BaFin publishes updated circular on reporting major payment incidents

Written By

michael juenemann module
Dr. Michael Jünemann

Partner
Germany

As co-head of the global Finance & Financial Regulation Practice Groups and head of the German Finance & Financial Regulation Practice Group, I advise on national and international finance and capital markets law as well as on commercial and corporate law. I am also a member of the international steering group of our Financial Services Sector Group.

johannes wirtz Module
Johannes Wirtz, LL.M. (London)

Partner
Germany

As partner in our Finance & Financial Regulation Group in Frankfurt, I advise our national and international clients on banking regulatory issues and finance law.

timo foerster Module
Timo Förster

Associate
Germany

As an associate in our Finance & Financial Regulation Practice Group located in Frankfurt, I advise international and national clients on regulatory issues and finance law.

On 9 March 2022, BaFin published an updated circular on the reporting of major incidents at payment service providers pursuant to Section 54 (1) ZAG.

Circular 03/2022 (BA) tracks the EBA's amendments to the Guidelines on major incident reporting under Directive (EU) 2015/2366 (PSD2) in BaFin's administrative practice. The EBA had reviewed and updated these guidelines in 2021. The new circular now presents the legal situation that will apply from 1 October 2022. Simultaneously with the start of the new circular on 1 October 2022, the old BaFin Circular 08/2018 (BA) of 7 June 2018 will be repealed - it will continue to apply until then.

Pursuant to Section 54 (1) sentence 1 of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz - ZAG), a payment service provider must notify BaFin without delay of a major operational or security incident. The BaFin circular specifies the manner in which the obligated companies are required to report and when this is triggered.

Addressees of the circular

The circular is not addressed to all payment service providers under the ZAG. The scope of application includes payment institutions and e-money institutions. In addition, CRR credit institutions and the Kreditanstalt für Wiederaufbau are to comply with the circular if they provide payment services. Central banks and the public sector are thus not covered.

Furthermore, the circular is only applicable if the payment service provider has its registered office in Germany or if it is a branch of a company with its registered office outside the EEA (Section 53 of the German Banking Act (Kreditwesengesetz - KWG) and Section 42 ZAG).

Innovations and adjustments are particularly significant in this context because operational or security incidents must be classified quickly and no later than 24 hours after detection and must be reported as major within four hours of classification.

Major security incident

Payment service providers must report major security incidents to BaFin. The circular now issued by BaFin (as well as its predecessor circular) is intended to support payment service providers in classifying a security incident as "major".

BaFin first defines what it understands by an operational or security incident. In a second step, it can then be clarified whether this operational or security incident is also major within the meaning of section 54 ZAG. The circular defines the term operational or security incident as 

"an incident consisting of a single event or a chain of events which was not intended by the payment service provider and which has or is likely to have an adverse effect on the integrity, availability, confidentiality and/or authenticity of payment-related services". 
In this context, BaFin slightly adapts the definition compared to the previous circular, without any significant change in content becoming apparent.

In order to determine whether a major security incident exists, the payment service provider must carry out an assessment. As under BaFin's previous administrative practice, BaFin considers an operational and security incident to be major if at least one criterion of the "high impact level" or at least three criteria of the "low impact level" are met in the assessment to be conducted.


Assessment of operational or safety incidents

As before, payment service providers must assess the operational or security incidents against criteria and the indicators underlying those criteria. Once the respective criterion of the operational or security incident has been identified, indicators (adapted to the respective criterion) can then be used to determine whether the operational or security incident is to be classified as having a low or high impact level with regard to payment security. The circular lists the following criteria to be applied:
 
  1. Total value and number of payment transactions concerned
  2. Number of payment service users concerned
  3. Violation of the security of the network and information systems due to a malicious act 
  4. Duration of the period of absence from work 
  5. Economic impact of the incident
  6. Level of internal escalation: Has the incident in question been reported to managers or is it likely to be reported to them?
  7. Systemic impact of the incident: Is another payment service provider or relevant infrastructure affected?
  8. (Possible) reputational damage to the payment service provider
In renewing this list, BaFin introduces the "violation of the security of the network and information systems through a malicious act" as a new criterion compared to the currently applicable circular.

The criteria mentioned are to be classified on the basis of certain threshold values. BaFin has now (partly) significantly adjusted this classification. In the classification, a distinction must be made as to whether the threshold value has been reached and, if so, whether the exceeding represents a low or high impact level. For this purpose, BaFin has published a table in its circular on the basis of which the categorisation for the intensity takes place. For example, a low impact level exists if more than 5,000 payment service users were affected by the incident for more than one hour. If more than 50,000 payment service users were affected, the impact level is high. For various criteria, an incident duration of more than one hour is now required for the low impact levels.

If no concrete data is available for the assessment of whether a threshold limit has been reached or exceeded and the assessment can therefore not be carried out due to a lack of data, the payment service provider shall make an estimate.

BaFin requires that the payment service provider carries out the assessment continuously during the security incident. In this way, the payment service provider should notice a possible change in the status of the incident as quickly as possible and, if necessary, report it to BaFin.

Reporting procedure

BaFin must be notified of a major incident with the relevant information. The reporting procedure is only slightly changed by the revision of the circular. The incident report must continue to be submitted via the reporting channels (reporting and publication platform - MVP portal) and electronic forms provided by BaFin. A significant change is that additional information (not requested on the reporting form) must now only be submitted upon request by BaFin.

A distinction must be made between initial, interim and final reporting of a security incident. In addition, delegated and consolidated reports may occur if the payment service providers have outsourced their reporting obligation to a third party.

Initial report

An initial report must be made to BaFin as soon as an operational or security incident has been classified as major. BaFin specifies various parameters for the timing. Newly included in the BaFin circular is that the classification of an incident must be carried out within 24 hours after the payment service provider has discovered it. However, this must be done immediately if the relevant information is available. If more than 24 hours are needed for the classification, the reasons for this must be stated in the initial report to BaFin. Whether this means that an initial report is to be made on suspicion and it must be announced therein that more time will be needed for the classification, or whether this means that if classification work takes more than 24 hours, it must be stated in the initial report why there was a delay, is unfortunately not made fully clear. The wording "is needed" instead of "was needed" suggests the former.

Once the classification has been made, the initial notification must be received by BaFin within 4 hours.

Reclassification/upgrading of the incident from non-serious to serious is also reportable. 

When the initial report is made, BaFin assigns a so-called incident identification number, which must be stated in all subsequent reports relating to the incident.

Interim report

The concept of interim reports has been changed significantly. Instead of interim reports having to be submitted in the event of status changes and at self-defined intervals, the interim report (which was already included) is now generally linked to the resumption of regular activities and the restoration of regular operations. Regular operations are deemed to have been resumed when the payment service provider is able to operate again under the usual conditions it has set for processing times, capacity and security requirements, and no emergency measures are active any more.

However, this does not mean that the system of interim reports has been relaxed. Rather, there has been a move away from self-determined deadlines for submitting interim notifications, including the establishment of a three-business-day deadline: If the regular activity could not be resumed within three business days after the initial notification, the payment service provider must also submit an interim notification.

As a result, those required to report must now be prepared to submit interim reports at three-day intervals. In addition, interim reports must be submitted if there have been significant changes since the previous report. As an example, BaFin mentions both worsening and weakening of the incident.

Final message

The payment service provider must send a final report to BaFin when a root cause analysis has been completed. All identified reasons and causes for the security incident must be submitted to BaFin. The closure report must be submitted no later than 20 business days after the payment service provider has resumed regular operations. However, the payment service provider may request an extension of the deadline from BaFin, giving reasons.

Payment service providers may also submit a so-called overall notification, which is a combined initial, interim and final notification, if it already has all the information required for the final notification within the period of four hours since the classification of the incident.

Delegated and consolidated reporting

Payment service providers may outsource the reporting obligations described above. The outsourcing agreement must specify who is responsible for what. The payment service provider remains fully responsible and accountable for the fulfilment of the reporting obligations and the content of the report.

The BaFin must be informed before the reporting obligations are delegated. The BaFin must also be notified of any revocation of the delegation.

Statement

The BaFin circular is already part of a longer tradition that started with the circular 04/2015 (BA) "Minimum requirements for the security of internet payments" (MaSI). Compared to the currently still valid Circular 08/2018 (BA), however, the changes are manageable. The criteria against which a security incident is to be assessed was expanded to include the point of "breach of security of network and information systems". The interim notification procedure has also been revised. In addition, the thresholds for low and high impact levels have been adjusted - in part with significant relief for payment service providers. For example, short interruptions with manageable effects are no longer relevant. This will make the work of payment service providers - but also of BaFin - easier in the future.

With the kind assistance of Lea-Sophie Fehling, LL.M. (Glasgow), Research Associate
 

 

 

 

 

Latest insights

More Insights
blocks

UK: Autumn Budget 2024

Oct 31 2024

Read More
Curiosity line teal background

Riding the Wave - Peak Issues in Australian Law (October 2024)

Oct 18 2024

Read More
glass building

The FCA issues Dear CEO letters to banks, building societies and payments firms setting out its expectations on implementing the APP fraud reimbursement requirements

Oct 17 2024

Read More