The EACB welcomes the opportunity to participate in the public consultation on the revised Draft Guidelines on major incident reporting under the Payment Services Directive 2. Already in 2017, in relation to the first edition of the Guidelines, the EACB stressed its concern about the volume and the extreme sensitivity of the data and information to be gathered by the authorities. The Guidelines should achieve a balance between what is essential to notify and a realistic timeframe for doing so. This principle is particularly relevant for smaller organisations (e.g. many co-operative banks) whose resources are limited. In practice, in smaller organisations, the employees who are investigating the incident are the same ones who fill in the reports relating to the incident. Therefore, oversized reporting and notification requirements mean less time for investigating the problem and preventing its harmful consequences. The current Guidelines require very detailed notification of incidents within a very short timeframe.
In addition, for some co-operative banks the reporting is made by the central body, which needs to verify the information with regional co-operative banks (qualification of the incident, quantification of the impacts: number of customers, number of transactions and amounts, …). In this context, reporting obligations should consider the existing diversity within the European banking sector. Emphasis should at all times be placed on investigating and repairing the incident rather than on following complex notification procedures.
We welcome the proposed changes which aim at reducing the number of incidents that are required to be reported. For reporting to be meaningful, the reporting obligation should relate to truly major incidents and exclude less significant, more “business as usual” incidents that fall under the current criteria.
In particular, we welcome the reduction of the number of reports that PSPs have to submit. Nevertheless, we believe that even further reduction is warranted. An initial and a final report would be sufficient to attain the goals of the Guidelines whilst the lack of need to submit an intermediary report would save PSPs’ resources.
Having said that, we are aware that the draft Regulation on Cyber-resilience (DORA) and the expected implementing regulations will affect the reporting processes covered by the EBA Guidelines on major incident reporting under PSD2. The need to modify the same reporting process twice in a relatively short period of time would consume significant financial and human resources. We would therefore prefer that the revision of the EBA Guidelines be aligned with the DORA legislative and implementation process.