Response to consultation paper on the draft revised Guidelines on major incident reporting under PSD2

Go back

Q1. Do you agree with the change proposed in Guideline 1.4 to the absolute amount threshold of the criteria ‘Transactions affected’ in the higher impact level?

Yes. PayBelgium welcomes the increase of the quantitative threshold used for the higher impact level with respect to the criterion “transactions affected” from 5 million to 15 million.

Q2. Do you agree with the changes proposed in Guideline 1.4 to the assessment of the criteria ‘Transactions affected’ and ‘Payment service users affected’ in the lower impact level, including the introduction of the condition that the operational incidents must have a duration longer than one hour?

We agree that the introduction of the condition that the operational incidents must have a duration of longer than one hour may help to ensure that only operational incidents with a significant impact are being captured by the reporting requirement. At the same time, however, we believe that the proposed amendment to use the percentages and the absolute amount thresholds as alternatives (instead of them being cumulative conditions) may have the opposite effect. It may effectively bring in scope again certain operational incidents without a significant impact, even if they have a duration of more than one hour. Indeed, while an incident may or may not reach the threshold of 10% of PSUs being affected, for payment institutions of a certain size it almost always reaches the threshold of 5,000 PSUs affected. As a result, those payment institutions may need to report incidents that – given the relative size of the payment institution and its user base, and despite a duration of more than one hour – may not have a significant impact. The same goes for the criterion “transactions affected”, even if the absolute amount threshold were increased to EUR 500,000. We would therefore suggest to keep the percentage and the absolute amount thresholds as cumulative conditions.

Q3. Do you agree with the inclusion of the new criterion ‘Breach of security measures’ in Guidelines 1.2, 1.3 and 1.4?

We support an adaptation of the guidelines to ensure they capture all relevant security incidents. However, we believe that creating an additional criterion “breach of security measures” at the lower impact level may again result in certain non-major incidents being captured by the reporting requirement if an incident continues to be classified as major at the lower impact level as soon as three criteria are met (i.e., in this context, breach of security measures + two other criteria). To filter out security incidents that are not major, rather than creating a separate criterion “breach of security measures” for the classification as major, we would suggest to amend the definition of “operational or security incident” to clarify that it will in any event cover situations where there is a breach of security measures. In order for that incident to be qualified as major and, hence, subject to the reporting requirement, it would then still need to meet three criteria at the lower impact level.

We would also like to emphasise that, should the new criterion “breach of security measures” be included (whether at the level of the definition of “operational or security incident” or at the level of the classification of the incident as major) it is important that the final revised guidelines keep the clarification that the 4-hour deadline for submission of the initial report (as required under Guideline 2.7) applies from the moment of classification of the incident (and not the detection of the incident). That clarification is required to allow for a timely internal assessment of the incident against the guidelines.

Q4. Do you agree with the proposed changes to the Guidelines aimed at addressing the deficiencies in the reporting process?

Yes, we agree with those proposed changes.

Q5. Do you support the introduction of a standardised file for submission of incident reports from payment service providers to national competent authorities? If so, what type of structured file format would you support (e.g. “MS Excel”, “xbrl”, “xml”) and why?

Yes, we support the introduction of a standardised file for submission of incident reports. In terms of type of structured file format, there is a preference among our members for MS Excel.

Q6. Do you agree with the proposed changes to Guidelines 2.4, 2.7, 2.12, 2.14, and 2.18 that are aimed at simplifying the process of reporting major incidents under PSD2?

Yes, we agree with those proposed changes.

Q7. Do you agree with the proposed changes to the templates in the Annex to the Guidelines?

We generally agree with the proposed changes. However, with respect to the categorisation of the causes of incidents and in particular the category “malicious action” , we are of the view that the sub-category “fraud”, as it is currently defined, may overlap with other sub-categories of malicious action. For instance, phishing (currently included in the definition of fraud) could also be said to fall within the sub-category “information gathering”. We would therefore suggest to refine the definition of fraud so as to make it clear that the sub-category refers to fraud in a strict sense, i.e. an unauthorised use (e.g. unauthorised use of resources, copyright infringements) rather than to an activity that could be said to also fall within another sub-category (e.g. phishing).

Name of the organization

PayBelgium

Organisation and governance

Legal and policy framework

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre