The question refers to the case in which an incident with a duration of two hours that disrupts transaction processing occurs around the daily cut-off time of same-day transactions processing. Thus, the incident may be of a short duration, but as a result, transactions are booked one day later.
Considering this example, what service downtime should the payment service provider (PSP) indicate in the PSD2 notification? Just the net time of the failure or the total time any payment service users are affected by delayed transactions, i.e. one day?
According to section 1.3. of the EBA/GL/2021/03 the Service Downtime of an incident is defined as the “time that any task, process or channel related to the provision of payment services is or will likely be down and, thus, prevents i) the initiation and/or execution of a payment service and/or ii) access to a payment account.” Moreover, PSPs are asked to “count the service downtime from the moment the downtime starts, and they should consider both the time intervals when they are open for business as required for the execution of payment services as well as the closing hours and maintenance periods, where relevant and applicable.”
Considering the example that an incident with a duration of two hours that disrupts transaction processing occurs around the daily cut-off time of same-day transactions processing, the net time of the failure may be just two hours; however, as a result, transactions are delayed by one day.
The definition of the Service Downtime takes into account not only the “time that any task, process or channel related to the provision of payment services is […] down” but also the consequences that due to an incident “the initiation and/or execution of a payment service” is disturbed. Based on this definition, we have concluded that in such a scenario the guaranteed service that a PSP processes a transfer order within one banking day is delayed by one day, which is why, according to our view, the service downtime should be one day.
Alternatively, consider another example where a responsible server is down for more than one but less than two hours just around the cut-off time. In this case, a PSP could conclude that it does not need to report this incident if just the net time of a failure should be counted, as the net downtime would be less than two hours and reporting obligations would not apply assuming only two other thresholds are met by the incident. However, payment service users might still be affected for one whole day by delayed transactions as described in the first example. Thus, taking into account the delay of transactions, the downtime would be one day. Therefore, three reporting thresholds would be met and the incident should be reported.
Guideline 1.3.iv of the revised Guidelines on major incident reporting under PSD2 (EBA/GL/2021/03) prescribes how payment service providers (PSPs) should calculate the value of 'service downtime'. In particular, it specifies that 'payment service providers should consider the period of time that any task, process or channel related to the provision of payment services is or will likely be down and, thus, prevents i) the initiation and/or execution of a payment service and/or ii) access to a payment account.'
Accordingly, in the specific case where an incident has prevented the execution of the payment service due to a missed settlement cycle, PSPs should count the service downtime from the moment the downtime starts until the moment the payment services impacted by the incident are executed.