Shearman & Sterling LLP | FinReg | EU Consultation on Proposed Revisions to the Guidelines on Major Incident Reporting for Payment Service Providers
Financial Regulatory Developments Focus
  • EU Consultation on Proposed Revisions to the Guidelines on Major Incident Reporting for Payment Service Providers

    10/14/2020
    The European Banking Authority (EBA) has opened a consultation on proposed revisions to the Guidelines on major incident reporting under the revised Payment Services Directive (PSD2). PSD2 requires payment service providers (PSPs) to establish and maintain effective incident management procedures for, among other things, detecting and classifying major operational or security incidents. PSPs are required to notify their home state regulator if a major incident occurs. The Guidelines, which have applied across the EU since January 1, 2018, stipulate the criteria that PSPs should use to classify an operational or security incident as "major." Major incidents must be reported to a PSP's national regulator using the format provided in the Guidelines. The EBA is consulting on targeted amendments to the Guidelines. Responses to the consultation may be submitted until December 14, 2020. The EBA expects that the revisions to the Guidelines will become applicable by Q4 2021.

    The EBA is proposing to amend the Guidelines to simplify major incident reporting by standardizing the reporting template, removing data fields, reducing the number of reports and extending the deadline for submitting the final report. In addition, it is proposed that the thresholds that must be reached before the reporting requirement applies will be amended, and that the number of operational incidents required to be reported will be reduced by removing incidents that do not have a significant impact on the operation of a PSP. The EBA is also proposing a new incident classification criterion to capture incidents where the breach of a PSP's security measures impacts the availability, integrity, confidentiality and/or authenticity of payment services-related data, processes and/or systems.

    View the EBA's consultation paper.

    View details of the existing Guidelines on major incident reporting.
