This is an abbreviated list, to give you an idea of the level of detail needed for this one question. The FCA states that the process you have in place to file, monitor, track and restrict access to sensitive payment data should include:
- A description of the flows of data classified as sensitive payment data in the context of the payment institution’s business model
- The procedures in place to authorise access to the sensitive payment data
- A description of the monitoring tool
- The access right policy, detailing access to all relevant infrastructure components and systems, including databases and back-up infrastructures
- A description of how the collected data is filed (unless the applicant firm intends to provide PIS only)
- The expected internal and/or external use of the collected data, including by counterparties (unless the applicant firm intends to provide PIS only)
- The IT system and technical security measures that have been implemented, including encryption and/or tokenisation
- Identification of the individual(s), bodies and/or committees with access to the sensitive payment data
- An explanation of how breaches will be detected and addressed
- An annual internal control program in relation to the safety of the IT systems