On 10 June 2021 the European Banking Authority (EBA) published its revised Guidelines on major incident reporting under the Payment Service Directive (PSD2).
The revised Guidelines aim to simplify reporting and the corresponding templates, to capture additional security incidents, and to decrease reporting on incidents currently classified as major relating to less significant tasks or single processes.
Directive (EU) 2015/2366 (‘PSD2’) aims to regulate electronic payments within the EU. One of its key objectives is enhancing security which features protection of consumers’ financial data, safe authentication, and a reduction of fraud risk.
Under Article 96(3) of PSD2, the European Banking Authority (‘EBA’), in close cooperation with the European Central Bank (‘ECB’) issues guidelines addressed to:
Major incidents are described under Article 96(1) as ‘major operational or security incidents’. Moreover, under Article 96(4) the EBA shall, in cooperation with the ECB, review these guidelines regularly and at least every 2 years.
As part of this 2-yearly revision process, the EBA has published a revised set of guidelines (‘the Revised Guidelines’), which apply from 1 January 2022, following a two-month consultation period during which it received 29 responses raising 82 different concerns. The most significant revisions are described below.
New Classification Criterion
In its consultation paper (‘CP’) the EBA proposed a new classification criterion in order to capture more security incidents, namely ‘breach of security measures’. Concerns were raised that the proposed criterion was too broad, cause-based rather than impact-based, difficult to implement and potentially overlapping with other existing criteria in Guideline 1.3.
In revised Guideline 1.3(iii) the EBA narrowed the criterion to ‘Breach of security of network or information systems’, under which:
‘1.3(iii) Payment service providers should determine whether any malicious action has compromised the availability, authenticity, integrity or confidentiality of network or information systems (including data) related to the provision of payment services.’
Standardised File for Submission of Incident Reports to the EBA/ECB
In its CP the EBA initially favoured the introduction of a standardised file for submission of incident reports from PSPs to their respective Competent Authorities. This approach was abandoned mainly owing to the increased cost and administrative burden of amending national reporting systems. The EBA instead settled for the introduction of a standardised file for submission of incident reports between the Competent Authorities and the EBA/ECB.
To that end, revised Guideline 7.1 reads:
‘7.1. Competent authorities should always provide the EBA and the ECB with all reports received from (or on behalf of) payment service providers affected by a major operational or security incident by using a standardised file made available on the website of the EBA.’
Timeline for Classification of Incidents
Following some confusion over the timeframe within which an incident should be classified as ‘major’ after detection, and the timeframe within which an incident so classified should be reported to the Competent Authorities, the EBA provided much-needed clarity under revised Guideline 2.9, which is to be read in conjunction with Guideline 2.8:
‘2.8. Payment service providers should send the initial report to the competent authority within four hours from the moment the operational or security incident has been classified as major (…).
2.9. Payment service providers should classify the incident (…) in a timely manner after the incident has been detected, but no later than 24 hours after the detection of the incident (…) If a longer time is needed to classify the incident, payment service providers should explain in the initial report submitted to the competent authority the reasons why.’ (our emphasis)
Thresholds and Incident Duration
Of note is the overall increase in the threshold levels for the ‘transactions affected’ criterion at both the lower and higher impact levels: from €100,000 to €500,000 for lower impact, and from €5,000,000 to €15,000,000 for higher impact.
Moreover, at the lower impact level assessed under the ‘transactions affected’ and ‘payment service users affected’ criteria, the conditions to be fulfilled are no longer cumulative but alternative, and there is the added condition that operational incidents affecting the ability of the service provider to initiate and/or process transactions must last in excess of 1 hour.
Potential Overlap with DORA
On 24 September 2020 the European Commission published its proposal for Digital Operational Resilience for the Financial Sectors (DORA). Currently under negotiation, DORA covers and exceeds the scope of major incident reporting under the Revised Guidelines. The EBA expects DORA to be finalised and to apply in 2024/2025; the Revised Guidelines will therefore apply from 1 January 2022 until then, subject to potential amendments in the meantime.