Response to consultation on Guidelines on major incidents reporting under PSD2

Go back

Question 1: Do you consider the definitions included in the draft Guidelines to be sufficiently clear?

Yes, we consider that the definitions included in the draft Guidelines are sufficiently clear and we do not have any comments.

Question 2: Do you consider the criteria and methodology applicable for the assessment and classification of an incident as major to be sufficiently clear? If not, what should be further clarified?

Concerning the methodology for the assessment and classification of major incidents (point 1.5 of Guideline 1 “Incident classification” and point 20 of the chapter 3.2 “Rationale”) we ask for a clarification on the rationale behind the choice of a minimum threshold of 3 criteria reaching a level 1 severity, and 1 criteria reaching a level 2 severity to classify an incident as major.

Question 3: Do you consider that the methodology will capture all of / more than / less than those incidents that are currently considered major? Please explain your reasoning.

In our view, the criteria and the methodology are thorough and allow to identify and evaluate any kind of major incidents. However, please consider also our comment provided in response 2.

Question 4: In particular, do you propose to add, amend and/or remove any of the thresholds referred to in Guideline 1.3? If so, please explain your reasoning.

In our view, the thresholds should be defined in terms of parameters instead of absolute values, so that they can be better adjusted to the different operational practices. Therefore, we propose that absolute values would be used only when it is not possible to define a parametric threshold (such as, for example, for the AISPs).

Question 5: Do you think that the information depicted in the template in Annex 1 is sufficient to provide competent authorities in the home Member State with a suitable picture of the incident? If not, which changes would you introduce? Please explain your reasoning.

We deem that the proposed template is sufficient to meet the objectives mentioned.

Question 6: Are the instructions provided along with the template sufficiently clear and helpful to remove any doubts that could arise when completing the required fields? If not, please explain your reasoning.

The instructions provided are clear and helpful to fill the template.

Question 7: As a general rule, do you consider the deadlines and circumstances that should trigger the submission of each type of report (i.e. initial, intermediate and final) feasible? If not, please provide a reasoning and justify any alternative proposal.

In our view, the drafting of the initial report shall start when the incident is classified as “major” and not when the incident has been detected (see point 2.8 of the guidelines).

Question 8: Do you consider I that the delegated reporting procedure proposed in the draft Guidelines will provide added value to the market? Please explain your reasoning.

We believe that the use of a delegated reporting procedure will provide added value to the market. However, at this stage we are not considering this opportunity.

Question 9: Do you consider that the consolidated reporting procedure proposed in the draft Guidelines will provide added value to the market? Please explain your reasoning.

We deem that the use of a consolidated reporting procedure will provide added value to the market. However, at this stage we are not considering this opportunity.

Name of organisation

Intesa Sanpaolo S.p.A.