European FinTech Association a.s.b.l.

Yes, the European FinTech Association (EFA) welcomes the increase of the quantitative threshold used for the higher impact level with respect to the criterion “transactions affected” from 5 million to 15 million.
We agree that the introduction of the condition that the operational incidents must have a duration of longer than one hour may help ensure that only operational incidents with a significant impact are being captured by the reporting requirement.

At the same time, however, the proposed amendment to use the percentage and the absolute amount thresholds as alternatives (instead of being cumulative conditions) may have the opposite effect, bringing into scope again certain operational incidents without a significant impact (even if they have a duration of more than one hour). This is especially true for the thresholds used with respect to the criterion “payment service users affected”, which have not been increased in the proposed revised guidelines: while an incident may or may not reach the threshold of 10% of PSUs being affected, for payment institutions of a certain size it almost always reaches the threshold of 5,000 PSUs affected. As a result, those payment institutions may need to report incidents that – given the relative size of the payment institution and its user base, and despite a duration of more than one hour – may not have a significant impact. We would therefore suggest keeping the percentage and the absolute amount thresholds as cumulative conditions.
We agree with the inclusion of the new criterion “breach of security measures” provided that the final revised guidelines keep the clarification that the 4-hour deadline for submission of the initial report (as required under Guideline 2.7) applies from the moment of classification of the incident, and not the detection of the incident. That clarification is required to allow for a timely internal assessment of the incident against the guidelines.
Yes, we agree with those proposed changes.
Yes, we support the introduction of a standardised file for submission of incident reports. In terms of type of structured file format, there is a preference among our members for MS Excel.
Yes, we agree with those proposed changes.
We generally agree with the proposed changes. However, with respect to the categorisation of the causes of incidents and in particular the category “malicious action”, we are of the view that the sub-category “fraud”, as it is currently defined, may overlap with other sub-categories of malicious action. For instance, phishing (currently included in the definition of fraud) could also be said to fall within the sub-category “information gathering”. We would therefore suggest refining the definition of fraud so as to make it clear that the sub-category refers to fraud in a strict sense, i.e. an unauthorised use (e.g. unauthorised use of resources, copyright infringements) rather than to an activity that could be said to also fall within another sub-category (e.g. phishing).