New PSD2 Guidelines on Major Incident Reporting and Fraud

Cyber attacks and data loss incidents are becoming ever more prominent issues for all firms, not least in financial services and the payments sector. Regulatory requirements are growing fast: regulators need to be notified and customers may need to be told. The legal, reputational and economic impacts are significant. At the end of July, the European Banking Authority (EBA), pursuant to its mandate under the recast Payment Services Directive (PSD2), published Guidelines for national supervisors on major incident reporting requirements for payment service providers (PSPs). Conscious that other incident notification frameworks exist (e.g., the Cyber-security Directive 2016/1148), the European supervisory authority has sought to align the Guidelines as much as possible with the Single Supervisory Mechanism’s cyber incident-reporting framework for banks. The new Guidelines will apply from 13 January 2018, the date that PSD2 takes effect.

PSD2 requires PSPs to put in place incident management procedures to detect and classify major operational or security incidents affecting payment services. These include external and internal events, whether malicious or accidental. Additionally, firms must report such incidents without undue delay to supervisors and to payment service users where their “financial interests” (whatever this means) are impacted. In what is good news for firms, the EBA has taken on board feedback and doubled the initial reporting deadline from two to four hours, as well as limiting the information to be provided. Incidents that occur outside the EU (e.g., in a parent company or in a subsidiary established elsewhere) but that affect payment services in the EU are also subject to the requirements.

The Guidelines list the criteria for deciding whether an operational or security incident is of sufficient magnitude to be notifiable. These include the total value and number of transactions and payment service users affected, downtime, economic and reputational impacts, and whether other payment services or infrastructures are affected. The EBA has, however, decided against treating issues experienced by different types of PSP differently, for example, where a bank’s dedicated customer interface goes down, affecting third party providers which depend on that interface to access accounts.

Published alongside the Guidelines are templates for the reports that PSPs must submit during incidents. Where an incident originates with a service provider, a firm may employ “consolidated” reporting with other affected payments businesses through that service provider. Firms should note that the EBA has now helpfully clarified that “near misses” (i.e., incidents which might have become major incidents but are resolved before they crystallise) need not be reported.

In quick succession, the EBA is also consulting on two sets of draft guidelines on fraud reporting requirements under PSD2, the first addressed to PSPs and the second to supervisors. The data to be collected from firms on a quarterly and an annual basis will be analysed to help reduce payment fraud and also to satisfy requirements to monitor fraud under, for example, the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication (when they are finally adopted). Feedback must be received by 3 November this autumn.

Richard Powell is a professional support lawyer within Baker McKenzie's global financial services group where he is responsible for supporting the group's legal and technical knowledge.