The European Banking Authority (EBA) has published new Guidelines on major incident reporting under Directive (EU) 2015/2366 (PSD2). Article 95 PSD2 requires payment service providers to establish a risk management framework that includes effective incident management procedures, including for the detection and classification of major operational or security incidents, and Article 96 PSD2 requires them to notify major incidents to the competent authority without undue delay. The new Guidelines set out the criteria payment service providers must use to determine what constitutes a major incident (and therefore which incidents must be notified to the competent authority), and set out the criteria competent authorities must use when assessing the relevance of reported incidents and how they should share those incidents with other domestic authorities.
What do the new Guidelines contain?
For payment service providers, the new Guidelines:
- set out the criteria, thresholds and methodology to be used by payment service providers to determine whether or not an operational or security incident should be considered major and, therefore, be notified to the competent authority in the home Member State; and
- establish the template that payment service providers will have to use for this notification, and the reports they have to send during the lifecycle of the incident, including the timeframes for doing so.
Where permitted by the competent authority, the Guidelines allow payment service providers to delegate their incident reporting obligations to a third party, provided that a number of conditions are met. According to the EBA, this possibility ensures that the provisions and tools offered in the Guidelines mirror current practice on incident reporting.
Additionally, the Guidelines give payment service providers the possibility of reporting their incidents through a designated third party (e.g. an account information service provider or a payment initiation service provider) in a report consolidated with those of other affected payment service providers established in the same Member State, on the condition that the incident was caused by a disruption in the services provided by that third party.
For competent authorities, the new Guidelines:
- set out criteria to assess the relevance of a major operational or security incident to other domestic authorities;
- set out the minimum information that competent authorities should share with these domestic authorities when an incident is considered of relevance;
- set out the reporting process between competent authorities in the home Member State and the EBA/ECB.
How do the new Guidelines affect you?
PSD2 must be implemented into national law by 13 January 2018. These Guidelines clarify the requirements under Article 96(3) PSD2 and should be reflected in your incident management procedures, in particular in how incidents are classified and in the notification timelines and templates you use.
If you have any questions, please contact Willem Röell or Christian Godlieb.
DNB to provide more information on the implementation of PSD2 in September
The DNB has indicated that it aims to provide more information on the implementation of PSD2 in September 2017, among other initiatives by organising a seminar on this topic on 26 September 2017.