Response to consultation paper on the draft revised Guidelines on major incident reporting under PSD2
Go back
However, if further standardisation of files for submission would lead to possible automation possibilities, we would be open for discussing the introduction of more efficient tools and approaches as well.
In addition, we would appreciate a further explanation on the meaning of the following expression: “the 4-hour deadline for submission of the initial report as required under Guideline 2.7 applies from the moment of classification of the incident (and not the detection of the incident). We would especially encourage a more detailed definition of “classification”.
Additionally, we think there is a need for further clarifications:
• On the exact scope of the sub-category “Information context security”.
• Regarding the above-mentioned Point d.) of Deficiencies in the reporting process: we understand that the requirement is not to leave any fields blank in the report. In case the respective field does not apply or is not relevant for the article – is there a preference how to indicate that (eg: n.a/u.a.)? Otherwise, we suggest to add said option to the list.
We would also like to propose to make optional the field “Assessment of the effectiveness of the actions taken” in the template of the final report. It is very time consuming to get the requested information on time and this may entail the inability/impossibility to respect the deadline.
Finally, financial institutions are obliged to be compliant to various reporting obligations, e.g. the “ECB Reporting for significant cyber incidents” reporting scheme. Each reporting obligation is using different classification schemes of incidents, which makes it difficult to reflect in incident management processes and tools. Further harmonisation between the EBA and ECB reporting obligations would be highly appreciated.
Q1. Do you agree with the change proposed in Guideline 1.4 to the absolute amount threshold of the criteria ‘Transactions affected’ in the higher impact level?
Yes, we agree.Q2. Do you agree with the changes proposed in Guideline 1.4 to the assessment of the criteria ‘Transactions affected’ and ‘Payment service users affected’ in the lower impact level, including the introduction of the condition that the operational incidents must have a duration longer than one hour?
Yes, we agree with the increase of the threshold and the duration longer than 2 hours for the operational incidents. At the same time, we would welcome further clarification and examples of the cases where “issues affecting the initiation and/or processing of transactions may be rectified within a period shorter than one hour but the overall unavailability of the PSPs’ services to the payment service user is longer than two hours”.Q3. Do you agree with the inclusion of the new criterion ‘Breach of security measures’ in Guidelines 1.2, 1.3 and 1.4?
Yes, we agree. At the same time, we would also welcome some clarification on how and when PSPs should consider that the criterion “Breach of security measures” is triggered. Would this be at the same level as in ECB’s cyber incident reporting?Q4. Do you agree with the proposed changes to the Guidelines aimed at addressing the deficiencies in the reporting process?
Yes, we agree.Q5. Do you support the introduction of a standardised file for submission of incident reports from payment service providers to national competent authorities? If so, what type of structured file format would you support (e.g. “MS Excel”, “xbrl”, “xml”) and why?
Since major incident reporting is a manual process, we are satisfied with the current solution. As of the current process, other formats than MS Excel are therefore not relevant.However, if further standardisation of files for submission would lead to possible automation possibilities, we would be open for discussing the introduction of more efficient tools and approaches as well.
Q6. Do you agree with the proposed changes to Guidelines 2.4, 2.7, 2.12, 2.14, and 2.18 that are aimed at simplifying the process of reporting major incidents under PSD2?
Yes, we agree.In addition, we would appreciate a further explanation on the meaning of the following expression: “the 4-hour deadline for submission of the initial report as required under Guideline 2.7 applies from the moment of classification of the incident (and not the detection of the incident). We would especially encourage a more detailed definition of “classification”.
Q7. Do you agree with the proposed changes to the templates in the Annex to the Guidelines?
Overall, we agree. We are supportive of the proposed categories and sub-categories of incidents and the terminology used. Nevertheless, we do not consider that the terms and categories are well defined. Indeed, a relevant part of the definitions provided by the EBA is based on examples (e.g. see page 45 of the Consultation Paper). We believe it is necessary that the EBA provides more precise and unambiguous definitions in order to make sure incidents are properly categorized in practice.Additionally, we think there is a need for further clarifications:
• On the exact scope of the sub-category “Information context security”.
• Regarding the above-mentioned Point d.) of Deficiencies in the reporting process: we understand that the requirement is not to leave any fields blank in the report. In case the respective field does not apply or is not relevant for the article – is there a preference how to indicate that (eg: n.a/u.a.)? Otherwise, we suggest to add said option to the list.
We would also like to propose to make optional the field “Assessment of the effectiveness of the actions taken” in the template of the final report. It is very time consuming to get the requested information on time and this may entail the inability/impossibility to respect the deadline.
Finally, financial institutions are obliged to be compliant to various reporting obligations, e.g. the “ECB Reporting for significant cyber incidents” reporting scheme. Each reporting obligation is using different classification schemes of incidents, which makes it difficult to reflect in incident management processes and tools. Further harmonisation between the EBA and ECB reporting obligations would be highly appreciated.