EBA consults on Guidelines on the reporting of operational or security incidents under the PSD2
07 December 2016
The European Banking Authority (EBA) launched today a consultation on its draft Guidelines developed in close cooperation with the European Central Bank (ECB) under the revised Payment Services Directive (PSD2). The draft Guidelines specify (i) the criteria for classifying operational or security incidents as major, (ii) the template to be used by payment service providers when notifying them to the Competent Authorities (CAs), and (iii) the indicators CAs need to use when assessing the relevance of such incidents. These Guidelines are in support of the objectives of the PSD2 of strengthening the integrated payments market across the European Union (EU), ensuring a consistent application of the legislative framework, promoting equal conditions for competition, providing a secure framework for the payments environment and protecting consumers. The consultation runs until 7 March 2017.
The draft Guidelines set out the criteria, thresholds and methodology to be used by payment service providers in order to determine whether an operational or security incident should be considered as major and, therefore, be notified to the CAs. These draft Guidelines also establish the template that payment service providers will have to use for this notification and the reports they have to send during the lifecycle of the incident, including the timeframe for reporting the incident.
Furthermore, these draft Guidelines define a set of criteria that Competent Authorities have to use as primary indicators when assessing the relevance of a major operational or security incident to other domestic authorities. In particular, they detail the information that, as a minimum, Competent Authorities should share with other domestic authorities when an incident is considered of relevance for the latter.
Responses to this consultation can be sent to the EBA by clicking on the "send your comments" button on the website.
All contributions received will be published following the close of the consultation, unless requested otherwise. Please note that the deadline for the submission of comments is 7 March 2017 and that no attachments can be submitted.
A public hearing will take place at the EBA premises on 09 February 2017 from 13:00 to 16:00 UK time.
Legal basis and background
These Guidelines have been drafted in accordance with Article 96(3) of Directive (EU) 2015/2366 on payment services in the internal market (PSD2), which mandates the EBA, in close cooperation with the ECB, to issue guidelines addressed to payment service providers on the classification and notification of major operational or security incidents, and to Competent Authorities on the criteria to assess their relevance and the details to be shared with other domestic authorities.
In order to fulfil this mandate, the EBA and the ECB have assessed existing scenarios and practices as regards incident reporting and have produced the draft Guidelines proposed in this Consultation Paper.