The European Banking Authority (EBA) has published a final report on guidelines on major accident reporting under the revised Payment Services Directive (PSD2). The guidelines set out the criteria, thresholds and methodology to be used by payment service providers (PSPs) to determine whether or not an operational or security incident should be considered major and, therefore, be notified to the competent authority in the member state. In addition, the guidelines establish the template that PSPs will have to use for this notification and the reports they have to send during the lifecycle of the incident, including the timeframe to do so.

To ensure that current practices are reflected to the greatest extent possible, the guidelines also allow for the possibility that PSPs delegate their incident-reporting obligations to a third party, provided that a number of conditions are met. Furthermore, the guidelines give PSPs the possibility of reporting their incidents through a service provider in a way that is consolidated with other affected PSPs, provided that the incident originates within said provider.

In addition, the guidelines establish a set of criteria that competent authorities have to use as primary indicators when assessing the relevance of a major operational or security incident to other domestic authorities in the context of PSD2. Moreover, they detail the information that, as a minimum, competent authorities should share with these domestic authorities when an incident is considered of relevance for the latter.

Finally, for the purpose of promoting a common and consistent approach, the guidelines also establish requirements regarding the process envisaged in Article 96(2) of PSD2 between competent authorities in the home member state and the EBA / European Central Bank. The guidelines will apply from 13 January 2018.

View Final EBA guidelines on major incident reporting under PSD2, 27 July 2017