February 29, 2020

February 28, 2020

Subscribe to Latest Legal News and Analysis

February 27, 2020

Subscribe to Latest Legal News and Analysis

February 26, 2020

Subscribe to Latest Legal News and Analysis

PSD2 Major Incident Reporting Guidelines

On July 27 2017, the European Banking Authority (EBA) published the Final Guidelines (the Guidelines) on major incident reporting under the revised Payment Services Directive (PSD2). The Guidelines were developed in conjunction with the European Central Bank (ECB), and are addressed to all payment services providers and competent authorities within the 28 European Union Member States. With the expected implementation of PSD2 in January 2018, the Guidelines further contribute to the objective of the PSD2 aiming to minimize disruption to its users, payment service providers and the systems.

The aim of the Guidelines is to identify the criteria, thresholds and methodology that payment service providers will be expected to consider when determining if an operational and security incident should be considered major, and therefore, require notification to the competent authority in the Home Member State. PSD2 assigns to the EBA and ECB a central coordination role, in this context. The competent authority in the home Member State swiftly shares with the ECB and EBA details of the incident. This permits a collective decision and assessment to be made about the significance of the incident to these other Union and national authorities. Where appropriate, the EBA and ECB will notify accordingly.

The EBA launched the initial consultation on the draft Guidelines on 7 December 2016, accumulating 43 responses to the Consultation Paper, which the Guidelines summarises and incorporates in some amendments from the draft Guidelines, in particular providing for further definition to the criteria, review of one of the thresholds, providing an extension to the deadline for the first report and generally clarified information to be provided at each stage of the reports.

These Guidelines provide the template that payment service providers are required to use for this notification and the reports that they are required to send during the lifecycle of the incident, including the timeframe to do so. The Guidelines also provide for a set of criteria that competent authorities have to use as primary indicators when assessing the relevance of a major operational or security incident to other domestic authorities in the context of PSD2.

The Guidelines will apply from 13 January 2018.

Rizwan Qayyum also contributed to this article.

Copyright 2020 K & L Gates


About this Author

Judith E. Rinearson, KL Gates, federal consumer protection lawyer, anti money laundering attorney

Judith Rinearson is a partner in the firm’s New York and London offices. Ms. Rinearson concentrates her practice in prepaid and emerging payment systems, electronic payments, crypto/virtual currencies, reward programs, ACH and check processing. She has more than 25 years of experience in the financial services industry, including 18 years at American Express’s General Counsel’s Office. Her expertise focuses particularly in the areas of emerging payments and compliance with state and federal consumer protection laws, anti-money laundering laws, state money transmitter...