Response to consultation on Guidelines on major incidents reporting under PSD2
Question 1: Do you consider the definitions included in the draft Guidelines to be sufficiently clear?
In general, we consider the definitions in the draft guidelines to be relatively clear and straightforward. However, we recommend that the following additions/clarifications be made.
• The guidelines include an explanation as to the benefits of the collection of the information in the reports and how the data will be assessed and used.
• The introduction should make clear that reporting to the home member state competent authority does not negate any other obligation to report to other authorities (for example, the Information Commissioner’s Office in the UK).
• It would be helpful to provide an explanation of the economic impact thresholds in level 2.
• It would be helpful to confirm (if it is the case) that the final report is, indeed, the final report and that even if the report has had to be submitted ahead of the identification of the final root cause, no further report is expected.
Question 2: Do you consider the criteria and methodology applicable for the assessment and classification of an incident as major to be sufficiently clear? If not, what should be further clarified?
As noted above, we believe the economic impact threshold in level 2 could be more clearly defined or explained.
One of the criteria, namely "Reputational impact", suggests that a PSP should anticipate whether a potential incident would be high profile or not. This could be nearly impossible to predict, and could lead to a danger of PSPs disproportionately looking for incidents with the potential to create media attention, rather than looking at this criterion in line with the other quantitative factors. Perhaps more detail is needed around this criterion.
Question 3: Do you consider that the methodology will capture all of / more than / less than those incidents that are currently considered major? Please explain your reasoning.
We expect the quality and comparability of the reporting will be enhanced. However, the qualitative nature of the level 1 thresholds carries the risk that PSPs may over or under report, depending on the nature of the PSP and the attitude of staff.
Question 4: In particular, do you propose to add, amend and/or remove any of the thresholds referred to in Guideline 1.3? If so, please explain your reasoning.
We recommend adding more detail to the reputational impact and high level of internal escalation criteria.
Question 5: Do you think that the information depicted in the template in Annex 1 is sufficient to provide competent authorities in the home Member State with a suitable picture of the incident? If not, which changes would you introduce? Please explain your reasoning.
We consider the information within Annex 1 to be comprehensive enough to give the competent authorities a satisfactory overall picture of the incident.
We recommend that the template is amended to indicate the minimum level of detail needed depending on the type of the report. For example, a PSP may be confused as to the level of detail they need to provide on the actual template for an initial report; as it currently stands, there is a data field asking the PSP whether or not there have been any previous reports on the same issue, or whether this is the final report. Some indicator of the level of detail needed on the actual template corresponding to the type of report being submitted would aid in the efficiency of the process.
Question 6: Are the instructions provided along with the template sufficiently clear and helpful to remove any doubts that could arise when completing the required fields? If not, please explain your reasoning.
The instructions are quite clear and should not cause the PSP confusion. However, it would be helpful to include more detailed instructions around the differences between an initial, intermediate and final report.
Question 7: As a general rule, do you consider the deadlines and circumstances that should trigger the submission of each type of report (i.e. initial, intermediate and final) feasible? If not, please provide a reasoning and justify any alternative proposal.
We consider the deadline of two hours for an initial report to be feasible, as there is only a low level of detail required. The deadline in relation to the final report is made feasible by not requiring the root cause analysis and corrective measures to be included in the report within the two-week deadline.
We anticipate that the timeframe that will cause most difficulty will be the limit of three business days to update the intermediate report. This is because additional information may take longer to acquire, particularly if a criterion such as service downtime turns out to be longer than two hours, resulting in a delay in information gathering.
We propose extending the intermediate deadline from three business days to five business days to reflect these potential difficulties.
Question 8: Do you consider that the delegated reporting procedure proposed in the draft Guidelines will provide added value to the market? Please explain your reasoning.
The delegated reporting procedure adds value by allowing the business to employ extra resource as needed in order to fulfil the obligation within what will be a very busy and focused timeframe.
The requirement to inform the competent authority of the outsourced relationship will provide an opportunity for PSPs to consider and make firm arrangements with the third party for such a contingency.