PSD2 – Incident Management Procedures – EBA Guidelines, January 2022
Who do the changes affect?
• payment institutions (PIs), e-money institutions (EMIs) and registered account information service providers (RAISPs)
• credit institutions providing payment services and/or issuing e-money
• retailers
• consumers, consumer groups and micro-enterprises
• credit unions
• those involved in open banking initiatives
• businesses providing payment services under exclusions of the Payment Services Regulations 2017 (PSRs) / Electronic Money Regulations 2011 (EMRs)
An operational or security incident is defined as, “a singular event or a series of linked events unplanned by the payment service provider which has or will probably have an adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment-related services.”
What does your firm need to do?
- IDENTIFY
- APPOINT
- CLASSIFY
- REPORT
Incidents are assessed against the following 8 criteria to determine the level of impact of the incident:
- Number of transactions affected.
- Number of service users affected.
- Breach of security of network or information systems.
- Amount of service downtime.
- Degree of economic impact.
- The level of internal escalation.
- Effects on other providers or systems.
- Reputational impact.