On December 17th 2018, the CSSF adopted the guidelines of the European Banking Authority on the notification of major operational or security incidents (EBA/GL/2017/10) (the “EBA Guidelines”). CSSF Circular 18/704 (the “CSSF Circular”), which adopts the EBA Guidelines (attached as its Annex 1), is applicable immediately upon issue. The EBA Guidelines provide the criteria, thresholds and methodology to be used by payment service providers (the “PSP”) and contain the templates to be used by a PSP when reporting “major operational or security incidents” to the national authorities. Adoption of the EBA Guidelines by the Luxembourg regulator is an important step in the transposition of Directive (EU) 2015/2366 on payment services (“PSD2”) into the Luxembourg regulatory regime on payment services, after the law of July 25th 2018 transposed PSD2 by amending the Luxembourg law of November 10th 2009 on payment services (the “PSL”).
We refer you to our January 2018 Newsletter where we discussed the transposition of PSD2 in Luxembourg and related guidelines of the EBA on the information to be provided by the payment institutions to the competent national authorities.
The Luxembourg regulator has not only formally adopted the EBA Guidelines in Luxembourg but has also provided further details in respect of the reporting obligation under Article 105-2 paragraph 1 of the PSL, which provides that “payment service providers shall report major operational or security incidents to the CSSF without undue delay”.
The CSSF confirms the scope of the obligation to report a “major operational or security incident” by stating that it extends to both external and internal events, whether malicious or accidental. The CSSF Circular further provides the relevant deadlines for each type of report to be submitted by the PSP to the CSSF. For instance, once a PSP detects a “major operational or security incident”, it has a maximum of 4 hours to report it to the CSSF in the form of an “initial report”. Furthermore, if there is any relevant status update after the “initial report” has been submitted to the CSSF, the PSP must also report it to the CSSF in the form of an “intermediate report”. The PSP must also submit its “final report” within a maximum of 2 weeks after business is deemed back to normal. Finally, although such a possibility is not excluded under the EBA Guidelines, the CSSF confirms that the PSP’s reporting obligation cannot be delegated to any third party.