PSD2 major incident reporting guidelines
By Judith Rinearson and Rizwan Qayyum
On 27 July 2017, the European Banking Authority (EBA) published the Final Guidelines (the Guidelines) on major incident reporting under the revised Payment Services Directive (PSD2). The Guidelines were developed in conjunction with the European Central Bank (ECB) and are addressed to all payment service providers and competent authorities within the 28 European Union Member States. With PSD2 expected to take effect in January 2018, the Guidelines further the PSD2 objective of minimising disruption to users, payment service providers and the systems they rely on.
The aim of the Guidelines is to identify the criteria, thresholds and methodology that payment service providers will be expected to apply when determining whether an operational or security incident should be classified as major and therefore notified to the competent authority in the home Member State. In this context, PSD2 assigns the EBA and the ECB a central coordination role: the competent authority in the home Member State swiftly shares details of the incident with the ECB and the EBA, which allows a collective assessment and decision to be made about the significance of the incident to other Union and national authorities. Where appropriate, the EBA and the ECB will notify those authorities accordingly.
The EBA launched the initial consultation on the draft Guidelines on 7 December 2016 and received 43 responses to the Consultation Paper. The final Guidelines summarise these responses and incorporate several amendments to the draft, in particular further defining the criteria, revising one of the thresholds, extending the deadline for the first report and generally clarifying the information to be provided at each stage of reporting.
The Guidelines provide the template that payment service providers are required to use for this notification and for the reports they must send during the lifecycle of the incident, including the timeframes for doing so. The Guidelines also set out the criteria that competent authorities have to use as primary indicators when assessing the relevance of a major operational or security incident to other domestic authorities in the context of PSD2.
The Guidelines will apply from 13 January 2018.