Response to consultation paper on the draft revised Guidelines on major incident reporting under PSD2
Q1. Do you agree with the change proposed in Guideline 1.4 to the absolute amount threshold of the criteria ‘Transactions affected’ in the higher impact level?
Yes, we agree with the change and support the proposal. Increasing the threshold from €5 million to €15 million would be helpful as it ensures only significant incidents are covered. This reduces overhead and reporting expenses.
Q2. Do you agree with the changes proposed in Guideline 1.4 to the assessment of the criteria ‘Transactions affected’ and ‘Payment service users affected’ in the lower impact level, including the introduction of the condition that the operational incidents must have a duration longer than one hour?
Generally, we agree with the changes and support the proposal. In addition, we suggest taking the number of users of a specific service into account (e.g. ‘more than 25% of users are affected for more than 1 hour’) and have the following comments/observations on the proposed changes:
In the GLs addressed to payment service providers on the notification of major operational or security incidents to the competent authority in their home Member State, under point 1.3. “i. Transactions affected” the following paragraph is added:
“For operational incidents affecting the ability to initiate and/or process transactions, payment service providers should report only those incidents with a duration longer than one hour.”
It should be taken into account that for large banks this change will not have an effect on reporting if it is only applicable to the “lower” impact categories.
Under point 1.3. “ii. Payment service users affected” the following paragraph is added:
“For operational incidents affecting the ability to initiate and/or process transactions, payment service providers should report only those incidents that affect payment service users with a duration longer than one hour.”
It would be good to have this extension also in the “high” category, because if an online banking system is down for one second, probably 100% of users are affected.
Q3. Do you agree with the inclusion of the new criterion ‘Breach of security measures’ in Guidelines 1.2, 1.3 and 1.4?
Yes, we generally agree but are wondering why the new criterion “Breach of security measures” is only relevant in the context of the lower impact level (see comment below):
In the GLs addressed to payment service providers on the notification of major operational or security incidents to the competent authority in their home Member State, under point 1.4. the following thresholds are set:
Criteria                     Lower impact level   Higher impact level
Breach of security measures  Yes                  not applicable
It seems questionable why the breach of security measures is only applicable to the “lower impact” category. It should also be applicable to “higher impact”, because if, e.g., data is breached, the incident is of high importance.
In the revised GLs, EBA proposes changing the “Definitions” by merging ‘continuity’ into ‘availability’ and expanding the definition of the term. As regards the definitions (point 15), it seems unclear why “availability” is mentioned twice (once within “operational or security incident” and once stand-alone).
Q4. Do you agree with the proposed changes to the Guidelines aimed at addressing the deficiencies in the reporting process?
Generally, we agree with the changes and support the proposal, specifically with respect to the proposed change regarding the 4-hour deadline from “Classification of the Incident”. We also welcome the clarifications made. We agree in particular with removing the obligation for PSPs to provide updates to the intermediate reports every 3 working days and extending the deadline for the submission of the final report from 2 weeks to 20 working days.
However, we have one request for clarification:
In the Consultation Paper point 2.7. of the GLs (as regards the submission of initial reports) is changed in the following way:
“2.7. Payment service providers should submit an initial report to the competent authority in the home Member State when a major operational or security incident is first detected after an operational or security incident has been classified as major. Competent authorities should acknowledge the receipt of the initial report and assign a unique reference code unequivocally identifying the incident. Payment service providers should indicate this reference code when submitting the intermediate and final reports related to the same incident.”
If the payment service provider is able to submit the initial, intermediate AND final report within one report (as, for example, the threshold for the volume of transactions was reached by the incident) but the incident could be resolved within one hour, would this mean that the initial and final report must be submitted only after receiving the unique reference number from the local authorities?
Q5. Do you support the introduction of a standardised file for submission of incident reports from payment service providers to national competent authorities? If so, what type of structured file format would you support (e.g. “MS Excel”, “xbrl”, “xml”) and why?
Yes, it will save banks time and effort, specifically for those banks which have to report in different countries. As a recommendation, the new standardised file shall be more user-friendly and easy to fill in for standard software users.
In a perfect world, a unified web solution (portal, web form) would be implemented. If this is not planned, xls should be kept. Given the current process, formats other than MS Excel therefore do not seem relevant. However, if further standardisation of files for submission would open up possibilities for automation, we would also be open to discussing the introduction of more efficient tools and approaches.
Q6. Do you agree with the proposed changes to Guidelines 2.4, 2.7, 2.12, 2.14, and 2.18 that are aimed at simplifying the process of reporting major incidents under PSD2?
Yes, we agree with the changes and support the proposal. In addition, we would appreciate a further explanation of how to interpret “applies from the moment of classification of the incident (and not the detection of the incident)” as referred to in Guideline 2.7. We would encourage a more detailed definition of “classification”.
Q7. Do you agree with the proposed changes to the templates in the Annex to the Guidelines?
Yes, we agree with the changes and support the proposal. One additional recommendation: eliminating the field “Time” in all Reports would be useful, since the “Time of Report” corresponds to the time of the upload of the Report (or the send date of the e-mail).
We also want to point out some room for clarification:
• On the exact scope of the sub-category “Information context security”;
• Regarding the above-mentioned Point d.) of Deficiencies in the reporting process: We understand that the requirement is not to leave any fields blank in the report. In case the respective field does not apply or is not relevant for the article, is there a preference for how to indicate that (e.g. n.a./u.a.)?
Additionally, we want to propose making the field “Assessment of the effectiveness of the actions taken” in the template of the final report optional. It is time-consuming to obtain the requested information in time, and this would risk not being able to deliver the report on time.
Finally, financial institutions are obliged to comply with various reporting obligations, e.g. the “ECB Reporting for significant cyber incidents” reporting scheme. Each reporting obligation uses a different classification scheme for incidents, which is difficult to reflect in incident management processes and tools. Harmonisation between the EBA and ECB reporting obligations would be highly appreciated.
ADDITIONAL REMARKS:
• The Major Incident Reporting to NCAs and to the ECB shall be harmonised. See also our answers to Q5/Q7.
• Point 27: The reference to 2.14 seems misleading and should be reviewed, since no “financial intermediate report” is mentioned in this place. The wording of Guideline 2.12 in conjunction with 2.13 also seems somewhat misleading, as 2.12 stipulates that the intermediate report has to be submitted within 3 working days after the initial report, whereas 2.13 stipulates that the intermediate report has to be submitted within the deadline according to 2.12 in case regular activity has been restarted. It seems unclear what happens in case regular activity has not yet been restored within the said deadline.