The EACB welcomes the opportunity to participate in the public consultation on Draft Guidelines on major incidents reporting under the Payment Services Directive 2. In general, we believe that a lighter reporting system within longer deadlines would be more respectful of the diversity of European PSPs. In addition, the delegation of the reporting obligations to a third party (Guideline 3) should be possible within a co-operative group or network. Nevertheless, when such a delegation takes place, co-operative banks and networks should be exempted from fulfilling some of the requirements proposed by the European Banking Authority (e.g. underpinning contract unambiguously defining the allocation of responsibilities). From the perspective of the EACB, these Guidelines should also be consistent with the reporting obligations imposed in other pieces of EU legislation in order to avoid duplications and additional burden for PSPs.
The volume and the extreme sensitivity of the data and information to be gathered by the authorities also poses new challenges that should be properly addressed. The EACB considers that payment services providers should be informed about the security measures implemented by the authorities to keep safe all the information sent in the framework of these reporting obligations.
Beyond the sharing of information between Member States, the ultimate objective of the reporting of operational and security incidents is not totally clear. Feedback from national authorities on the identification of such good practices for example would be highly appreciated. Additionally, PSPs should be entitled to receive warnings from their competent authority about major incidents that could affect them in order to tackle them proactively.