Article 96(3) of the Payment Services Directive (recast) (PSD 2) confers on the European Banking Authority (EBA) the mandate to develop, in close cooperation with the European Central Bank (ECB), guidelines addressed to payment service providers on the classification and notification of major operational or security incidents, and to Member State competent authorities on the criteria to assess their relevance and the details to be shared with other domestic authorities.

The EBA has now published a consultation paper on draft guidelines on major incident reporting under the PSD 2. The draft guidelines set out:

  • the criteria, thresholds and methodology to be used by payment service providers in order to determine whether an operational or security incident should be considered major and, therefore, be notified to the competent authority in the home Member State;
  • the template that payment service providers will have to use for this notification and the reports they have to send during the lifecycle of the incident, including the time frame to do so; and
  • indicators Member State competent authorities need to use when assessing the relevance of a major operational or security incident to other domestic authorities and the minimum information that Member State competent authorities should share with other domestic authorities when they consider an incident to be relevant.

Finally, for the purposes of promoting a common and consistent approach, the draft guidelines also establish requirements regarding the reporting process envisaged in Article 96(2) of the PSD2 between competent authorities in the home member state and the EBA and ECB.

The deadline for comments on the consultation paper is 7 March 2017.

View EBA consults on guidelines on reporting operational or security incidents under PSD2, 8 December 2016