PSD2: EBA proposes changes to Guidelines on major incident reporting after latest review

Following the EBA’s latest mandated review of its July 2017 Guidelines on major incident reporting under PSD2, the EBA is consulting on specific proposals, including changes to the reporting thresholds and criteria to improve the accuracy of what gets reported, and improvements to the reporting process to make compliance easier for PSPs. The revised Guidelines are expected to come into force on 1 October 2021. With the end of the post-Brexit transition period fast approaching, the FCA has recently confirmed that its “supervisory expectation in respect of [European Supervisory Authorities (ESA)] Guidelines and Recommendations remains the same” unless it has notified the relevant ESA otherwise. The FCA will consider new or updated guidance issued after the end of the transition period and, where appropriate, set out expectations as to how it should be treated. Firms should therefore expect to be told by the FCA whether they need to comply with the updated version of these Guidelines once published.

By way of reminder, PSD2 requires firms to report major operational or security incidents in line with Guidelines published by the EBA. The current Guidelines define a major incident as an operational or security incident that meets one or more specified criteria at the ‘Higher impact level’ or three or more such criteria at the ‘Lower impact level’.

PSD2 requires the EBA to review its incident reporting Guidelines at least every 2 years (Art 96(4)). Following its latest review, the EBA found that the number of reports varies significantly between Member States, as does the average number of reports per payment service provider (PSP).

According to the consultation paper containing the draft revised Guidelines, only 38% of credit institutions filed reports and just 6% of payment or e-money institutions – suggesting underreporting and a lack of awareness of the Guidelines. The EBA believes this results from the application of the Guidelines by PSPs rather than the Guidelines themselves. However, it has proposed some specific changes.

Thresholds and criteria

The majority of the submitted incidents (around 95%) were categorised by PSPs as being of an operational nature and very few were security incidents (5%). The EBA believes this is due to:

  • a large number of reported operational incidents appearing to have a very low impact on the institution, with most of them related to failure of less significant tasks and single processes (e.g. further processing of batch-payments in net settlement systems, temporary glitches) without a significant impact on the PSP or its payment service users (PSUs);
  • some of the security incidents not being captured by the current criteria and thresholds; and
  • the quantitative threshold for ‘Transactions affected’ leading to very uneven numbers between the operational and security incident reports, and in particular the threshold set for the higher impact level is too low for operational incidents.

The EBA also observed that reporting was most often triggered because of the thresholds of the following criteria being met:

  • Transactions affected (mainly higher impact level);
  • Service downtime;
  • High level of internal escalation (lower impact level);
  • Reputational impact; and
  • Payment service users affected (mainly higher impact level).

As a result, the EBA proposes the following changes to its thresholds/criteria:

Criteria (struck-through figures in the EBA's draft are shown here as "previously ..."):

Transactions affected
  Lower impact level: > 10% of the PSP's regular level of transactions, or > EUR 500,000 (previously EUR 100,000; the two limbs were previously cumulative, "and", and would become alternatives, "or"); and, in either case, duration > one hour*
  Higher impact level: > 25% of the PSP's regular level of transactions, or > EUR 15,000,000 (previously EUR 5,000,000)

Clients affected
  Lower impact level: > 5,000 clients, or > 10% of the PSP's clients (previously cumulative, "and"); and, in either case, duration > one hour*
  Higher impact level: > 50,000 clients, or > 25% of the PSP's clients

Service downtime
  Lower impact level: > 2 hours
  Higher impact level: N/A

Breach of security measures**
  Lower impact level: Yes
  Higher impact level: N/A

Economic impact
  Lower impact level: N/A
  Higher impact level: > Max(0.1% of Tier-1 capital, EUR 200,000), or > EUR 5,000,000

High level of internal escalation
  Lower impact level: Yes
  Higher impact level: Yes, and a crisis mode (or equivalent) was called upon

Other PSPs or relevant infrastructures potentially affected
  Lower impact level: Yes
  Higher impact level: N/A

Reputational impact
  Lower impact level: Yes
  Higher impact level: N/A


* Only in respect of operational incidents that affect the ability of the PSP to initiate and/or process transactions. This duration element is distinct from the separate ‘Service downtime’ criterion. The EBA considers that, while the two may overlap for a small subset of major incidents, there are cases where the issues affecting the initiation and/or processing of transactions are rectified in under an hour while the overall unavailability of the PSP’s services to PSUs lasts longer than two hours.

** This new criterion would cover cases where one or more security measures, as referred to in Guideline 3.4.1 of the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04), have been violated, with impacts on the availability/integrity/confidentiality/authenticity of payment services related data, processes and/or systems of the PSP, its PSUs or a third party to which operational functions have been outsourced.
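As an added worked example, not part of the EBA's consultation paper or of this note's original text, the following Python encodes the proposed thresholds above as a classifier over an incident record, applying the "one higher-level or three lower-level criteria" rule from the current Guidelines together with the asterisked one-hour duration element. The thresholds are those in the draft; the Incident record and its field names, the three sample incidents, and the reading of footnote * (that the duration element gates only operational incidents affecting transaction initiation/processing, so a security incident is judged on the volume thresholds alone) are this example's own assumptions.

```python
from dataclasses import dataclass

# Thresholds from the draft revised Guidelines (EBA consultation closing
# 14 December 2020), as summarised in the table above. EUR, percent, hours.
LOWER_TX_PCT, LOWER_TX_EUR = 10.0, 500_000
HIGHER_TX_PCT, HIGHER_TX_EUR = 25.0, 15_000_000
LOWER_CLIENTS, LOWER_CLIENTS_PCT = 5_000, 10.0
HIGHER_CLIENTS, HIGHER_CLIENTS_PCT = 50_000, 25.0
LOWER_DOWNTIME_H = 2.0
TX_DURATION_GATE_H = 1.0                               # the asterisked "duration > one hour"
ECON_TIER1_FRACTION, ECON_FLOOR_EUR = 0.001, 200_000   # "0,1 % Tier-1 capital", EUR 200,000
ECON_ABS_EUR = 5_000_000


@dataclass
class Incident:
    """One incident record. Field names are this example's own, not EBA template fields."""
    operational: bool            # True = operational incident, False = security incident
    affects_tx_processing: bool  # hits the PSP's ability to initiate and/or process transactions
    tx_impact_duration_h: float  # how long that ability was affected
    tx_affected_pct: float       # share of the PSP's regular level of transactions
    tx_affected_eur: float
    clients_affected: int
    clients_affected_pct: float
    service_downtime_h: float    # overall unavailability of services to PSUs
    security_measure_breached: bool
    economic_impact_eur: float
    tier1_capital_eur: float
    internal_escalation: bool
    crisis_mode: bool
    other_psps_affected: bool
    reputational_impact: bool


def duration_gate(inc: Incident) -> bool:
    """Footnote *: the one-hour element applies only to operational incidents that affect
    transaction initiation/processing. Treating every other incident as passing the gate
    (so the volume thresholds stand on their own) is this example's assumption."""
    if inc.operational and inc.affects_tx_processing:
        return inc.tx_impact_duration_h > TX_DURATION_GATE_H
    return True


def lower_level(inc: Incident) -> dict:
    """Lower-impact-level criteria met (criterion name -> bool)."""
    gate = duration_gate(inc)
    return {
        "transactions affected": gate and (inc.tx_affected_pct > LOWER_TX_PCT
                                           or inc.tx_affected_eur > LOWER_TX_EUR),
        "clients affected": gate and (inc.clients_affected > LOWER_CLIENTS
                                      or inc.clients_affected_pct > LOWER_CLIENTS_PCT),
        "service downtime": inc.service_downtime_h > LOWER_DOWNTIME_H,
        "breach of security measures": inc.security_measure_breached,
        "high level of internal escalation": inc.internal_escalation,
        "other PSPs/infrastructures affected": inc.other_psps_affected,
        "reputational impact": inc.reputational_impact,
    }


def higher_level(inc: Incident) -> dict:
    """Higher-impact-level criteria met (criterion name -> bool); no duration gate here."""
    econ_threshold = max(ECON_TIER1_FRACTION * inc.tier1_capital_eur, ECON_FLOOR_EUR)
    return {
        "transactions affected": (inc.tx_affected_pct > HIGHER_TX_PCT
                                  or inc.tx_affected_eur > HIGHER_TX_EUR),
        "clients affected": (inc.clients_affected > HIGHER_CLIENTS
                             or inc.clients_affected_pct > HIGHER_CLIENTS_PCT),
        "economic impact": (inc.economic_impact_eur > econ_threshold
                            or inc.economic_impact_eur > ECON_ABS_EUR),
        "high level of internal escalation": inc.internal_escalation and inc.crisis_mode,
    }


def classify(inc: Incident) -> tuple:
    """Major if >= 1 higher-level criterion or >= 3 lower-level criteria are met.
    Returns (is_major, higher-level criteria met, lower-level criteria met)."""
    hi = [k for k, v in higher_level(inc).items() if v]
    lo = [k for k, v in lower_level(inc).items() if v]
    return (len(hi) >= 1 or len(lo) >= 3), hi, lo


# Constructed sample incidents (not real reports). Tier-1 capital EUR 50m throughout.
# A 45-minute batch-processing glitch: crosses the 10% volume limb but not the
# one-hour duration element, so "transactions affected" is not met.
GLITCH = Incident(True, True, 0.75, 12.0, 300_000, 6_000, 2.0, 0.75,
                  False, 0, 50_000_000, False, False, False, False)
# A credential compromise: security incident, so no duration gate; three lower-level
# criteria met (clients affected, breach of security measures, internal escalation).
CREDENTIAL_LEAK = Incident(False, False, 0.0, 0.5, 40_000, 7_500, 1.5, 0.0,
                           True, 120_000, 50_000_000, True, False, False, False)
# A three-hour core outage handled in crisis mode: higher-level criteria met outright.
OUTAGE = Incident(True, True, 3.0, 30.0, 2_000_000, 20_000, 8.0, 3.0,
                  False, 400_000, 50_000_000, True, True, True, True)

if __name__ == "__main__":
    for name, inc in [("GLITCH", GLITCH), ("CREDENTIAL_LEAK", CREDENTIAL_LEAK), ("OUTAGE", OUTAGE)]:
        major, hi, lo = classify(inc)
        print(f"{name}: major={major} higher={hi} lower={lo}")
```

The glitch case is the one worth keeping in any test suite for such a rule set: it crosses a volume limb but not the duration element, which is exactly the class of low-impact operational report the EBA says it wants to thin out. Whatever tooling feeds the initial report should therefore record the start and end of the processing impact separately from overall service downtime, since the two criteria are evaluated independently.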

The EBA observed that the ‘High level of internal escalation’ and ‘Reputational impact’ criteria are often met and reported together. It considered that this may be because these criteria are usually consequential on other criteria being triggered, may be ticked by institutions erring on the safe side, and are very subjective. It proposes minor amendments to the description of these criteria in Guideline 1.3 and to the examples in the Annex to the Guidelines to clarify when they should be used.

The EBA also concluded that many PSPs cannot differentiate between ‘availability’ and ‘continuity’ as properties that may be affected by an operational or security incident. Since the two are very close in nature, the EBA proposes to merge them into ‘availability’ and expand the definition of that term to “the property of payment-related services being fully accessible and usable by payment service users, according to acceptable predefined levels.”

Deficiencies in the reporting process

The EBA also identified certain issues PSPs have had in complying with the reporting process, in some cases breaching the requirements. These include using variations of the templates, providing the initial, intermediate and final reports as separate items rather than incrementally, missing deadlines, not providing sufficient detail, and in some cases not updating previously supplied information or reclassifying incidents as non-major.

The EBA seeks to remedy this by introducing a standardised file of templates, clarifying the requirements for incremental reports (e.g. when submitting the intermediate report, the PSP should include the initial report – updated as necessary), changing the type and level of data required to increase granularity and ensure all fields are populated, easing the deadlines for submission, and requiring certain information to be provided to regulators earlier in the process (e.g. high level information on the type of incident and relevant criteria should be provided in the initial report, high level information on the cause in the intermediate report, and more granular detail in the final report).

UK FCA approach to EU guidelines after end of post-Brexit transition period on 31 December 2020 (or “implementation period completion day” (IPCD))

In updated guidance published on 1 October 2020, the FCA stated that its “supervisory expectation in respect of [European Supervisory Authorities (ESA)] Guidelines and Recommendations remains the same. Persons requiring authorisation or recognition to continue to provide services in the UK post-IPCD will become subject to these expectations.” The FCA has notified the ESAs where it intends not to comply with all or part of a particular Guideline, but the EBA Guidelines on major incident reporting are not among the examples it lists.

After the transition period, the FCA “may determine that firms, financial institutions or market participants are no longer expected to ‘make every effort to comply’ with a particular pre-IPCD Guideline, for example, due to changes made to the relevant legislation”. However, the FCA also states that in those circumstances it may issue guidance accordingly. As for new or updated guidance issued after the end of the transition period, the FCA will consider such materials and, where appropriate, set out expectations as to how they should be treated.

UK FCA approach to incident reporting

The Supervision manual (SUP) in the FCA Handbook requires UK PSPs to comply with the relevant parts of the EBA Guidelines on incident reporting when notifying the FCA of a major operational or security incident under Reg 99 of the PSRs (SUP 15.14.20D). The Guidelines referenced are those “as issued on 27 July 2017”; as drafted, SUP does not cater for amendments.

In light of the above, firms should expect to be told by the FCA if they need to comply with the updated version of these Guidelines once published.

Next steps

The EBA consultation closes on 14 December 2020. It will publish a final report in due course, and the revised Guidelines are expected to come into force on 1 October 2021.

If you would like to discuss any of the above, please contact us.


Authored by Charles Elliott


© 2024 Hogan Lovells.