Response to consultation on Guidelines on major incidents reporting under PSD2
Question 1: Do you consider the definitions included in the draft Guidelines to be sufficiently clear?
Yes
Question 2: Do you consider the criteria and methodology applicable for the assessment and classification of an incident as major to be sufficiently clear? If not, what should be further clarified?
Yes
Question 3: Do you consider that the methodology will capture all of / more than / less than those incidents that are currently considered major? Please explain your reasoning.
Yes, it is our assessment that the methodology captures all of the incidents. The criteria for classifying an incident as major are in line with Nets' current criteria.
Question 4: In particular, do you propose to add, amend and/or remove any of the thresholds referred to in Guideline 1.3? If so, please explain your reasoning.
No
Question 5: Do you think that the information depicted in the template in Annex 1 is sufficient to provide competent authorities in the home Member State with a suitable picture of the incident? If not, which changes would you introduce? Please explain your reasoning.
Trigger vs. root cause
Our understanding of section “4 – Incident description”, subsection “Cause of incident”, is that it is the trigger cause of the incident that is asked for and not the root cause, since that is addressed in section 8.
Recommendation: Change “Cause of incident” to “Trigger cause of incident” to define more clearly what information is requested in this section.
Question 6: Are the instructions provided along with the template sufficiently clear and helpful to remove any doubts that could arise when completing the required fields? If not, please explain your reasoning.
We suggest more clear instructions, preferably with examples to illustrate.
Question 7: As a general rule, do you consider the deadlines and circumstances that should trigger the submission of each type of report (i.e. initial, intermediate and final) feasible? If not, please provide a reasoning and justify any alternative proposal.
Initial report outside of regular business hours
Recommendation: Only send the report if the recipient of the Incident report has an on-duty resource required to initiate actions/chain of communication immediately after receiving the report (24/7). Otherwise sending the report outside of regular business hours should be postponed until the next day (start of business).
Comment: Our assumption is that the Initial report only contains the fields that are marked as mandatory, because the on-duty personnel will focus on solving the incident rather than reporting.
Deadlines for Initial within regular business hours, intermediate and final report are feasible.