The European Banking Authority (EBA) published today the Final Guidelines on major incident reporting under the revised Payment Services Directive (PSD2). The Guidelines were developed in close cooperation with the European Central Bank (ECB), are addressed to all payment services providers and competent authorities in the 28 EU Member States, and contribute to the objective of the PSD2 of minimizing disruption to users, payment service providers and payment systems.
The Guidelines set out the criteria, thresholds and methodology to be used by payment service providers in order to determine whether an operational or security incident should be considered major and, therefore, be notified to the competent authority in the home Member State. In developing the Guidelines, the EBA and ECB have built on the experience across national jurisdictions and authorities and assessed existing similar practices for incident reporting.
More specifically, these Guidelines provide the template that payment service providers are required to use for this notification and the reports they have to send during the lifecycle of the incident, including the time frame to do so. The Guidelines also establish a set of criteria that competent authorities have to use as primary indicators when assessing the relevance of a major operational or security incident to other domestic authorities in the context of the PSD2. Moreover, they detail the minimum information that competent authorities should share with these domestic authorities when an incident is considered of relevance for the latter.
Following the analysis of the 43 responses received during the public consultation, the EBA has made some amendments to the Guidelines. In particular, it has further defined the criteria, reviewed one of the thresholds, extended the deadline for the first report, streamlined the amount of information to be provided at that stage, and generally clarified the information to be provided in each of the reports.
The Guidelines will apply from 13 January 2018.
Article 96(3) of Directive (EU) 2015/2366 on Payment Services in the Internal Market (PSD2) confers on the European Banking Authority (EBA) the mandate to develop, in close cooperation with the European Central Bank (ECB), Guidelines addressed to payment service providers on the classification and notification of major operational or security incidents, and to competent authorities on the criteria to assess their relevance and the details to be shared with other domestic authorities.