Holland FinTech Logo
Guest Blog
eman 1-4
Published
Share

Bird&Bird Guest Blog: EBA consults on changes to its guidelines on major incident reporting under PSD2

On 14 October 2020, the European Banking Authority (EBA) launched a public consultation on the revision of the current EBA Guidelines on major incident reporting under Directive (EU) 2015/2366 (PSD2) -EBA/GL/2017/10- (the “Guidelines”). Industry stakeholders interested in submitting their input to the consultation paper can do so until 14 December 2020. The consultation paper is available here.

The Guidelines set out the criteria, thresholds and methodology payment services providers (PSPs) will have to observe in order to determine whether an operational or security incident should be considered as major, and (assuming it qualifies as major) how such an incident should be notified to their national competent authority (NCA), under Article 96(2) PSD2.

This consultation is part of the bi-annual review process of the Guidelines set forth in Article 96(4) PSD2. The EBA assessed incidents reported in 2018 and 2019 and the ways in which they were notified to the different NCAs. The result of the assessment led the EBA to propose some amendments to the Guidelines which would optimise and simplify; the reporting of major incidents and the underlying templates, the capture of additional security incidents, and relieve NCAs and PSPs from the notification of incidents that are not significant.

The most relevant amendments proposed by the EBA are as follows:

  • New criterion on incident classification

    In addition to the existing criteria to classify incidents as major under the Guidelines (see our previous client alert on this topic here) the EBA proposes to introduce a new incident classification: ‘breach of security measures’.Accordingly, PSPs shall take into account whether one or more security measures (as defined in the EBA Guidelines on ICT and security risk management -EBA/GL/2019/04-) have been breached in order to determine if an incident qualifies as major or not. This amendment is aimed at capturing incidents where the breach of the security measures of the PSP has an impact on the availability, integrity, confidentiality and/or authenticity of the payment services related data, processes and/or systems of the PSP, its users or a third party to which operational functions have been outsourced.
  • Thresholds to be increased, new calculation methods for the criteria of ‘transactions affected’ and ‘payment services users affected’

    The EBA proposes to increase the thresholds of the incident classification criteria: ‘Transactions affected, in relation to this, the EBA has increased the total amount of transactions affected with lower impact level from; 100,000 EUR to 500,000 EUR, and from 5 million EUR to 15 million EUR for higher impact.In addition to the increase of the threshold of ‘transactions affected’ in the higher impact level, the EBA proposes an amendment to the assessment of the lower impact level of the ‘transactions affected’ by using the percentage and the absolute amount thresholds as alternatives, but also adding a condition where if the incident is of an operational nature and relates to the inability of the PSP to initiate and/or process transactions, the incident must have a duration of at least one hour.

    The same changes are being proposed to the lower impact level of the ‘payment services users affected’.

  • Reporting standardisation

    In order to improve the quality of the reports collected, and to simplify the reporting process for PSPs, the EBA also proposes the use of a common standardised file for reporting major incidents to NCA.The new report template is available in Annex I of the consultation paper on the Guidelines.
  • Reduction of the number of reports

    The EBA proposes a simplification of the incident reporting process and reducing the notification burden on PSPs, in particular by:

    • removing the obligation for PSPs to provide updates to the intermediate reports every 3 working days;
    • extending the deadline for the submission of the final report from 2 weeks to 20 working days;
    • clarifying that the 4-hour deadline applies from the moment the incident has been classified as major (not from the moment when it has been detected).

Read the original article here. Find out more about Bird & Bird here.

Share this Article
Related Insights
All your data in the ID wallet? “We don’t believe in that”
Apr 23, 2024
When will the Dutch ID wallet be available? How does it work?
Mar 14, 2024
M11 Funds: “2024 Will Be The Year Of Broad Institutional Adoption Of Digital Assets”
Dec 21, 2023
Featured
Capture d'écran 2024-03-15 110338
Holland Fintech Digital Transformation Paper 2024
Holland Fintech is proud to present the Digital Transformation Paper 2024. This whitepaper, led by the Holland Fintech working group Digital Transformation in collaboration with Accenture, provides valuable insights into the dynamics and key factors influencing successful collaborations between fintechs and incumbents.
Free Download
Capture d'écran 2024-03-15 105907
Holland Fintech Pavilion at Money 20/20
Money 20/20 – Join our Pavilion! The Holland Fintech Pavilion offers a unique opportunity to connect with a global audience of fintech professionals. Located at the heart of Money 20/20, the pavilion provides a central hub for networking, collaboration, and exposure.
More information
24
Amsterdam Fintech Week
Amsterdam FinTech Week is back on 2-4 October 2024! Be a sponsor, co-organizer, or just participate in our community events.
Learn More

All Rights reserved.

2024 © Servus