Czech Banking Association (CBA)

No. Are you thinking about scheduled events with an impact on availability, for example an operational accident? Or if electricity is not available in large parts of the country? Or if the Internet is not available en masse? Or at the time of floods or other natural disasters? Or only incidents that result from the malfunctioning of PSP systems?
Q2: Affected by the transaction - to clarify the term "regular transaction level" (is this a daily average, a monthly average...?)
Q3 - Yes. The criterion "More PSP may be affected" will mostly be met in the case of events with an impact on availability (default yes). Depending on the size of banks and the organizational structure, there are different criteria for internal escalation, so the criterion of "high level of internal escalation" will default to Yes for small banks.
Q4: Delete the "level of internal escalation" criterion. This is not a quantifiable aspect and can vary from one bank to another for various reasons, and therefore is not an objective indicator of the impact of the incident.
Q6: Basically yes, but we need to clarify the identification data for the PSP (e.g. identification number, authorisation number, head of group).
Q7: It is not clear why the same event should be reported at least three times, always with comprehensive background information. This approach would increase the administrative burden and potential benefits for the users of payment services, payment service providers and authorities that are described and justified in the draft guidelines conclusively. A two-tier system, with a first initial report containing only the basic vital information and another comprehensive report sent after the incident is resolved, seems reasonable. The proposed solution would not affect the powers of the competent authorities to request additional information at any time when it would be necessary to act in an individual case.
Q7 - No. The initial notification should be sent within two hours of when the accident was first discovered, but determining certain criteria present limits, approval from the responsible person, filling out the report, so timely handling of the incident will take some time. A reasonable period of time is e.g. 2 hours from the decision that the event is serious or meets three or more Level 1 criteria (or 1 or more from Level 2). The same time is reasonable for reporting status changes; currently it is "immediately".
Q9: We believe that the added value for the bank market would also be information about cybercrime attacks like: Botnet, Copyright, Crack, DoS DDoS attack, Malware, Pharming, Phishing, Scan port, Probe, Spam, Trojan, Ransomware, Virus.
Sylva Kynychová (responsible for collecting and sending banks' comments)