Response to consultation on Guidelines on major incidents reporting under PSD2
Question 1: Do you consider the definitions included in the draft Guidelines to be sufficiently clear?
We believe that the included definitions are sufficiently clear and no further explanations are needed.
Question 2: Do you consider the criteria and methodology applicable for the assessment and classification of an incident as major to be sufficiently clear? If not, what should be further clarified?
As a general note, we agree with the proposed methodology for the assessment and classification of an incident as major.
However, we note the following points that should be further clarified:
• Article 1.5 requires that at least three Level 1 criteria or one Level 2 criterion be met in order to classify an incident as major. We would ask the EBA to provide the rationale that led to this choice.
• With specific reference to the criteria and underlying indicators, we believe that the qualitative criteria (“High level of internal escalation”, “Other payment service providers or relevant infrastructures potentially affected” and “Reputational Impact”) are PSP-dependent, not easily verifiable and not clearly defined. Therefore, we see that their application may make it difficult to obtain a precise evaluation of the incident’s impact;
• We observe that the escalation process is an internal process of each bank and, therefore, the “High level of internal escalation” criterion cannot be used to capture the other relevant dimensions indicated in rationale no. 17-e.
Question 3: Do you consider that the methodology will capture all of / more than / less than those incidents that are currently considered major? Please explain your reasoning.
We believe that the use of qualitative and PSP-dependent criteria (e.g. “high level of escalation”) can lead to classifying more incidents as major than those currently considered major.
Question 4: In particular, do you propose to add, amend and/or remove any of the thresholds referred to in Guideline 1.3? If so, please explain your reasoning.
In general, we appreciate that the Guidelines address the need to measure the actual size of an incident’s impact by establishing a set of thresholds. In this respect, we consider the adoption of parametric thresholds more feasible than absolute values, considering that the Federcasse federation includes more than 310 Credit Cooperative Banks (or Banche di Credito Cooperativo – BCCs) of different size, complexity and operational and risk profile. Therefore, a “one-size-fits-all” value is likely to produce unintended or inapplicable results.
Moreover, we believe that a major incident is generally declared before crisis mode. In fact, while a major incident can have significant disruptive effects on the business activity, we assume that during crisis mode the business activity has been interrupted and a higher level of escalation has been activated.
Based on this consideration, we suggest revising the Level 2 threshold associated with the “High level of internal escalation” criterion in order to address the potential and likely evolution of an incident into crisis mode. For instance, the threshold could be reworded as “Yes, and a crisis mode is likely to be called upon”.
Question 5: Do you think that the information depicted in the template in Annex 1 is sufficient to provide competent authorities in the home Member State with a suitable picture of the incident? If not, which changes would you introduce? Please explain your reasoning.
We appreciate the fact that the EBA is seeking to achieve a homogeneous reporting process by providing for the use of a standardized template that will also enable greater comparability and automation in the management of information. However, we underline that currently different overlapping regulations (PSD2, GDPR, NIS) are implementing their own processes for major incident reporting, with different phases, report templates and timelines. We see that payment service providers may be asked to complete as many as three reports for the same incident, with likely unintended errors or duplications.
Regarding the proposed template, we agree that the information depicted is sufficient to provide competent authorities with a suitable picture of the incident.
Question 6: Are the instructions provided along with the template sufficiently clear and helpful to remove any doubts that could arise when completing the required fields? If not, please explain your reasoning.
We believe that the instructions provided along with the template are sufficiently clear and helpful; therefore no further additions are needed.
Question 7: As a general rule, do you consider the deadlines and circumstances that should trigger the submission of each type of report (i.e. initial, intermediate and final) feasible? If not, please provide a reasoning and justify any alternative proposal.
We believe that the proposed timeline for the initial report (2 hours) can hardly be applied in the Credit Cooperative Banks (or Banche di Credito Cooperativo – BCCs) context, where all of them have fully outsourced their IT to IT service centers. In such a scenario, the IT service centers are responsible for incident handling, including incident detection and the collection of technical information, while the BCCs are responsible for incident classification and notification. Each bank has its own business and operating model, and such factors have to be taken into account during the impact analysis. Moreover, the BCCs have generally not implemented an internal 24x7 support service, since the monitoring, detection and incident resolution duties have been outsourced. Thus, if an incident occurs outside business hours (such as at night or at the weekend), it will be promptly detected and managed by the outsourcer, but it could be very challenging to meet the proposed 2 hours for the initial notification.
For that reason, we propose to modify Article 2.8 “Payment service providers should send the initial notification to the competent authority within the first 2 hours from the moment the incident was first detected…” to “Payment service providers should send the initial notification to the competent authority within the first 2 hours from the moment the incident was classified as major…”.