operational risks referred to in paragraph 1. ';
3. In Article 4, paragraphs 3 and 4 are deleted.
4. the Annex is deleted.
EFFECTIVE
This Decree shall take effect on 17 January 2025.
Governor:
Michl, Ph.D., v. r.
Contents
Sign in for notes, favorites and notifications
Regulation Information
| Citation | Decree No. 394 / 2024 Coll., amending Decree No. 1 / 2022 Coll., on Applications and Announcements for Activity under the Law on Payment, as amended by Decree No. 151 / 2022 Coll., and Decree No. 7 / 2018 Coll., on certain conditions for the performance of the activities of a payment institution, the administrator of information on a payment account, a small-scale payment service provider, an electronic money institution and a small-scale issuer, as amended |
|---|---|
| Regulation Type | Order |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 16.12.2024 |
|---|---|
| Effective from | 17.01.2025 |
| Effective until | - |
| Status | Valid |
The regulation text is for informational purposes only.
Comments 0