Operational resilience within the financial services sector has been in the spotlight around the world. In that context, cyber security and resilience feature prominently in regulators’ concerns. During 2020 the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority (FCA) have issued Consultation Papers (for example, see the FCA’s Consultation Paper "Building operational resilience"). Now the European Banking Authority (EBA) has launched a public Consultation Paper on revisions to its guidelines to payment service providers (PSPs).
Currently PSPs are required under the Payment Services Directive (PSD2) to report major operational and security incidents to the EBA. Having assessed the incident reports received in 2018 and 2019, the EBA has identified that the current guidelines specifying when such reports need to be made would benefit from changes to update:
- the incident reporting process;
- the content of the incident reports; and
- the thresholds and requirements for when notifications must be made.
Whilst aiming to decrease the reporting burden on PSPs, the revised guidelines look to ensure that the information provided by PSPs in the reports is relevant and meaningful, giving greater purpose to the reporting process. The Consultation Paper also proposes increasing the financial threshold for when notifications must be made from €5m to €15m (the amount being the total value of transactions affected by the relevant incident).
The EBA consultation comes at a time when, in the context of network and information systems cyber security and resilience, the EU is considering lowering the threshold for mandatory reporting under the 2016 NIS directive for cyber breaches (the European Commission includes banking and financial market infrastructures within the bloc-wide rules stemming from this directive, but not payments systems and, apparently, not payment services and PSPs). The European Commission has noted the relatively small number of cyber breach reports that have been made since the NIS directive came into effect in 2018 and so is looking to broaden the scope for reporting cyber security incidents. In the areas of banking and financial market infrastructures covered by the NIS directive, this has the potential to create an interesting comparison with the EBA guidelines. It seems to be a case of too many cyber security incident reports being made by PSPs and too few from those organisations covered by the NIS directive.
It is not clear how (if at all) either of the above proposed changes in approach from the EBA and the European Commission will affect UK PSPs once the Brexit transition period comes to an end, in particular whether the FCA will take the updated PSD2 guidelines into account in its own updates on operational resilience. However, the FCA has already stated that all credit institutions, investment firms and PSPs must comply with the current EBA outsourcing guidelines, and there will no doubt be a desire (at least operationally, since the operational resilience updates apply to PSPs) for some level of harmony between the UK and any updated EU guidelines in this area. The FCA consultation closed on 1 October 2020 and the EBA consultation is open until 14 December 2020, meaning that both regulators are likely to publish their findings next year. The updates to the NIS directive may be published later this year as part of the European Commission’s attempt to create an updated EU-wide standard in this area. As with much arising from Brexit, we will need to wait and see how this plays out for UK organisations, but it is clear that operational resilience will continue to be in the spotlight in 2021.
The proposal aims at optimising and simplifying the reporting process, capturing additional relevant security incidents, reducing the number of operational incidents that will be reported, and improving the meaningfulness of the incident reports received.