ARTICLE
8 August 2017

New Guidelines On Major Incident Reporting Under PSD 2

DB
De Brauw Blackstone Westbroek N.V.

Contributor

De Brauw Blackstone Westbroek is a leading international law firm, trusted by clients for over 150 years due to its deep engagement with their businesses and a clear understanding of their ambitions. While rooted in Dutch society, the firm offers global coverage through its network of top-tier law firms, ensuring seamless, tailored legal solutions. De Brauw’s independence enables it to choose the best partners while remaining a trusted, strategic advisor to clients worldwide.

The firm emphasizes long-term investment in both its client relationships and its people. De Brauw’s legal training institutes, De Brauwerij and The Brewery, cultivate diverse talent, preparing the next generation of top-tier lawyers through rigorous training and personal development. Senior leadership traditionally rises from within, maintaining the firm’s high standards and collaborative culture.

The European Banking Authority has published new Guidelines on major incident reporting, under Directive (EU) 2015/2366 (PSD2).
European Union Finance and Banking

The European Banking Authority has published new Guidelines on major incident reporting, under Directive (EU) 2015/2366 (PSD2). Article 96 PSD2 requires payment services providers to establish a framework to maintain effective incident management procedures, including for the detection and classification of major operational or security incidents. The new Guidelines set out criteria for payment services providers to determine what constitutes a major incident (and therefore identify incidents which must be notified to the competent authority) and sets out the criteria for competent authorities to use when assessing the relevance of reported incidents and how to share these incidents with other domestic authorities.

What do the new Guidelines contain?

For payment services providers, the new Guidelines:

  1. set out the criteria, thresholds and methodology to be used by payment services providers to determine whether or not an operational or security incident should be considered major and, therefore, be notified to the competent authority in the home Member State; and
  2. establish the template that payment services providers will have to use for this notification, and the reports they have to send during the lifecycle of the incident, including the timeframe to do so;

Where permitted by the competent authority, the Guidelines allow for the possibility that payment services providers delegate their incident reporting obligations to a third party, provided that a number of conditions are met. According to the EBA, this possibility will ensure that the provisions and tools offered in the Guidelines mirror the current practice on incident reporting.

Additionally, the Guidelines provide payment services providers the possibility of reporting their incidents through a designated third party (e.g. an account information service provider, or a payment initiation service provider) in a way that is consolidated with other affected payment services providers with their seat in the same Member State, under the condition that the incident has been caused by a disruption in the services provided by that third party.

For competent authorities, the new Guidelines:

  1. set out criteria to assess the relevance of a major operational or security incident to other domestic authorities;
  2. set out the minimum information that competent authorities should share with these domestic authorities when an incident is considered of relevance;
  3. set out the reporting process between competent authorities in the home Member State and the EBA/ECB.

How do the new Guidelines affect you?

PSD2 must be implemented into national law as of 13 January 2018. These Guidelines clarify the requirements under article 96 (3) PSD2, and should be included in your incident management procedures.

For the new Guidelines, click here. If you have any questions, please contact Willem Röell or Christian Godlieb.

DNB to provide more information on the implementation of PSD2 in September

The DNB has indicated that it aims to provide more information on the implementation of PSD2 in September 2017, by, among other initiatives, organising a seminar on this topic on 26 September 2017. For more information, please click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More