In general, we consider the definitions in the draft guidelines to be relatively clear and straightforward. However, we recommend that the following additions/clarifications be made.
• The guidelines should include an explanation of the benefits of collecting the information in the reports and of how the data will be assessed and used.
• The introduction should make clear that reporting to the home member state competent authority does not negate any other obligation to report to other authorities (for example, the Information Commissioner’s Office in the UK).
• It would be helpful to provide an explanation of the economic impact thresholds in level 2.
• It would be helpful to confirm (if it is the case) that the final report is, indeed, the final report and that even if the report has had to be submitted ahead of the identification of the final root cause, no further report is expected.
As noted above, we believe the economic impact threshold in level 2 could be more clearly defined or explained.
One of the criteria, namely "Reputational impact", suggests that a PSP should anticipate whether a potential incident would be high profile or not. This could be nearly impossible to predict, and there is a danger that PSPs would disproportionately look for incidents with the potential to create media attention, rather than assessing this criterion alongside the other, quantitative factors. Perhaps more detail is needed around this criterion.
We expect the quality and comparability of the reporting will be enhanced. However, the qualitative nature of the level 1 thresholds carries the risk that PSPs may over or under report, depending on the nature of the PSP and the attitude of staff.
We recommend adding more detail to the reputational impact and high level of internal escalation criteria.
We consider the information within Annex 1 to be comprehensive enough to give the competent authorities a satisfactory overall picture of the incident.
We recommend that the template is amended to indicate the minimum level of detail needed depending on the type of report. For example, a PSP may be confused as to the level of detail it needs to provide on the template for an initial report: as it currently stands, there is a data field asking the PSP whether or not there have been any previous reports on the same issue, or whether this is the final report. Some indicator on the template of the level of detail needed for the type of report being submitted would aid the efficiency of the process.
The instructions are quite clear and should not cause the PSP confusion. However, it would be helpful to include more detailed instructions around the differences between an initial, intermediate and final report.
We consider the deadline of two hours for an initial report to be feasible, as only a low level of detail is required. The deadline for the final report is made feasible by not requiring the root cause analysis and corrective measures to be included in the report within the two-week deadline.
We anticipate that the timeframe that will cause most difficulty will be the limit of three business days to update the intermediate report. This is because additional information may take longer to acquire, particularly if a criterion such as service downtime turns out to be longer than two hours, resulting in a delay in information gathering.
We propose extending the intermediate deadline from three business days to five business days to reflect these potential difficulties.
The delegated reporting procedure adds value by allowing the business to employ extra resource as needed in order to fulfil the obligation within what will be a very busy and focused timeframe.
The requirement to inform the competent authority of the outsourced relationship will provide an opportunity for PSPs to consider and make firm arrangements with the third party for such a contingency.
The consolidated reporting procedure adds value in respect of efficiency. A potential danger is that it could develop or encourage a habit of technical service providers grouping payment service providers together into a single report when individual reports would be more appropriate, e.g. where the PSPs are experiencing substantially different issues. This could lead to inaccurate reporting. However, the requirements in the guidelines are clear that once it is no longer possible to group PSPs into a single report, the third party must provide information on an individual basis.