EBA final Guidelines on major incident reporting under PSD2

At least 17 EU Member States have compulsory operational incident reporting requirements in place that payment service providers (PSPs) have to comply with. However, there are disparities in the criteria used by competent authorities for the fulfilment of those reporting obligations, the notification procedure to be followed, etc, thereby hampering the establishment of a level-playing field and internal market for payment services in the EU.

Although the major incident notification requirements contained in the Article 96(1) PSD2 will require PSPS to adjust their IT systems/databases to the new reporting requirements, it is expected that the EU-wide common standard will ensure, together with the EBA guidelines, a uniform framework for major incident reporting across the EU, and therefore will benefit PSPs operating in different EU countries compared to today's situation.

In addition to Article 96(1) PSD2 which imposes notification requirements upon PSPs, Article 96(2) PSD2 imposes requirements upon public authorities to share amongst each other information about incidents. It is Article 96(3) that confers the EBA a mandate to issue guidelines addressed to PSPs (on the classification of incidents, as well as the content, form and procedure for notifications) and to authorities (on how to assess the relevance of incident for other authorities).

On 7 December 2016, the EBA launched a consultation on draft Guidelines on major incident reporting, which ended on 7 March 2017. Following analysis of the 43 responses to that consultation, the EBA published the final guidelines on 27 July 2017 which are available here.

Like all EBA guidelines, the final guidelines on incident reporting are subject to a "comply or explain" principle, meaning that national competent authorities should decide whether they will enforce those guidelines in their country, or not. Given the above stated PSD2 objective of having more consistent and efficient incident reporting mechanisms in place in all EU countries, it is expected that all, or almost all, national competent authorities will decide to "comply" with the EBA guidelines. They will become applicable on 13 January 2018, i.e. the deadline for Member States to implement PSD2 within their national legal order.

1. Notification requirements for PSPs

Article 96(1) PSD2 provides that:

"In the case of a major operational or security incident, payment service providers shall, without undue delay, notify the competent authority in the home Member State of the payment service provider.

Where the incident has or may have an impact on the financial interests of its payment service users, the payment service provider shall, without undue delay, inform its payment service users of the incident and of all measures that they can take to mitigate the adverse effects of the incident" (emphasis added).

The EBA guidelines only deal with the notification requirement to competent authorities, and therefore does not deal with the notification to the payment service users.

The first part of the guidelines defines EU-wide criteria and thresholds to be used to assess whether or not an operational or security incident should be considered as "major" (and therefore to be reported to the competent authority), or not.

The table below, which is extracted from the EBA guidelines (page 23), contains seven quantitative and qualitative criteria. An incident qualifies as "major" if either one (or more) criteria of ‘Higher impact level’ are met, or at least three criteria of the 'Lower impact level'. 

For more information about the meaning of each of these criteria, see pages 20-23 of the EBA guidelines.

If an operational or security incident qualifies as "major", PSPs should produce incident reports to the competent authority in the home Member State, using the template provided by the EBA in annex to the guidelines. There are three kinds of reports, corresponding to the three different sections of the template (PSPs are therefore expected to complete each of the sections in a cumulative way, so that the final report contains information on all fields):

• Initial report. PSPs should send the initial report to the competent authority within 4 hours from the moment the major operational or security incident was first detected³. PSPs should fill in section A of the template, featuring only some basic characteristics of the incident and its expected consequences.
• Intermediate report. PSPs should submit a more detailed description of the incident and its consequences (section B of the template). PSPs should submit intermediate reports every time they consider that there is a relevant status update and, as a minimum, by the date for the next update indicated in the previous report (as soon as possible and under no circumstances go beyond 3 business days). When they become aware of new relevant information or significant changes since the previous notification, PSPs should also produce additional intermediate reports by updating the information already provided in sections A and B of the template. PSPs should send the last intermediate report when regular activities have been recovered and business is back to normal.
• Final report. PSPs should deliver the final report to the competent authority within a maximum of 2 weeks after business is deemed back to normal. PSPs should then include full information, i.e. (i) actual figures of the impact in sections A and B, (ii) in section C of the template, the root cause and a summary of measures adopted or planned to be adopted to remove the problem and prevent its recurrence in the future.

PSPs may delegate their incident-reporting obligations to a third party provided that the delegation complies with the requirement for the outsourcing of important operational functions, and after having informed the local competent authority (see section 3.1 of the guidelines).

When an incident originates from a third party provider used by several PSPs (e.g. a processor), the PSPs using that third party may entrust the incident reporting requirement to that third party, who will report the incident on a consolidated basis (see section 3.2 of the guidelines).

2. Notification requirements for competent authorities

Article 96(2) PSD2 provides that:

"Upon receipt of the notification referred to in paragraph 1, the competent authority of the home Member State shall, without undue delay, provide the relevant details of the incident to EBA and to the ECB. That competent authority shall, after assessing the relevance of the incident to relevant authorities of that Member State, notify them accordingly.

EBA and the ECB shall, in cooperation with the competent authority of the home Member State, assess the relevance of the incident to other relevant Union and national authorities and shall notify them accordingly. The ECB shall notify the members of the European System of Central Banks on issues relevant to the payment system.

On the basis of that notification, the competent authorities shall, where appropriate, take all of the necessary measures to protect the immediate safety of the financial system." (emphasis added)

In the EBA guidelines, it is confirmed that the national competent authorities should always provide the EBA and the ECB with all reports (initial, intermediate and final reports) received from PSPs affected by a major operational or security incident. No specific timeframe for sending these reports has been determined by the EBA in the guidelines, but only a requirement to "avoid delays" in the transmission of the information (section 8.2 of the EBA guidelines guidelines).

In addition, national competent authorities should assess if a major or security incident could be relevant to other national competent authorities. The EBA provides with a list of criteria to be used by a national authority in order to make that assessment (see section 5.1 of the guidelines). Once other national authorities have been identified, the national authority should share with them a number of pieces of information (see section 6.2 of the guidelines). The information should be shared, as a minimum, at the time of receiving the initial report, and when they are notified that business is back to normal⁴.

3. Links between PSD2, on the one hand, and GDPR and NIS directive, on the other hand

It is important to note that links exist between the above-mentioned notification requirement under PSD2, and in those set out in the GDPR and the NIS directive, creating potential confusion for PSPs:

• Under the GDPR (applicable as from 25 May 2018), a personal data breach should be notified "without undue delay", and pursuant to Article 33 GDPR "without undue delay" means that the report should occur no later than 72 hours after having become aware of the breach – whereas, as mentioned above, under Article 96 PSD2 "without undue delay" means that the initial report should be submit by the PSPs within 4 hours from the major operational or security incident being detected. In addition, the reports should be submitted to different authorities: the first one to the local data protection authority, whereas the second one to the competent authority in charge of enforcing PSD2. For the latter, a template form has been devised by the EBA, whereas no template has yet been devised for reporting under GDPR (although existing templates are available at national level)
• The NIS directive (also known as the cybersecurity directive), which is due to be implemented in the laws of EU Member States by 9 May 2018, imposes reporting requirements, including upon credit institutions that are designated by Member States as “operators of essential services” (OES). However, Article 1(7) NIS directive provides that "Where a sector-specific Union legal act requires operators of essential services […] either to ensure the security of their network and information systems or to notify incidents, provided that such requirements are at least equivalent in effect to the obligations laid down in this Directive, those provisions of that sector-specific Union legal act shall apply". In our view, PSD2 qualifies as sector-specific EU legislation providing for security measures (Article 95 PSD2) and incident reporting obligations (Article 96 PSD2) that are at least equivalent to the obligations contained in the NIS directive, and therefore credit institutions that are designated as OES should be required to comply with the equivalent provisions of the NIS directive. However, a question remains in relation to credit institutions designated as OES that would face incidents in relation to payment transactions that fall outside the scope of PSD2, e.g. in relation to a "limited network" payment instrument: should the credit institution then comply with the NIS reporting requirements, or not? In our view, that should not be the case.

The author is grateful to Constance Eckardt-Descout for the preparatory work on this article.

This article was first published in the October edition of Payments & FinTech Lawyer. 

^{2 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union}

^{3 In the draft version of the guidelines, the EBA has proposed 2 hours.}

^{4 It should be noted that the guidelines seem to adopt a contra legem interpretation of Article 96(2) PSD2. According to Article 96(2), it is "the EBA and the ECB [which] shall, in cooperation with the competent authority of the home Member State, assess the relevance of the incident to other relevant Union and national authorities and shall notify them accordingly. […]". However, the guidelines seem to entrust that assessment and the actual notification to the national authority.}