Response to consultation on Guidelines on major incidents reporting under PSD2
Question 1: Do you consider the definitions included in the draft Guidelines to be sufficiently clear?
Nordea suggests that the definitions refer to Annex 1 of the PSD2 more clearly.
Based on PSD2 it is difficult to interpret what information is expressly meant in this definition. The definition (or recitals to it) should give guidance on what information etc. is subject to this specific definition.
EBA should consider aligning the definitions with other market definitions already in place, e.g. ENISA.
Transactions affected – the definition of transaction is not clear: does it include actual transactions that have been affected, or the possibility to do transactions?
Service downtime – it is unclear if this includes only systems that are completely inaccessible or also systems that are only partly inaccessible.
There should be a clear reference to Annex 1 of the PSD2. The expressions “business activity” and “all the technical supporting tasks for…” are vague and should be limited only to the PSP’s internal (or subcontractors’, if relevant) necessary services directly required for the production of the payment service.
“Events which have or may have a material adverse impact” needs to be defined, it is not clear what “may have” means.
Question 2: Do you consider the criteria and methodology applicable for the assessment and classification of an incident as major to be sufficiently clear? If not, what should be further clarified?
High level of internal escalation – Chief Information Officer (or similar) is a strange definition; it is presumably different in each PSP what they consider to be high escalation, and it is perhaps also related to what level of crisis teams have been activated. Or will all PSPs be required to have a designated CIO?
Reputational impact is very wide and can be difficult to determine based on all these examples.
Information on incidents should also be shared between different financial institutions, to prevent similar incidents in a proactive way.
Nordea finds it unclear how to calculate the affected number of customers. Assume more than 25% of the bank’s customers use netbank. When the netbank is down, does this then automatically trigger reporting in accordance with criteria level 2?
Question 3: Do you consider that the methodology will capture all of / more than / less than those incidents that are currently considered major? Please explain your reasoning.
Based on the incidents reported to FSAs during 2016 it seems to be quite aligned with what is already being reported, so based on this it should be either the same or more.
Question 4: In particular, do you propose to add, amend and/or remove any of the thresholds referred to in Guideline 1.3? If so, please explain your reasoning.
Nordea proposes that the EBA remove the threshold of number of clients affected in Level 1 (5000) and keep only the threshold of 10%, as 5000 is very low for large banks (may not qualify as “major”).
Question 5: Do you think that the information depicted in the template in Annex 1 is sufficient to provide competent authorities in the home Member State with a suitable picture of the incident? If not, which changes would you introduce? Please explain your reasoning.
To prevent overburdening PSPs with several different reporting requirements, EBA should consider aligning with the requirements of the GDPR in case of a data breach.
Nordea assumes that it will be possible to leave some fields uncommented in the reporting template. Further clarification is needed on which information should be included in the “initial”, “intermediate” and “final” report.
Question 6: Are the instructions provided along with the template sufficiently clear and helpful to remove any doubts that could arise when completing the required fields? If not, please explain your reasoning.
In line with the answers to questions 1 and 2.
Should this template also be used for the initial reporting, and if so, which parts should be used for the initial report? Some guidance for the initial reporting would be appreciated.
Question 7: As a general rule, do you consider the deadlines and circumstances that should trigger the submission of each type of report (i.e. initial, intermediate and final) feasible? If not, please provide a reasoning and justify any alternative proposal.
For the initial reporting most facts will not be known, and it will be guesstimates on the criteria and potential impacts.
Two weeks to provide the final report is too short; it often requires more than two weeks to do a thorough root cause analysis.
The full economic impact will be difficult to collect within two weeks; therefore Nordea assumes that a justified estimate of the impact will be sufficient for this report.
Question 8: Do you consider that the delegated reporting procedure proposed in the draft Guidelines will provide added value to the market? Please explain your reasoning.
It is probably not likely that Nordea will delegate the reporting, but there is a rationale for a third party undertaking the incident reporting (as this will reduce the burden on small PSPs and ensure that the reporting third party develops more experience in handling incident reporting). The conditions allowing TPPs to undertake reporting must be very clear, and must ensure that the TPP is past a critical size and that its procedures for incident reporting have been reviewed and are monitored regularly (or reviewed and tested?).
Question 9: Do you consider that the consolidated reporting procedure proposed in the draft Guidelines will provide added value to the market? Please explain your reasoning.
Nordea points out that PSPs are obliged to comply with several different incident reporting requirements. Due to the number of different authorities involved, the notification procedures are fragmented and partly overlapping. In addition to variation in local regulations, the implementation of the General Data Protection Regulation, the NIS Directive and the eIDAS Regulation will increase notification requirements fundamentally.
With some amendment, the consolidated reporting procedure proposed in the draft guidelines may create a useful framework for the incident reporting procedures. To gain the full benefits of the reporting procedure, Nordea considers it important to agree on harmonised notification procedures also between different authorities/supervisors, to reduce overlapping notifications and different templates depending on which authority is to be notified.
Example: a potential incident in strong electronic authentication in payment services in the Finnish Nordea branch requires a PSD2 notification to the home country FSA (Sweden), an eIDAS-based notification to FICORA (the Finnish communications regulatory authority), a notification to the Finnish Data Ombudsman and a notification to the Finnish FSA. It should be possible to make these notifications with one uniform template.