On 27 July 2017, the EBA adopted final guidelines on major incident reporting, providing more granularity to the incident reporting obligations contained in Article 96 of PSD2. This short article seeks to summarise the salient points contained in those guidelines, as well to shed light on links that exist between Article 96 PSD2 and the EU General Data Protection Regulation (GDPR)1 and the NIS (or cybersecurity) directive2.
At least 17 EU Member States have compulsory operational incident reporting requirements in place that payment service providers (PSPs) have to comply with. However, there are disparities in the criteria used by competent authorities for the fulfilment of those reporting obligations, the notification procedure to be followed, etc, thereby hampering the establishment of a level-playing field and internal market for payment services in the EU.
Although the major incident notification requirements contained in the Article 96(1) PSD2 will require PSPS to adjust their IT systems/databases to the new reporting requirements, it is expected that the EU-wide common standard will ensure, together with the EBA guidelines, a uniform framework for major incident reporting across the EU, and therefore will benefit PSPs operating in different EU countries compared to today's situation.
In addition to Article 96(1) PSD2 which imposes notification requirements upon PSPs, Article 96(2) PSD2 imposes requirements upon public authorities to share amongst each other information about incidents. It is Article 96(3) that confers the EBA a mandate to issue guidelines addressed to PSPs (on the classification of incidents, as well as the content, form and procedure for notifications) and to authorities (on how to assess the relevance of incident for other authorities).
On 7 December 2016, the EBA launched a consultation on draft Guidelines on major incident reporting, which ended on 7 March 2017. Following analysis of the 43 responses to that consultation, the EBA published the final guidelines on 27 July 2017 which are available here.
Like all EBA guidelines, the final guidelines on incident reporting are subject to a "comply or explain" principle, meaning that national competent authorities should decide whether they will enforce those guidelines in their country, or not. Given the above stated PSD2 objective of having more consistent and efficient incident reporting mechanisms in place in all EU countries, it is expected that all, or almost all, national competent authorities will decide to "comply" with the EBA guidelines. They will become applicable on 13 January 2018, i.e. the deadline for Member States to implement PSD2 within their national legal order.
1. Notification requirements for PSPs
Article 96(1) PSD2 provides that:
"In the case of a major operational or security incident, payment service providers shall, without undue delay, notify the competent authority in the home Member State of the payment service provider.
Where the incident has or may have an impact on the financial interests of its payment service users, the payment service provider shall, without undue delay, inform its payment service users of the incident and of all measures that they can take to mitigate the adverse effects of the incident" (emphasis added).
The EBA guidelines only deal with the notification requirement to competent authorities, and therefore does not deal with the notification to the payment service users.
The first part of the guidelines defines EU-wide criteria and thresholds to be used to assess whether or not an operational or security incident should be considered as "major" (and therefore to be reported to the competent authority), or not.
The table below, which is extracted from the EBA guidelines (page 23), contains seven quantitative and qualitative criteria. An incident qualifies as "major" if either one (or more) criteria of ‘Higher impact level’ are met, or at least three criteria of the 'Lower impact level'.
|Criteria||Lower impact level||higher impact level|
> 10% of the payment service provider's regular level of transactions (in terms of number of transactions)
> EUR 100,000
> 25% of the payment service provider's regular level of transactions (in terms of number of transactions)
> EUR 5 million
|Payment services users affected||
> 10% of the payment service provider's payment service users
> 25% of the payment service provider's payment service users
|Service downtime||> 2 hours||Not applicable|
|Economic impact||Not applicable||
> Max. (0.1% Tier 1 captial, EUR 200,000)
> EUR 5 million
|High level of internal escalation||Yes||Yes, and a crisis mode (or equivalent) is likely to be called upon)|
|Other payment service providers por relevant infastructures potentially affected||Yes||Not applicable|
|Reputational impact||Yes||Not applicable|
For more information about the meaning of each of these criteria, see pages 20-23 of the EBA guidelines.
If an operational or security incident qualifies as "major", PSPs should produce incident reports to the competent authority in the home Member State, using the template provided by the EBA in annex to the guidelines. There are three kinds of reports, corresponding to the three different sections of the template (PSPs are therefore expected to complete each of the sections in a cumulative way, so that the final report contains information on all fields):
PSPs may delegate their incident-reporting obligations to a third party provided that the delegation complies with the requirement for the outsourcing of important operational functions, and after having informed the local competent authority (see section 3.1 of the guidelines).
When an incident originates from a third party provider used by several PSPs (e.g. a processor), the PSPs using that third party may entrust the incident reporting requirement to that third party, who will report the incident on a consolidated basis (see section 3.2 of the guidelines).
2. Notification requirements for competent authorities
Article 96(2) PSD2 provides that:
"Upon receipt of the notification referred to in paragraph 1, the competent authority of the home Member State shall, without undue delay, provide the relevant details of the incident to EBA and to the ECB. That competent authority shall, after assessing the relevance of the incident to relevant authorities of that Member State, notify them accordingly.
EBA and the ECB shall, in cooperation with the competent authority of the home Member State, assess the relevance of the incident to other relevant Union and national authorities and shall notify them accordingly. The ECB shall notify the members of the European System of Central Banks on issues relevant to the payment system.
On the basis of that notification, the competent authorities shall, where appropriate, take all of the necessary measures to protect the immediate safety of the financial system." (emphasis added)
In the EBA guidelines, it is confirmed that the national competent authorities should always provide the EBA and the ECB with all reports (initial, intermediate and final reports) received from PSPs affected by a major operational or security incident. No specific timeframe for sending these reports has been determined by the EBA in the guidelines, but only a requirement to "avoid delays" in the transmission of the information (section 8.2 of the EBA guidelines guidelines).
In addition, national competent authorities should assess if a major or security incident could be relevant to other national competent authorities. The EBA provides with a list of criteria to be used by a national authority in order to make that assessment (see section 5.1 of the guidelines). Once other national authorities have been identified, the national authority should share with them a number of pieces of information (see section 6.2 of the guidelines). The information should be shared, as a minimum, at the time of receiving the initial report, and when they are notified that business is back to normal4.
3. Links between PSD2, on the one hand, and GDPR and NIS directive, on the other hand
It is important to note that links exist between the above-mentioned notification requirement under PSD2, and in those set out in the GDPR and the NIS directive, creating potential confusion for PSPs:
The author is grateful to Constance Eckardt-Descout for the preparatory work on this article.
This article was first published in the October edition of Payments & FinTech Lawyer.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
2 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
3 In the draft version of the guidelines, the EBA has proposed 2 hours.
4 It should be noted that the guidelines seem to adopt a contra legem interpretation of Article 96(2) PSD2. According to Article 96(2), it is "the EBA and the ECB [which] shall, in cooperation with the competent authority of the home Member State, assess the relevance of the incident to other relevant Union and national authorities and shall notify them accordingly. […]". However, the guidelines seem to entrust that assessment and the actual notification to the national authority.