Improving Major Incident Reporting For Payment Services

Larry FenelonPartner, Leman Solicitors

The European Banking Authority (EBA) is consulting on changes to guidelines for payment service providers (PSPs) on reporting major operational and security incidents to their local regulator in the European Economic Area. As briefly explained below, the EBA has found problems with awareness of the current guidelines and non-compliance with reporting obligations. This in turn suggests that customers cannot assume local regulators are able to properly supervise PSPs approach to major incidents; and that the PSPs themselves may not be taking appropriate steps to avoid or mitigate them. Hopefully, increased awareness of the guidelines (and the changes when they take effect), will improve both operational resilience and security. Responses to the consultation are due  by 14 December and the changes should take effect in Q4 2021. 

Background

The European Banking Authority (EBA) issued guidelines on major incident reporting in 2017. These set out the criteria, thresholds and methodology to be used by PSPs to determine whether or not an operational or security incident should be considered major; how it should be notified; and how the local regulator should assess the relevance of the incident to other authorities and share the information when appropriate.

Meanwhile, the European Commission has published a proposed EU regulatory framework on digital operational resilience (DORA), which goes beyond payments-related incidents but will take several years to be implemented. The EBA therefore proposes to revise its earlier Guidelines to take effect in Q4 of 2021, pending implementation of the DORA requirements.

Reports of Major Incidents Under the Current Guidelines

For the two years to 31 December 2019, there were 5763 major incident reports (an average of 313 a month). The number varied significantly between Member States, ranging from a few to hundreds, and by PSP across different Member States with figures ranging up to 7 major incident reports per PSP. On average, 38% of the credit institutions in the EU have submitted an incident report but only 6% of all payment institutions and e-money institutions. It seems unlikely that none of the remaining payment service providers have suffered a single major incident…

The EBA has found that most major incidents reported by PSPs are operational in nature (95%) and the rest are security related. But some major security incidents that occurred seem not to have actually been reportable under PSD2. 

Reports were most often triggered by the following criteria:

  • Transactions affected (mainly higher impact level);
  • Service downtime;
  • High level of internal escalation (lower impact level);
  • Reputational impact; and
  • Payment service users affected (mainly higher impact level).

The operational incidents that were reported tended to have a very low impact as they involved the failure of less significant tasks and single processes that were temporary and could be repeated quickly enough not to have a major impact.

The EBA also found evidence of non-compliance in the reports themselves:

  1. Variations to the specified templates;
  2. submitting the three different reports (initial, intermediate and final) related to the same incident separately;
  3. late filings;
  4. incomplete reports;
  5. insufficient details of the incident;
  6. not updating information provided in previous reports;
  7. not reporting the reclassification of the incident from major to non-major in the final report;
  8. not reporting incidents affecting services outsourced to third parties; and
  9. insufficient information provided where reporting is delegated.

The Revised Guidelines

The problems with the current guidelines are discussed in Chapter 3 of the consultation paper and the revised guidelines themselves are in Chapter 4 of (pages 17-49). The cost-benefit analysis, impact assessment and consultation questions are in Chapter 5.

Hopefully the increased awareness of the current guidelines, and the changes when they take effect, will increase the attention given by PSPs to major incidents and how to avoid or mitigate them. For more on the topics discussed here contact Leman Solicitors on 01 6393000 or visit www.leman.ie