2021-11-19

Implementation of the revised EBA guidelines on the notification of major incidents under Directive (EU) 2015/2366 (PSD2) (EBA/GL/2021/03)

The Prudential Supervision and Resolution Authority (ACPR) has declared itself compliant with the revised European Banking Authority (EBA) guidelines on major incident notification under PSD2. These guidelines specify the criteria for qualifying operational or security incidents, the reporting formats and procedures for payment service providers, and the use of a unique reference for traceability. The updated version aims to refine classification criteria, simplify reporting models, improve data quality, and ensure harmonized data submission to the ACPR and the Bank of France.


France

Autorité de Contrôle Prudentiel et de Résolution


NOTICE Implementation of the revised European Banking Authority guidelines on the notification of major incidents under Directive (EU) 2015/2366 (PSD2) (EBA/GL/2021/03)

The Prudential Supervision and Resolution Authority (ACPR) has declared itself compliant with the revised guidelines of the European Banking Authority (EBA/GL/2021/03) on the notification of major incidents under Directive (EU) 2015/2366 (PSD2).

The Prudential Supervision and Resolution Authority had already declared itself compliant with these guidelines in their first version (EBA/GL/2017/10).

These guidelines specify, in particular, the criteria for qualifying operational or security incidents by payment service providers, as well as the format and procedures that these providers must apply to notify these incidents to the Prudential Supervision and Resolution Authority and to the Bank of France, in application of the provisions of Article L. 521-10 of the Monetary and Financial Code.

This new version of the guidelines aims primarily to refine the criteria for classifying an incident as major, so that the information sent to authorities is more relevant; to improve the notification system, notably by modifying the report templates to simplify data entry by payment service providers; to improve the quality of the reports received and obtain more harmonized data; and to define the use of a unique reference, assigned by the supervisory authority to each incident, to ensure its traceability throughout its lifecycle.

These guidelines apply to payment service providers (credit institutions, payment institutions, and electronic money institutions), which must do everything in their power to comply with them, in accordance with the provisions of Article 16 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority).

Incident notifications prepared using the model provided in the annex to the guidelines must be sent to the Prudential Supervision and Resolution Authority and the Bank of France using the operating procedure available on the websites of both authorities.