Response to consultation paper on the draft revised Guidelines on major incident reporting under PSD2
Q1. Do you agree with the change proposed in Guideline 1.4 to the absolute amount threshold of the criteria ‘Transactions affected’ in the higher impact level?
Yes. PayBelgium welcomes the increase of the quantitative threshold used for the higher impact level with respect to the criterion “transactions affected” from 5 million to 15 million.
Q2. Do you agree with the changes proposed in Guideline 1.4 to the assessment of the criteria ‘Transactions affected’ and ‘Payment service users affected’ in the lower impact level, including the introduction of the condition that the operational incidents must have a duration longer than one hour?
We agree that the introduction of the condition that the operational incidents must have a duration longer than one hour may help to ensure that only operational incidents with a significant impact are captured by the reporting requirement. At the same time, however, we believe that the proposed amendment to use the percentages and the absolute amount thresholds as alternatives (instead of them being cumulative conditions) may have the opposite effect. It may effectively bring back into scope certain operational incidents without a significant impact, even if they have a duration of more than one hour. Indeed, while an incident may or may not reach the threshold of 10% of PSUs being affected, for payment institutions of a certain size it almost always reaches the threshold of 5,000 PSUs affected. As a result, those payment institutions may need to report incidents that – given the relative size of the payment institution and its user base, and despite a duration of more than one hour – may not have a significant impact. The same goes for the criterion “transactions affected”, even if the absolute amount threshold were increased to EUR 500,000. We would therefore suggest keeping the percentage and the absolute amount thresholds as cumulative conditions.
Q3. Do you agree with the inclusion of the new criterion ‘Breach of security measures’ in Guidelines 1.2, 1.3 and 1.4?
We support an adaptation of the guidelines to ensure they capture all relevant security incidents. However, we believe that creating an additional criterion “breach of security measures” at the lower impact level may again result in certain non-major incidents being captured by the reporting requirement if an incident continues to be classified as major at the lower impact level as soon as three criteria are met (i.e., in this context, breach of security measures + two other criteria). To filter out security incidents that are not major, rather than creating a separate criterion “breach of security measures” for the classification as major, we would suggest amending the definition of “operational or security incident” to clarify that it will in any event cover situations where there is a breach of security measures. In order for that incident to be qualified as major and, hence, subject to the reporting requirement, it would then still need to meet three criteria at the lower impact level.
We would also like to emphasise that, should the new criterion “breach of security measures” be included (whether at the level of the definition of “operational or security incident” or at the level of the classification of the incident as major), it is important that the final revised guidelines keep the clarification that the 4-hour deadline for submission of the initial report (as required under Guideline 2.7) applies from the moment of classification of the incident (and not the detection of the incident). That clarification is required to allow for a timely internal assessment of the incident against the guidelines.