Response to consultation paper on the draft revised Guidelines on major incident reporting under PSD2
Go back
FBF would like to point out that the proposed increase to 15 million EUR would still be considered too low for wholesale/investment banks which process a much higher daily volume of payment transactions. Thus, taking into consideration that “Transactions affected” criteria should be understood as transactions for which it was not possible to neutralize the client impact, the proposed increased threshold is deemed acceptable for the largest banks. However, should the EBA have a different position, we would favor referring only to the percentage threshold so that the achievement of that threshold be linked to the size of the operations of the bank.
Regarding the introduction of a linked condition that the operational incidents must have a duration longer than one hour corresponding to the bank’s inability to process payment transactions for more than one hour, FBF would welcome some clarifications and examples of situations that EBA in the paragraph 15 of the consultation paper refers to : “there are cases where the issues affecting the initiation and/or processing of transactions may be rectified within a period shorter than one hour but the overall unavailability of the PSPs’ services to the payment service user is longer than two hours”.
FBF actually believes there is a need for practical clarification on the correct understanding for PSPs of this criteria of duration of the incident together with other criteria such as Service downtime and Breach of security measures.
We wonder whether adding this new criterion “Breach of security measures” combined with the two other criteria “High level of internal escalation” and “Reputational impact” would not lead to a high number of reporting sent to NCAs that would not be representative of a major incident ?
Nonetheless, we would like to draw the EBA’s attention on the fact that PSPs are already subject to the cyber-incident reporting framework established by European Central Bank for EUR countries about significant cyber and security incidents. Regarding such cyber and security incidents, some clarifications on how and when PSPs should consider that the criteria Breach of security measures is reached would be useful. We consider that PSPs should use the same levels as required in the cyber incident ECB reporting.
FBF would welcome some clarifications about the process for notifications and the escalation process.
In principle, each PSP has only the obligation to report to his home Member state. But some PSPs with European coverage, do note that this is not always the case in practice. Indeed, some other Member States NCAs, where French PSPs branches are operating, are asking and requesting information from the branches.
PSPs should avoid declaring the same incident more than once, even if we understand that each NCA reports anyway to ECB.
It should be noted that, after the transition period, PSPs branches located in London will still have to report incidents to their own NCA, as part of the on shored version of the UK implementation of PSD2.
About Guideline 2.21: FBF would welcome clarifications on whether the final report should be filed with the updated information and whether there is a need to submit the complete final report if the incident is reclassified.
About Guideline 2.3, should the copy of the communication to users be provided embedded in the template or separately? A template to copy the text of the end client communication would be helpful, as an annex of the existing template.
About Guideline 2.8, for clarification purpose, FBF believes that the following information should be added: PSPs should send their reports during the NCAs working hours. It should be noted that this principle stands for all kinds of reports.
French PSPs are satisfied with the current format that is Excel.
On Section A -Initial Report:
The scope of countries may expand sometimes, and consequently the PSP would have to report such changes on Section B, line 26 “Changes made to previous reports”
FBF would welcome some clarification on the purpose of the following section: “Impact in other EU Member States, if applicable”
Line 35- "Reporting to other authorities” seems to be not needed in practice with a very few number of cases to be reported to other authorities.
On Section B - Intermediate Report:
Line 19 – “Was it related to a previous incident?” – An “unknown” option should be offered
Line 20 – “Were other service providers/third parties affected or involved?” - An “unknown” option should be offered
Line 23– “Date and time when the incident was restored or is expected to be restored (DD/MM/YYYY, HH:MM)” - such expectation is not easy to assess, FBF would propose a deletion of the line.
The sub-categories called Malicious actions and Process failure would require some examples in their description.
On Section C - Final Report:
Line 22 “lessons learnt” – It is important to highlight that this may require more time than the one granted by the final report deadline.
Line 38 “Assessment of the effectiveness of the actions taken” – The timeline may be insufficient to express such assessment.
The sub-category “Information context security” may be amended as “Information content security” to be consistent with the Cyber incident taxonomy.
Regarding the root cause System failure, FBF would recommend adding the category “Infrastructure failure”.
Q1. Do you agree with the change proposed in Guideline 1.4 to the absolute amount threshold of the criteria ‘Transactions affected’ in the higher impact level?
FBF welcomes the change proposed in GL 1.4 with an increase of the absolute amount threshold of the criteria ‘Transactions affected’ from 5 million to 15 million EUR.FBF would like to point out that the proposed increase to 15 million EUR would still be considered too low for wholesale/investment banks which process a much higher daily volume of payment transactions. Thus, taking into consideration that “Transactions affected” criteria should be understood as transactions for which it was not possible to neutralize the client impact, the proposed increased threshold is deemed acceptable for the largest banks. However, should the EBA have a different position, we would favor referring only to the percentage threshold so that the achievement of that threshold be linked to the size of the operations of the bank.
Q2. Do you agree with the changes proposed in Guideline 1.4 to the assessment of the criteria ‘Transactions affected’ and ‘Payment service users affected’ in the lower impact level, including the introduction of the condition that the operational incidents must have a duration longer than one hour?
FBF agrees with the proposed increase of the absolute amount threshold of the criteria ‘Transactions affected’ from 100 000 EUR to 500 000 EUR.Regarding the introduction of a linked condition that the operational incidents must have a duration longer than one hour corresponding to the bank’s inability to process payment transactions for more than one hour, FBF would welcome some clarifications and examples of situations that EBA in the paragraph 15 of the consultation paper refers to : “there are cases where the issues affecting the initiation and/or processing of transactions may be rectified within a period shorter than one hour but the overall unavailability of the PSPs’ services to the payment service user is longer than two hours”.
FBF actually believes there is a need for practical clarification on the correct understanding for PSPs of this criteria of duration of the incident together with other criteria such as Service downtime and Breach of security measures.
Q3. Do you agree with the inclusion of the new criterion ‘Breach of security measures’ in Guidelines 1.2, 1.3 and 1.4?
FBF understands that the new criterion Breach of security measures directly refers to the Guideline 3.4.1 of the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04). Therefore, such criteria should be ticked when the incident relates to one or more security measures that are described in the dedicated Guideline of EBA/GL/2019/04.We wonder whether adding this new criterion “Breach of security measures” combined with the two other criteria “High level of internal escalation” and “Reputational impact” would not lead to a high number of reporting sent to NCAs that would not be representative of a major incident ?
Nonetheless, we would like to draw the EBA’s attention on the fact that PSPs are already subject to the cyber-incident reporting framework established by European Central Bank for EUR countries about significant cyber and security incidents. Regarding such cyber and security incidents, some clarifications on how and when PSPs should consider that the criteria Breach of security measures is reached would be useful. We consider that PSPs should use the same levels as required in the cyber incident ECB reporting.
Q4. Do you agree with the proposed changes to the Guidelines aimed at addressing the deficiencies in the reporting process?
The FBF agrees with the proposed changes. In addition, we would like to offer the following more detailed comments:FBF would welcome some clarifications about the process for notifications and the escalation process.
In principle, each PSP has only the obligation to report to his home Member state. But some PSPs with European coverage, do note that this is not always the case in practice. Indeed, some other Member States NCAs, where French PSPs branches are operating, are asking and requesting information from the branches.
PSPs should avoid declaring the same incident more than once, even if we understand that each NCA reports anyway to ECB.
It should be noted that, after the transition period, PSPs branches located in London will still have to report incidents to their own NCA, as part of the on shored version of the UK implementation of PSD2.
About Guideline 2.21: FBF would welcome clarifications on whether the final report should be filed with the updated information and whether there is a need to submit the complete final report if the incident is reclassified.
About Guideline 2.3, should the copy of the communication to users be provided embedded in the template or separately? A template to copy the text of the end client communication would be helpful, as an annex of the existing template.
About Guideline 2.8, for clarification purpose, FBF believes that the following information should be added: PSPs should send their reports during the NCAs working hours. It should be noted that this principle stands for all kinds of reports.
Q5. Do you support the introduction of a standardised file for submission of incident reports from payment service providers to national competent authorities? If so, what type of structured file format would you support (e.g. “MS Excel”, “xbrl”, “xml”) and why?
FBF agrees and supports a standardised file for submission of incident reports from payment service providers to national competent authoritiesFrench PSPs are satisfied with the current format that is Excel.
Q6. Do you agree with the proposed changes to Guidelines 2.4, 2.7, 2.12, 2.14, and 2.18 that are aimed at simplifying the process of reporting major incidents under PSD2?
FBF agrees with the proposed changes to Guidelines 2.4, 2.7, 2.12, 2.14, and 2.18.Q7. Do you agree with the proposed changes to the templates in the Annex to the Guidelines?
FBF agrees with the proposed changes to the templates in the Annex, with the following remarks:On Section A -Initial Report:
The scope of countries may expand sometimes, and consequently the PSP would have to report such changes on Section B, line 26 “Changes made to previous reports”
FBF would welcome some clarification on the purpose of the following section: “Impact in other EU Member States, if applicable”
Line 35- "Reporting to other authorities” seems to be not needed in practice with a very few number of cases to be reported to other authorities.
On Section B - Intermediate Report:
Line 19 – “Was it related to a previous incident?” – An “unknown” option should be offered
Line 20 – “Were other service providers/third parties affected or involved?” - An “unknown” option should be offered
Line 23– “Date and time when the incident was restored or is expected to be restored (DD/MM/YYYY, HH:MM)” - such expectation is not easy to assess, FBF would propose a deletion of the line.
The sub-categories called Malicious actions and Process failure would require some examples in their description.
On Section C - Final Report:
Line 22 “lessons learnt” – It is important to highlight that this may require more time than the one granted by the final report deadline.
Line 38 “Assessment of the effectiveness of the actions taken” – The timeline may be insufficient to express such assessment.
The sub-category “Information context security” may be amended as “Information content security” to be consistent with the Cyber incident taxonomy.
Regarding the root cause System failure, FBF would recommend adding the category “Infrastructure failure”.