Response to consultation on Guidelines on major incidents reporting under PSD2
Question 1: Do you consider the definitions included in the draft Guidelines to be sufficiently clear?
“payment related services”
The definition of payment-related services is very wide and should be limited to only those “technical supporting tasks” whose failure would cause a failure of payment services.
“major operational or security incident”
We think that the definition of a ‘major operational or security incident’ (‘A singular event or a series of linked events which have or may have a material adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment-related services’) should not include events which may have only a potential negative impact on the payment services provided. Otherwise, payment service providers will face the fact that any event which may cause an actual incident will have to be reported to the relevant authority as an actual incident (despite the fact that the negative impact on payment services will be only potential).
Question 2: Do you consider the criteria and methodology applicable for the assessment and classification of an incident as major to be sufficiently clear? If not, what should be further clarified?
In our view, reputational impact should not be considered a criterion for assessing the materiality of an operational or security incident. Reputation is a very blurry category, with a lot of uncertainty about how to measure the potential impact on reputation.
Additionally, we believe that “High level of internal escalation” and “crisis mode” may have a negative impact on PSPs’ internal communication processes. It is easy to imagine that such a criterion might create a culture in which reporting is discouraged.