Response to consultation on Guidelines on major incidents reporting under PSD2

Question 1: Do you consider the definitions included in the draft Guidelines to be sufficiently clear?

Most definitions are sufficiently clear. Nevertheless, it is not clear whether “near miss incidents” are included in the definition of “Major operational or security incidents”. Furthermore, it is not clear whether the abovementioned definition also includes incidents that have a potential loss.

Question 2: Do you consider the criteria and methodology applicable for the assessment and classification of an incident as major to be sufficiently clear? If not, what should be further clarified?

No. Since Reputational Impact is difficult to quantify, we suggest that the relevant paragraph outlined on page 25 should end with the following sentence: “In case PSPs are not able to assess the Reputational Impact based on the above parameters, they should justify their answers based on their own internal procedures (e.g. materiality matrix, if present)”. Furthermore, the criteria concerning “transactions affected” and “clients affected” should be further clarified in order to explain how to assess and calculate affected transactions and customers.

Question 3: Do you consider that the methodology will capture all of / more than / less than those incidents that are currently considered major? Please explain your reasoning.

The methodology will capture less than those incidents that are currently considered major due to the smaller size and the limited thresholds currently used by the Cypriot Banking sector.

Question 4: In particular, do you propose to add, amend and/or remove any of the thresholds referred to in Guideline 1.3? If so, please explain your reasoning.

We do not propose any changes for the said thresholds.

Question 5: Do you think that the information depicted in the template in Annex 1 is sufficient to provide competent authorities in the home Member State with a suitable picture of the incident? If not, which changes would you introduce? Please explain your reasoning.

We think it's sufficient.

Question 6: Are the instructions provided along with the template sufficiently clear and helpful to remove any doubts that could arise when completing the required fields? If not, please explain your reasoning.

We consider the instructions clear and helpful.

Question 7: As a general rule, do you consider the deadlines and circumstances that should trigger the submission of each type of report (i.e. initial, intermediate and final) feasible? If not, please provide a reasoning and justify any alternative proposal.

We consider the two-hour deadline for submitting the Initial Report too short, bearing in mind that in the case of an incident, a PSP’s main concern will be to remedy rather than report. We hence suggest the deadline be extended to six hours, so as to allow a satisfactory time span to remedy, communicate and report.

Furthermore, we suggest the two-week deadline for submitting the Final Report to be extended to four weeks because, although the service may recover, the information gathering for the completeness of the investigation might take longer due to the fact that many stakeholders might be involved.

Question 8: Do you consider that the delegated reporting procedure proposed in the draft Guidelines will provide added value to the market? Please explain your reasoning.

Bearing in mind that the delegated reporting procedure is optional and that it will only be exercised upon PSPs’ own will, we consider that it will add value in terms of cost efficiency and better time management.

Question 9: Do you consider that the consolidated reporting procedure proposed in the draft Guidelines will provide added value to the market? Please explain your reasoning.

It will add value in terms of cost efficiency and better time management.

Name of organisation

ASSOCIATION OF CYPRUS BANKS