On 14 October 2020, the European Banking Authority (EBA) launched a public consultation on the revision of the current EBA Guidelines on major incident reporting under Directive (EU) 2015/2366 (PSD2) -EBA/GL/2017/10- (the “Guidelines”). Industry stakeholders interested in submitting their input to the consultation paper can do so until 14 December 2020. The consultation paper is available here.
The Guidelines set out the criteria, thresholds and methodology payment services providers (PSPs) will have to observe in order to determine whether an operational or security incident should be considered as major, and (assuming it qualifies as major) how such an incident should be notified to their national competent authority (NCA), under Article 96(2) PSD2.
This consultation is part of the bi-annual review process of the Guidelines set forth in Article 96(4) PSD2. The EBA assessed incidents reported in 2018 and 2019 and the ways in which they were notified to the different NCAs. The result of the assessment led the EBA to propose some amendments to the Guidelines which would optimise and simplify; the reporting of major incidents and the underlying templates, the capture of additional security incidents, and relieve NCAs and PSPs from the notification of incidents that are not significant.
The most relevant amendments proposed by the EBA are as follows:
- New criterion on incident classification
In addition to the existing criteria to classify incidents as major under the Guidelines (see our previous client alert on this topic here) the EBA proposes to introduce a new incident classification: ‘breach of security measures’.Accordingly, PSPs shall take into account whether one or more security measures (as defined in the EBA Guidelines on ICT and security risk management -EBA/GL/2019/04-) have been breached in order to determine if an incident qualifies as major or not. This amendment is aimed at capturing incidents where the breach of the security measures of the PSP has an impact on the availability, integrity, confidentiality and/or authenticity of the payment services related data, processes and/or systems of the PSP, its users or a third party to which operational functions have been outsourced.
- Thresholds to be increased, new calculation methods for the criteria of ‘transactions affected’ and ‘payment services users affected’
The EBA proposes to increase the thresholds of the incident classification criteria: ‘Transactions affected, in relation to this, the EBA has increased the total amount of transactions affected with lower impact level from; 100,000 EUR to 500,000 EUR, and from 5 million EUR to 15 million EUR for higher impact.In addition to the increase of the threshold of ‘transactions affected’ in the higher impact level, the EBA proposes an amendment to the assessment of the lower impact level of the ‘transactions affected’ by using the percentage and the absolute amount thresholds as alternatives, but also adding a condition where if the incident is of an operational nature and relates to the inability of the PSP to initiate and/or process transactions, the incident must have a duration of at least one hour.
The same changes are being proposed to the lower impact level of the ‘payment services users affected’.
- Reporting standardisation
In order to improve the quality of the reports collected, and to simplify the reporting process for PSPs, the EBA also proposes the use of a common standardised file for reporting major incidents to NCA.The new report template is available in Annex I of the consultation paper on the Guidelines.
- Reduction of the number of reports
The EBA proposes a simplification of the incident reporting process and reducing the notification burden on PSPs, in particular by:
- removing the obligation for PSPs to provide updates to the intermediate reports every 3 working days;
- extending the deadline for the submission of the final report from 2 weeks to 20 working days;
- clarifying that the 4-hour deadline applies from the moment the incident has been classified as major (not from the moment when it has been detected).