Response to consultation on Guidelines on major incidents reporting under PSD2

Go back

Question 1: Do you consider the definitions included in the draft Guidelines to be sufficiently clear?

“payment related services”
The definition of payment related services, is very wide and it should be limited to only those “technical supporting tasks” which failure would affect failure of payment services .

“major operational or security incident”
We think that definition of a ‘major operational or security incident’ (‘A singular event or a series of linked events which have or may have a material adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment-related services’) should not include events which may have only potentially negative impact on the provided payment services. Otherwise the payment service providers will have to face the fact that any events which may cause the actual incident will have to be reported to the relevant authority as the actual incident (despite the fact that the negative impact on payment services will be only potential).

Question 2: Do you consider the criteria and methodology applicable for the assessment and classification of an incident as major to be sufficiently clear? If not, what should be further clarified?

In our view Reputational impact shouldn’t be consider as a criterion for assessing the materiality of an operational or security incident. Reputation is a very blurry category, with a lot of uncertainty how to measure the potential impact to reputation.
Additionally we believe that “High level of internal escalation” and “crisis mode” may have a negative impact at the PSPs internal communication processes. It is easy to imagine that such a criterion might create the culture in which reporting are discourage.

Question 5: Do you think that the information depicted in the template in Annex 1 is sufficient to provide competent authorities in the home Member State with a suitable picture of the incident? If not, which changes would you introduce? Please explain your reasoning.

An obligation to report an incident within the first 2 hours from the moment the incident was first detected makes it almost impossible to fulfil. Reporting template is very detailed (with questions like What is the specific issue? - How it happened? - How did it evolve?). Payments service providers should focus on the incident itself, not on reporting, from compliance perspective the most important task is to handle incident and then when everything is on the right track prepare necessary reporting, lesson learnt , etc.

Name of organisation