EBF advisor: Pascale-Marie BRIEN
Publication date: 7 March 2017
Question 1: Do you consider the definitions in the draft Guidelines to be sufficiently clear?
In order for these definitions to be applied in a consistent way, we would propose to align them as much as possible with definitions already proposed by international bodies such as the Bank for International Settlements, ENISA or ISO (information security definitions), or to clarify them in line with the Rationale as follows:
1. “Major operational or security incident”: we would suggest adding the following terms to the definition proposed: “A major incident must be understood as an incident that reaches any of the four criteria in level 2 or three or more criteria in level 1.”
Equally, the concept of “event” in the definition itself should be clarified as being “occurrence of a particular set of circumstances” (see ENISA definition).
On the definition of major incident itself, we have some reservations on the need to retain events that “may have” a material adverse impact as its rather subjective nature may lead PSPs to report any potential fraud case, defeating the very purpose of reporting. We would therefore propose to delete the reference to events that may have an impact.
Operational incidents are defined in Annex 1 (page 42) and include failures in processes, people and systems impacting payment systems. This definition is very similar to the definition of Operational Risk events according to Basel rules. It would therefore be very useful to clarify the boundaries between operational incidents and security incidents.
2. Under “availability”, we would suggest restricting the definition of payment related services to the ones provided by the PSP.
3. Some confusing interpretation may arise between the definitions proposed for “availability” and for “continuity”. The definition of continuity should be amended as follows: “The property of an organisation being capable of delivering its payment-related services at acceptable predefined levels even if one or more components of the system fail or if it is affected by an abnormal external event. It includes both preventative measures and arrangements to deal with contingencies”, and the words “after a disruptive incident occurs” should be deleted.
In order to clarify the definitions even further, we would suggest adding a definition of “crisis mode or equivalent” as used in Table 1 on page 26.
4. We would suggest adding a clear reference to Annex 1 of PSD2 in the definition of “Payment-related services” in order to make sure that the business activity referred to is understood as being the PSP services directly required for the provision of the payment services.