Directive 2015/2366/EU (PSD2)
EBA/GL/2021/03 - Guidelines on major incident reporting under PSD2 - repealing EBA/GL/2017/10
Competent authority
Must Payment Service Providers (PSPs) submit major incident reports to their home National Competent Authority (NCA) when the cause of the major incident is outside the control of the PSP and when updates on the major incident are dependent on information provided by a third party?

Where there is consolidated reporting of an incident to the EBA/ECB in the context of, for example, card payments schemes, is reporting of the major incident by PSPs to their NCA under PSD2 required?

The EBA Guidelines on major incident reporting (‘the EBA Guidelines’) define a major operational or security incident as “a singular event or a series of linked events unplanned by the payment service provider which has or will probably have an adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment related services”.

The EBA Guidelines define payment-related services as any business activity in the meaning of Article 4(3) of PSD2, and all the necessary technical supporting tasks for the correct provision of payment services.

The ECB’s “Guide for the assessment of card payment schemes against the oversight standards (February 2015)” (the “ECB Guidelines”) appear to contain rules regarding the reporting of major incidents in the context of card payment schemes and the classification of incidents as major. The ECB Guidelines define card payment schemes as functions, procedures, rules and devices that enable a holder of a payment card to effect a payment and/or cash withdrawal transaction with a third party other than a card issuer.

The scope of application set out in the EBA Guidelines on major incident reporting under PSD2 (EBA/GL/2017/10) applies to all incidents included under the definition of ‘major operational or security incident’, which covers both external and internal events that could be either malicious or accidental. These Guidelines also apply where the major operational or security incident originates outside the Union (e.g. when an incident originates in the parent company or in a subsidiary established outside the Union) and affects the payment services provided by a payment service provider located in the Union, either directly or indirectly (i.e. the capacity of the payment service provider to keep carrying out its payment activity is jeopardised in some other way as a result of the incident).

Therefore, Payment Service Providers (PSPs) are required to report those operational and security incidents that they assess as major using the criteria, indicators and thresholds set out in the Guidelines, regardless of whether the cause of the major incident is outside the control of the PSP and/or the updates on the major incident are dependent on information provided by a third party.

As a reminder, in accordance with Guideline 3 of these Guidelines, payment service providers may delegate their reporting duties to a third party in compliance with the delegation requirements set out therein, and may allow the designated third party to fulfil the reporting obligations in a consolidated way in compliance with the conditions set out therein.

Answer prepared by the EBA.