SWIFT supports the efforts of the European Banking Authority (EBA) to facilitate the reporting of major incidents under PSD2 to the national competent authorities. We believe sharing incident information is very important as it allows institutions to learn from each other’s experience and ensures a coordinated approach when tackling common issues. It also enables the pooling of experience and knowledge, which helps in identifying best practice when responding to specific types of incidents. It also facilitates the decision-making process on what potential action should be taken in each situation.
As incident reporting will also be required under other forthcoming legislation, such as the Fourth Anti-Money Laundering Directive and the Network Information Security Directive, we recommend bringing some overall uniformity to reporting requirements. We therefore welcome the introduction of a template for incident reporting as this will standardise reporting and facilitate the processing of the reported information.
We have further suggestions regarding the proposed template, as follows:
General Details Section
PSP Unique Identifier Number: to avoid the use of domestic identification numbers, which would prevent simple identification in other jurisdictions, we propose the use of an international identification scheme such as the Legal Entity Identification (LEI) – ISO 20275.
Incident Discovery Section
Date and time of beginning of incident: we suggest the addition of a Time Zone field (e.g. GMT, UTC +2) to avoid any misunderstanding.
Incident Classification Section
Overall impact: we suggest adding a field indicating whether the impacted institution has recovered from the incident. This will allow the national authority to threat the notification with the appropriate priority.
Clients affected: in addition to the number of clients impacted, we suggest a field to indicate if any counterparts were impacted.
Incident Mitigation Section: we believe following questions could be usefully added:
1. Have you filed a complaint with the local police? Have you reported this incident with other local authorities?
2. Have you informed your technical provider?
3. Have you performed a full forensic investigation of your environment?