Response to consultation on Guidelines on major incidents reporting under PSD2
Question 1: Do you consider the definitions included in the draft Guidelines to be sufficiently clear?
With regard to the definitions included in the draft, we would like to propose a few amendments, stated below:

Major operational or security incident – strengthening of this definition should be considered, based on the statement in Rationale 18, which describes the classification of major incidents as having significant disruptive effects on business activity. Accordingly, the incident definition should take into account the significance of a material/immaterial adverse impact.

Authenticity – the present definition seems rather vague; we would suggest considering putting an emphasis on verification: ‘property of the source being able to verify its identity’.

Confidentiality – the definition should relate to payment-related services, like the other definitions, and be changed to: ‘property that information concerning payment-related services…’

Continuity – the term ‘acceptable predefined levels’ is not precise enough for the purpose of assuring proper recovery from the incident and should be more prescriptive.
Question 2: Do you consider the criteria and methodology applicable for the assessment and classification of an incident as major to be sufficiently clear? If not, what should be further clarified?
General remarks concerning incident classification:

The assessment undertaken by each PSP, based on the scope of the last two criteria on the list in Guideline 1 (‘other payment service providers or relevant infrastructures potentially affected’ and ‘reputational impact’), should determine the influence of the identified incident that occurred in any particular organisation not only on this PSP itself but also on other PSPs or even the whole financial market.

Such an approach seems excessive considering the potentially limited resources of a particular service provider to conduct such an assessment, especially in the case of smaller organisations. Also, there are no indications further in the content of the Guidelines as to whether it should be perceived as an obligation or rather an expectation that such an assessment would be performed. We would strongly suggest that this demand be non-obligatory and rather voluntary (provided a given PSP possesses appropriate information and shares it with the proper authority), or at least based on the ‘comply or explain’ rule, giving any payment service provider an opportunity to express its willingness and ability to undergo such a procedure.