Response to consultation on Guidelines on major incidents reporting under PSD2

Go back

Question 1: Do you consider the definitions included in the draft Guidelines to be sufficiently clear?

Yes

Question 2: Do you consider the criteria and methodology applicable for the assessment and classification of an incident as major to be sufficiently clear? If not, what should be further clarified?

Yes

Question 3: Do you consider that the methodology will capture all of / more than / less than those incidents that are currently considered major? Please explain your reasoning.

Yes it is our assessment that the methodology captures all of the incidents. The criteria for classifying an incident as major are in line with Nets current criteria.

Question 4: In particular, do you propose to add, amend and/or remove any of the thresholds referred to in Guideline 1.3? If so, please explain your reasoning.

No

Question 5: Do you think that the information depicted in the template in Annex 1 is sufficient to provide competent authorities in the home Member State with a suitable picture of the incident? If not, which changes would you introduce? Please explain your reasoning.

Trigger- vs. root cause
Our understanding of the section ‘4 – Incident description, subsection “Cause of incident’’ is, that it is the trigger cause of the incident that is asked for and not the root cause since that is addressed in section 8.

Recommendation: Change “Cause of incident” to “Trigger cause of incident” to define more clearly what information is requested in this section.

Question 6: Are the instructions provided along with the template sufficiently clear and helpful to remove any doubts that could arise when completing the required fields? If not, please explain your reasoning.

We suggest more clear instructions, preferably with examples to illustrate.

Question 7: As a general rule, do you consider the deadlines and circumstances that should trigger the submission of each type of report (i.e. initial, intermediate and final) feasible? If not, please provide a reasoning and justify any alternative proposal.

Initial report outside of regular business hours

Recommendation: Only send the report if the recipient of the Incident report has an on-duty resource required to initiate actions/chain of communication immediately after receiving the report (24/7). Otherwise sending the report outside of regular business hours should be postponed until the next day (start of business).

Comment: Our assumption is that the Initial report only contains the fields that are marked as mandatory, because the on-duty personnel will focus on solving the incident rather than reporting.

Deadlines for Initial within regular business hours, intermediate and final report are feasible.

Question 8: Do you consider I that the delegated reporting procedure proposed in the draft Guidelines will provide added value to the market? Please explain your reasoning.

It is not our impression that it is normal reporting procedure.

Question 9: Do you consider that the consolidated reporting procedure proposed in the draft Guidelines will provide added value to the market? Please explain your reasoning.

Yes - the procedure is aligned with normal business setup and allows a 3rd party reporting on behalf of others, thus being more efficient, increasing quality and timely response.

Name of organisation

Nets Denmark A/S