Response to consultation paper on the draft revised Guidelines on major incident reporting under PSD2


Q1. Do you agree with the change proposed in Guideline 1.4 to the absolute amount threshold of the criteria ‘Transactions affected’ in the higher impact level?

The increase proposed by the EBA of the absolute amount threshold for the criterion ‘Transactions affected’ in the higher impact level, from EUR 5 million to EUR 15 million, is acceptable.

Q2. Do you agree with the changes proposed in Guideline 1.4 to the assessment of the criteria ‘Transactions affected’ and ‘Payment service users affected’ in the lower impact level, including the introduction of the condition that the operational incidents must have a duration longer than one hour?

The increase of the absolute threshold of the criterion ‘Transactions affected’ in the lower impact level from EUR 100 000 to EUR 500 000, as proposed by the EBA, is acceptable, as it is also consistent with the increase of the threshold in the higher impact level.

With regard to the additionally proposed amendment to the assessment of the lower impact level of both the ‘Transactions affected’ criterion and the ‘Payment service users affected’ criterion, we suggest the following. Firstly, we agree with adding a condition that the incident must have a certain duration. Secondly, instead of a one-hour duration we suggest a two-hour duration. Thirdly, if the lower impact level of both criteria ‘Transactions affected’ and ‘Payment service users affected’ is conditioned on the incident having a duration longer than two hours, we propose deleting the ‘Service downtime’ criterion in order to remove unnecessary complexity from the reporting procedure. This is justified because the proposed duration condition is described as an impact related to the inability of the PSP to initiate and/or process transactions, which is ultimately comparable to the definition of ‘Service downtime’ under GL 1.3 no. 3 (although, as stated in the Consultation Paper, it should be seen as different from the criterion ‘Service downtime’). As the ‘Service downtime’ criterion is only applicable for the purposes of the lower impact level, this would lead to a more focused application of the criteria ‘Transactions affected’ and ‘Payment service users affected’.

Q3. Do you agree with the inclusion of the new criterion ‘Breach of security measures’ in Guidelines 1.2, 1.3 and 1.4?

No comment.

Q4. Do you agree with the proposed changes to the Guidelines aimed at addressing the deficiencies in the reporting process?

The introduction of a standardised file containing the templates in the Annex to the Guidelines, to be made publicly available by the EBA on its website, is to be welcomed, as it may facilitate the compilation of reports within cross-border groups of PSPs, provided the template is accepted by the NCAs of all Member States. However, GL 2.1 should be further amended to state that PSPs may alternatively use web forms where an NCA also offers such a reporting channel, as certain institutions may prefer to compile the report manually.

Furthermore, the proposed simplifications of the incident reporting process are warmly welcomed, especially the removal of the obligation for PSPs to provide updates to the intermediate reports every 3 working days (GL 2.14) and the extension of the deadline for submission of the final report from 2 weeks to 20 working days (GL 2.18). The clarification that the 4-hour deadline for submission of the initial report required under Guideline 2.7 runs from the moment of classification of the incident and not from its detection is acknowledged (GL 2.16).

Regarding the new Guideline 3.6, the clarification that each PSP should ensure that, when an incident is caused by a disruption in the services provided by a technical service provider or an infrastructure that affects multiple PSPs, delegated reporting refers to the individual data of that PSP (except in the case of consolidated reporting) is understandable. However, as this clarification was introduced in Guideline 3 on “Delegated and consolidated reporting”, it may remain unclear, given the context of that Guideline, that incidents originating on the side of a central infrastructure are also covered by the reporting obligation of every single affected PSP. Therefore, a further clarification that each PSP should ensure that incidents caused by a disruption in the services provided by an infrastructure are also reported could be introduced in the section on the scope of application of the Guidelines, perhaps best as an amendment to its number 10, stating that the Guidelines apply to incidents arising from both external and internal events.

Q5. Do you support the introduction of a standardised file for submission of incident reports from payment service providers to national competent authorities? If so, what type of structured file format would you support (e.g. “MS Excel”, “xbrl”, “xml”) and why?

As already elaborated in the answer to Q4, the introduction of a standardised file for the submission of incident reports should be supported, especially for cross-border groups of PSPs (and web forms should remain available as an alternative). All of the mentioned file formats could be considered appropriate.

Q6. Do you agree with the proposed changes to Guidelines 2.4, 2.7, 2.12, 2.14, and 2.18 that are aimed at simplifying the process of reporting major incidents under PSD2?

In general, please refer to our answer to Q4.

Q7. Do you agree with the proposed changes to the templates in the Annex to the Guidelines?

With regards to Annex B 2, we support the proposed merger of the impact dimensions ‘availability’ and ‘continuity’.

Name of the organization

Association of Foreign Banks in Germany