Response to consultation on Guidelines on major incidents reporting under PSD2

Go back

Question 1: Do you consider the definitions included in the draft Guidelines to be sufficiently clear?

No, do you are thinking about scheduled events with impact on availability, for example, as an operational accident? or if not available electricity in large parts of the country? or will not be available on the Internet en masse? or at the time of floods or other natural disasters? Or are only incidents that result from the malfunctioning of PSP systems?

Question 2: Do you consider the criteria and methodology applicable for the assessment and classification of an incident as major to be sufficiently clear? If not, what should be further clarified?

Q2: Affected by the transaction - to clarify the term regular transaction level" (this is a day on average, monthly average...?)"

Question 3: Do you consider that the methodology will capture all of / more than / less than those incidents that are currently considered major? Please explain your reasoning.

Q3 - Yes, Criterion More PSP may be affected" will mostly be met in the case of events with impact on availability (default yes). Depending on the size of banks and the organizational structure, there are different criteria for internal escalation, so that the criterion of "high level of internal escalation" will default to Yes for small banks."

Question 4: In particular, do you propose to add, amend and/or remove any of the thresholds referred to in Guideline 1.3? If so, please explain your reasoning.

Q4: Delete the level of internal escalation" criteria. This is not quantifiable aspect and can vary from one bank to another for various reasons, and therefore is not an objective indicator of the impact of the incident."

Question 5: Do you think that the information depicted in the template in Annex 1 is sufficient to provide competent authorities in the home Member State with a suitable picture of the incident? If not, which changes would you introduce? Please explain your reasoning.


Question 6: Are the instructions provided along with the template sufficiently clear and helpful to remove any doubts that could arise when completing the required fields? If not, please explain your reasoning.

Q6:Basically yes, but we need to clarify the identification data for PSP (eg. identification number, Authorisation number, Head of group)

Question 7: As a general rule, do you consider the deadlines and circumstances that should trigger the submission of each type of report (i.e. initial, intermediate and final) feasible? If not, please provide a reasoning and justify any alternative proposal.

Q7: It is not clear why it should be reported to the same event min. three times and always comprehensive background information. This approach would increase the administrative burden and potential benefits for the users of payment services, payment service providers and authorities that are described and justified in the draft guidelines conclusively. Two-tier system with the first initial report containing only the basic vital information and other comprehensive report sent after the incident is resolved, it seems reasonable. The proposed solution would not affect the powers of the competent authorities to request additional information at any time when it would be necessary to act in an individual case.
Q7 - No, the initial notification should be sent within two hours of the accident was first discovered, but determining certain criteria present limits, approval from the responsible person, filling out report so timely handling of the incident will take some time. Reasonable period of time eg. 2 hours from the decision that the event is serious or meets three or more Level 1 criteria (or 1 or more from level 2). Same time is reasonable for reporting status changes, currently it is immediately"."

Question 8: Do you consider I that the delegated reporting procedure proposed in the draft Guidelines will provide added value to the market? Please explain your reasoning.


Question 9: Do you consider that the consolidated reporting procedure proposed in the draft Guidelines will provide added value to the market? Please explain your reasoning.

Q9: We believe that the added value for the bank market would be also information about cybercrime attacks like: Botnet,, Copyright, Crack, DoS DDoS attack, Malware, Pharming, Phishing, Scan port, Probe, Spam, Trojan, Ransomware, Virus.

Name of organisation

Czech Banking Association (CBA)