On 10 June 2021, the European Banking Authority (EBA) published its final revised Guidelines on major incident reporting under the Payment Service Directive (PSD2) - (the “Guidelines” - EBA/GL/2021/03).

By Diego Cefaro, Shane Barber, Scott McInnes, Michelle Chan, Annette Printz Nielsen, Ivan Sagál, Konrad Siegler, Kristiina Lehvilä, Cathie-Rosalie Joly, Dr. Michael Jünemann, Slawomir Szepietowski, Kim Kit Ow, José Luis Lorente Howell, Hans Svensson, Trystan Tether, Gregory Man

06-2021


The revised Guidelines are available here.

Introduction and background

Pursuant to article 96(3) of Directive (EU) 2015/2366 (PSD2), the original Guidelines on major incident reporting were developed in 2017 in close cooperation with the European Central Bank (ECB) and have applied since January 2018 (see our previous client alert on this topic here). 

The Guidelines set out the criteria, thresholds and methodology payment services providers (PSPs) must observe in order to determine whether an operational or security incident should be considered as major, and (assuming it qualifies as major) how such an incident should be notified to their national competent authority (NCA), under Article 96(2) PSD2.

In 2020, the EBA launched the review of the Guidelines assessing the reports it had received by then. This consultation was part of the bi-annual review process of the Guidelines set forth in Article 96(4) PSD2 (see our previous client alert on this topic here). 

Following this consultation, the revised Guidelines are aimed at optimising and simplifying the reporting process and templates, focusing on incidents with significant impact on PSPs, and improving the relevance of the information to be reported. The revised Guidelines are also estimated to reduce the reporting burden for PSPs.

The Guidelines will apply as of 1 January 2022.

The EBA acknowledges the ongoing negotiations of the EU Commission’s proposal for an EU regulatory framework on digital operational resilience (DORA), which contains, inter alia, a proposal to harmonise and streamline the reporting of ICT-related incidents, not only for payment services but across the entire EU finance sector (see our publication on DORA here). The EBA will continue monitoring these negotiations. 

Depending on the outcome, the EBA Guidelines may eventually be repealed and replaced with the DORA Regulation, which is currently estimated to apply from 2024.

The revised Guidelines

The most relevant amendments of the Guidelines are the following.

  • New classification criterion

The revised Guidelines introduce changes to some of the original classification criteria and introduce a new criterion on the breach of security of network or information systems, which, following the feedback from the public consultation, was narrowed down in scope from ‘breach of security measures’, as originally proposed. 

After assessing these responses, the EBA arrived at the view that the proposal of the new criterion should be reconsidered, since the proposed criterion is indeed rather broad and may cover unintentional operational incidents. This would result in additional incidents to be reported by PSPs that would be of limited use to NCAs, which in turn would be contrary to the objective of the revision of the Guidelines.

The EBA, therefore, assessed a few options on how to proceed and, in the end, decided that to “focus the criterion on ‘breach of security of network or information systems’” is the most appropriate way to address the concerns raised by the respondents and to meet the objective of capturing additional security incidents that may be of interest to NCAs.

A detailed description of this criterion has therefore been introduced in Guideline 1.3. 

In particular, this (new) criterion focuses on malicious actions that have compromised network or information systems related to the provision of payment services and it would allow the reporting of additional security incidents that would be of interest to supervisors.

  • Timeline for classification of incidents

To reduce the reporting burden on PSPs, the EBA removed unnecessary steps from the reporting process and allowed more time for the submission of the final report to the NCA. 

The EBA proposed in the consultation paper changes in the Guidelines in order to clarify that the four‐hour deadline for submission of an incident report from PSPs to NCAs applies after the incident has been classified as major against the criteria set in the Guidelines. 

A few respondents commented on the timeline for the classification of incidents, noting that additional clarity is needed on the deadline that should apply to the classification of incidents after they are detected.

To address these concerns, the EBA further clarified in Guideline 2.9 that the classification of the incident should take place within 24 hours of its detection, inter alia to avoid situations where PSPs might take an excessively long time to classify the incidents. 

The EBA also clarified in the same Guideline that, on the rare occasions when the incident cannot be classified within 24 hours, the PSP should justify to the NCA why this has been the case.

  • Number of reports and deadline

In order to simplify the incident reporting process and reduce the notification burden on PSPs, the requirement to provide an update of the intermediate report every three days until the major incident is resolved was removed from the Guidelines.

In addition, the revised Guidelines now provide:

  • that a PSP should submit an intermediate report to the NCA once regular activities have been restored and business is back to normal, in line with Guideline 2.12 (previously Guideline 2.13);

  • that, in the event that the PSP becomes aware of a significant change to the information provided in an intermediate report (including the specific case where the incident has not been resolved within three working days but only at a later stage), the PSP should submit another intermediate report (Guideline 2.14). This additional intermediate report has no specific submission deadline and is based on the PSP’s own assessment;

  • an extension of the deadline for the submission of the final report from two weeks to a maximum of 20 working days.

  • Thresholds and calculation methods for the criteria of ‘transactions affected’ and ‘payment services users affected’

As proposed in the consultation paper, the revised Guidelines: 

  • increase the thresholds of the incident classification criterion ‘transactions affected’: the EBA has raised the absolute amount of transactions affected for the lower impact level from 100,000 EUR to 500,000 EUR, and for the higher impact level from 5 million EUR to 15 million EUR;

  • amend the criteria for assessing the lower impact level of ‘transactions affected’ by using the percentage and absolute amount thresholds as alternatives, while adding the condition that, if the incident is of an operational nature and relates to the inability of the PSP to initiate and/or process transactions, it must have lasted at least one hour.
    The same changes apply to the lower impact level of ‘payment services users affected’.
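To make the revised classification and reporting clock concrete, the following Python sketch is an added illustration written for this alert; it is not code from the EBA, from the Guidelines or from Bird & Bird. It encodes only the figures quoted above (500,000 EUR and 15 million EUR for the ‘transactions affected’ criterion, the one-hour duration condition for operational incidents, the 24-hour classification window of Guideline 2.9, the four-hour deadline that runs after classification as major, and the 20-working-day final report). Everything else is an assumption of the example and is marked as such in the code: the percentage threshold for the lower impact level is a placeholder, the higher impact level is tested on the absolute amount only, the 20 working days are counted from the time of classification, public holidays are ignored, and the sample incidents are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


# Figures stated in the alert for the 'transactions affected' criterion.
LOWER_IMPACT_ABS_EUR = 500_000        # lower impact level, raised from 100,000 EUR
HIGHER_IMPACT_ABS_EUR = 15_000_000    # higher impact level, raised from 5 million EUR
MIN_OPERATIONAL_DURATION = timedelta(hours=1)  # added condition for the lower level

# The percentage alternative for the lower level is mentioned but not quantified
# in the alert: PLACEHOLDER value, an assumption of this example only.
LOWER_IMPACT_PCT_PLACEHOLDER = 10.0

# Timeline figures stated in the alert.
CLASSIFY_WITHIN = timedelta(hours=24)       # Guideline 2.9: classify within 24h of detection
INITIAL_REPORT_WITHIN = timedelta(hours=4)  # four-hour deadline runs after classification as major
FINAL_REPORT_WORKING_DAYS = 20              # final report: maximum of 20 working days


class Impact(Enum):
    NONE = "criterion not met"
    LOWER = "lower impact level"
    HIGHER = "higher impact level"


@dataclass
class Incident:
    detected_at: datetime
    amount_affected_eur: float
    pct_of_regular_transactions: float   # share of the regular transaction volume affected
    operational: bool                     # True for an operational (non-malicious) incident
    inability_to_process: bool            # PSP unable to initiate and/or process transactions
    duration: timedelta


def transactions_affected_level(inc: Incident) -> Impact:
    """Assess the 'transactions affected' criterion per the rules described in the alert.

    Assumption of this example: the higher level is tested on the absolute amount only.
    """
    if inc.amount_affected_eur >= HIGHER_IMPACT_ABS_EUR:
        return Impact.HIGHER

    # Lower level: the percentage and the absolute amount thresholds are alternatives.
    meets_lower = (
        inc.amount_affected_eur >= LOWER_IMPACT_ABS_EUR
        or inc.pct_of_regular_transactions >= LOWER_IMPACT_PCT_PLACEHOLDER
    )
    if not meets_lower:
        return Impact.NONE

    # Added condition: an operational incident consisting of the inability to
    # initiate/process transactions only counts if it lasted at least one hour.
    if inc.operational and inc.inability_to_process and inc.duration < MIN_OPERATIONAL_DURATION:
        return Impact.NONE
    return Impact.LOWER


def add_working_days(start: datetime, days: int) -> datetime:
    """Advance by working days, counting Monday to Friday only (public holidays ignored: assumption)."""
    current, counted = start, 0
    while counted < days:
        current += timedelta(days=1)
        if current.weekday() < 5:
            counted += 1
    return current


@dataclass
class Deadlines:
    classification_due: datetime
    classified_late: bool          # True means a justification to the NCA is needed (Guideline 2.9)
    initial_report_due: datetime
    final_report_due: datetime


def reporting_deadlines(detected_at: datetime, classified_at: datetime) -> Deadlines:
    """Derive the reporting clock for an incident that has been classified as major.

    Assumption: the 20 working days for the final report are counted from the moment
    of classification; the alert does not state the reference point.
    """
    classification_due = detected_at + CLASSIFY_WITHIN
    return Deadlines(
        classification_due=classification_due,
        classified_late=classified_at > classification_due,
        initial_report_due=classified_at + INITIAL_REPORT_WITHIN,
        final_report_due=add_working_days(classified_at, FINAL_REPORT_WORKING_DAYS),
    )


if __name__ == "__main__":
    # Constructed sample: a 90-minute processing outage detected on the alert's publication date.
    detected = datetime(2021, 6, 10, 9, 0)
    outage = Incident(detected, 600_000, 2.0, True, True, timedelta(minutes=90))
    print(transactions_affected_level(outage).value)
    print(reporting_deadlines(detected, datetime(2021, 6, 11, 10, 0)))
```

Running the sample shows the two points a PSP's incident playbook has to get right under the revised Guidelines: the same 600,000 EUR outage falls below the lower impact level if it lasted under an hour, and an incident classified 25 hours after detection breaches the Guideline 2.9 window and needs a justification to the NCA even though the four-hour reporting deadline only starts to run from classification.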
  • Reporting standardisation

The EBA also simplified and optimised the standardised reporting template in Annex I. 

Should you have any questions about the above, please do not hesitate to contact one of the members of the Bird & Bird global payments team.

If you would like to receive our regular Payments alerts in your inbox, click here.

If you would like to read Bird & Bird’s previous alerts, please check out our Payments In Focus webpage here.
