Response to consultation paper on the draft revised Guidelines on major incident reporting under PSD2
Q1. Do you agree with the change proposed in Guideline 1.4 to the absolute amount threshold of the criteria ‘Transactions affected’ in the higher impact level?
Yes, the European FinTech Association (EFA) welcomes the increase of the quantitative threshold used for the higher impact level with respect to the criterion “transactions affected” from 5 million to 15 million.
Q2. Do you agree with the changes proposed in Guideline 1.4 to the assessment of the criteria ‘Transactions affected’ and ‘Payment service users affected’ in the lower impact level, including the introduction of the condition that the operational incidents must have a duration longer than one hour?
We agree that the introduction of the condition that the operational incidents must have a duration of longer than one hour may help ensure that only operational incidents with a significant impact are being captured by the reporting requirement.
At the same time, however, the proposed amendment to use the percentage and the absolute amount thresholds as alternatives (instead of being cumulative conditions) may have the opposite effect, bringing into scope again certain operational incidents without a significant impact (even if they have a duration of more than an hour). This is especially true for the thresholds used with respect to the criterion “payment service users affected”, which have not been increased in the proposed revised guidelines: while an incident may or may not reach the threshold of 10% of PSUs being affected, for payment institutions of a certain size it almost always reaches the threshold of 5,000 PSUs affected. As a result, those payment institutions may need to report incidents that – given the relative size of the payment institution and its user base, and despite a duration of more than one hour – may not have a significant impact. We would therefore suggest keeping the percentage and the absolute amount thresholds as cumulative conditions.
Q3. Do you agree with the inclusion of the new criterion ‘Breach of security measures’ in Guidelines 1.2, 1.3 and 1.4?
We agree with the inclusion of the new criterion “breach of security measures” provided that the final revised guidelines keep the clarification that the 4-hour deadline for submission of the initial report (as required under Guideline 2.7) applies from the moment of classification of the incident, and not the detection of the incident. That clarification is required to allow for a timely internal assessment of the incident against the guidelines.