Menu Close


PSD2 – Payment Service Providers – Incident Management Procedures 2022

PSD2 – Incident Management Procedures- EBA Guidelines January 2022

Who do the changes affect?

• payment institutions (PIs), e-money institutions (EMIs) and registered account information service providers (RAISPs)
• credit institutions providing payment services and/or issuing e-money
• retailers
• consumers, consumer groups and micro-enterprises
• credit unions
• those involved in open banking initiatives
• businesses providing payment services under exclusions of the Payment Services Regulations 2017 (PSRs)/ Electronic Money Regulations 2011 (EMRs)

An operational or security incident is defined as, “a singular event or a series of linked events unplanned by the payment service provider which has or will probably have an adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment-related services.”

What does your firm need to do?


Incidents are assessed against 8 criteria to determine the level of impact of the incident

  1. Number of transactions affected.
  2. Number of service users affected.
  3. Breach of security of network or information systems.
  4. Amount of service downtime.
  5. Degree of economic impact.
  6. The level of internal escalation.
  7. Effects on other providers or systems.
  8. Reputational impact.

Call us today on 0800 689 0190 to help amend your procedures or build your Operational Risk Framework.

Recent Enquiry
Copy code