The European Banking Authority has published new Guidelines on major incident reporting, under Directive (EU) 2015/2366 (PSD2). Article 96 PSD2 requires payment services providers to establish a framework to maintain effective incident management procedures, including for the detection and classification of major operational or security incidents. The new Guidelines set out criteria for payment services providers to determine what constitutes a major incident (and therefore identify incidents which must be notified to the competent authority) and sets out the criteria for competent authorities to use when assessing the relevance of reported incidents and how to share these incidents with other domestic authorities.
What do the new Guidelines contain?
For payment services providers, the new Guidelines:
Where permitted by the competent authority, the Guidelines allow for the possibility that payment services providers delegate their incident reporting obligations to a third party, provided that a number of conditions are met. According to the EBA, this possibility will ensure that the provisions and tools offered in the Guidelines mirror the current practice on incident reporting.
Additionally, the Guidelines provide payment services providers the possibility of reporting their incidents through a designated third party (e.g. an account information service provider, or a payment initiation service provider) in a way that is consolidated with other affected payment services providers with their seat in the same Member State, under the condition that the incident has been caused by a disruption in the services provided by that third party.
For competent authorities, the new Guidelines:
How do the new Guidelines affect you?
PSD2 must be implemented into national law as of 13 January 2018. These Guidelines clarify the requirements under article 96 (3) PSD2, and should be included in your incident management procedures.
For the new Guidelines, click here. If you have any questions, please contact Willem Röell or Christian Godlieb.
DNB to provide more information on the implementation of PSD2 in September
The DNB has indicated that it aims to provide more information on the implementation of PSD2 in September 2017, by, among other initiatives, organising a seminar on this topic on 26 September 2017. For more information, please click here.