Response to consultation on Guidelines on major incidents reporting under PSD2
Question 1: Do you consider the definitions included in the draft Guidelines to be sufficiently clear?
The treatment of branches of PSPs in Member States other than the Home Member State is not included in the definitions. As stated in Art. 1 No. 1 lit. a of Directive (EU) 2015/2366 (PSD II), not only credit institutions (themselves) qualify as payment service providers, but also their respective branches. The Directive distinguishes two cases here: the case of branches of a credit institution whose head office is located within the Union and also the case of branches of a credit institution whose head office is located outside the Union (in accordance with Article 47 of Directive 2013/36/EU and with national law).
As stated in recital 12 of the draft with regard to international banking groups, each affected payment service provider shall submit incident notifications to the competent authority in the Member State where they have been granted authorisation. Concerning the above-mentioned branches, this should mean the following:
• In the case of a branch of a credit institution whose head office is located within the Union, the competent authority to which the incident notifications shall be sent is the one of that Member State where the (EU) head office is located.
• In the case of a branch of a credit institution whose head office is located outside the Union (in accordance with Article 47 of Directive 2013/36/EU and with national law), the competent authority to which the incident notifications shall be sent is the one of that Member State where the branch is located.
Therefore, we recommend including this differentiation in relation to branches in their role as PSP.
Question 2: Do you consider the criteria and methodology applicable for the assessment and classification of an incident as major to be sufficiently clear? If not, what should be further clarified?
It should be clarified if there are any differences to be made in relation to the kind of customers affected by an incident, for example between retail and corporate customers. Furthermore, it should be clarified if customers are defined in their capacity as payment account holders.
Regarding the threshold in relation to the clients affected, it should be clarified if the given percentage of customers has to be estimated in relation to the (whole) PSP, i.e. on entity level including all customers in other Member States, or in relation to each Member State where a branch is established.