By a circular 18/704 of 17 December 2018 (the Circular 18/704), the Luxembourg regulator of the financial sector, the Commission de surveillance du secteur financer (the CSSF) formally endorsed the Guidelines of the European Banking Authority (EBA) on major incident reporting under Directive (EU) 2015/2366 (PSD2) (EBA/GL/2017/10).
The Circular 18/704 provides details on the new reporting obligation to the CSSF by payment service providers upon occurrence of major operational or security incidents, as set out in article 105-2 (1) of the Luxembourg act of 10 November 2009 on payment services, as amended (the Payment Services Act 2009).
1. Which actors are concerned?
The obligation applies to all payment service providers (as defined in article 1 (37) of the Payment Services Act 2009), including among others:
- payment institutions;
- e-money institutions;
- credit institutions (including their EU branches) providing payment services; and
- the Entreprise des Postes et Télécommunications
(together, the Concerned Entities).
2. What is the new obligation?
If a major operational or security incident occurs, a Concerned Entity must inform the CSSF without delay. The CSSF will in turn inform the EBA and the European Central Bank (ECB) as well as, to the extent relevant, other Luxembourg competent authorities.
Article 105-2 of the Payment Services Act further provides that:
- where the incident has or may have an impact on the financial interests of its payment service users, the Concerned Entity must also notify its payment service users of the incident and of all measures that such payment service users can take to mitigate the adverse effects of the incident without undue delay; and
- in addition, the Concerned Entity must provide, at least on an annual basis, statistical data on fraud relating to different means of payment, to the CSSF (which in turn provides the EBA and the ECB with such data in an aggregated form).
- These two obligations are, however, outside the scope of the present e-Alert1.
3. What is a major operational or security incident?
An operational or security incident is defined in the Guidelines as a “singular event or a series of linked events unplanned by the payment service provider which has or will probably have an adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment-related services” (as those terms are further defined in the Guidelines).
The Circular 18/704 and the Guidelines make it clear that this concept covers:
- both external and internal events;
- events which are either malicious or accidental; and
- incidents originating within the European Union but also those originating outside of the European Union affecting, directly or indirectly, the payment services provided by a payment service provider established in the European Union.
The Guidelines further detail the criteria to be considered to assess whether an operational or security incident must be categorised as major or not. An operational or security incident should be classified as major if, based on the assessment carried out by a Concerned Entity, it fulfills:
- one or more criteria at the “Higher impact level”; or
- three or more criteria at the “Lower impact level”
(these criteria consist in thresholds defined in the Guidelines).
A Concerned Entity must perform its assessment against a series of pre-set criteria and associated underlying indicators defined in the Guidelines:
- the transactions affected;
- the payment services users affected;
- the service downtime;
- the economic impact;
- the high level of internal escalation;
- other payment service providers or relevant infrastructures potentially affected; and
- the reputational impact.
4. When should a major operational or security incident be reported?
As has been seen, any major operational or security incident must be reported without delay pursuant to the Payment Services Act 2009.
The Circular 18/704 and the Guidelines clarify that an initial report must be addressed to the CSSF within 4 hours from the first detection of the major incident or immediately after a non-major incident changes status and becomes a major incident (except in case reporting channels are not available or operational at that time, in which case reporting must occur as soon as they become available again).
Afterwards, intermediate reports must be submitted every time the payment service provider deems it relevant and, in any case, by the next update date mentioned in the previous report.
A final report must be addressed to the CSSF within two weeks after business is back to a normal status.
The Guidelines provide guidance about the type of information and level of detail to be included in the various reports.
5. Format and technical requirements for the reporting
Reporting to the CSSF must be done using a CSSF standard form2 and in accordance with applicable technical requirements, as detailed in annex I to the Circular and in the Guidelines.
6. Delegation of reporting obligation
While this possibility is contemplated by the Guidelines, the Circular 18/704 prohibits delegation of the above reporting obligation to a third party.
7. Impact on the internal procedures of the Concerned Entity
Concerned Entities must ensure that they have in place and maintain effective operational and security policies including adequate incident management procedures to comply with the above obligations. In particular, the various responsibilities for the identification, classification and reporting of (major) incidents as well as applicable processes must be precisely defined.
8. Entry into force
The Circular 18/704 is applicable with immediate effect.