The technical glitch that left thousands of customers of high-profile fintech start-ups without access to their money last month should act as a major wake-up call to payment service providers across the UK.
While the payment companies involved kept their customers updated, from January those experiencing such major outages will also have to communicate promptly, regularly and in depth with their regulator. Under PSD2 (the second Payment Services Directive), payment service providers must assess whether an incident is major and, if it is, must provide the initial report to the FCA within two hours, followed by a series of other reports until good service has resumed.
What type of incidents must be reported?
Payment and e-money institutions are already obliged to report to the FCA any significant changes to their business that affect their ability to meet the conditions of authorisation, and there is an expectation that they maintain an open and honest relationship with their regulator. PSD2 formalises this requirement in respect of major operational and security risks.
The European Banking Authority’s draft guidelines describe the incidents of interest as those:
- that involve the disruption of payment services;
- that concern the loss of data; and
- where the integrity or authenticity of the service is compromised.
Such operational or security incidents then have to be evaluated against a set of criteria to determine whether they are deemed ‘major’ and therefore have to be reported.
Which incidents are classed as major?
Understanding and identifying when a major situation arises is a critical factor. PSD2 outlines a number of identifiers to provide guidance to businesses that fall within the regulation. An incident will be classed as major if it meets certain thresholds relating to:
- the number of transactions affected (in proportion to what is normal for the payment service provider);
- the number and proportion of clients affected;
- whether the service has been, or will be, down for more than two hours;
- whether the incident is significant enough that it should be escalated to senior executives and/or the chief information officer;
- whether the incident is likely to have a knock-on effect on other payment service providers; and
- whether there will be a negative reputational impact from traditional or social media interest because, for example, client information has been leaked or stolen, or this type of incident has occurred before.
Initial, intermediate and final reports
So what should you do if the outcome of the assessment is that the incident is major? As a priority, the payment service provider must make an initial report to the FCA within two hours of detection. Where an incident is initially classed as non-major but is subsequently reclassified as major, the initial report must be made as soon as the change in status has been identified.
Intermediate reports must then be submitted to the FCA every time the situation becomes significantly better or worse, new causes of the problem are identified or new action is taken to fix the issues.
At the very least, payment service providers have to report every three business days until they have undertaken the root cause analysis and actual figures are available to replace any estimates previously provided. The final report should be delivered within two weeks of the service having returned to normal.
Can a third party report on my behalf?
Given that in a crisis situation resources are likely to be constrained, the European Banking Authority will allow third parties to report on behalf of the payment service provider or, if one provider impacts others, as in the case of the recent payment card outage, on behalf of multiple payment service providers. These arrangements have to be notified to the FCA in advance, and it must be clear that while the reporting can be outsourced, the obligation to report cannot: the payment service provider remains liable for full and complete reporting.
The consultation on the draft guidelines has only just closed and we expect the final version to be available in the summer. One thing is clear though – crisis handling under PSD2 is going to create a significant administrative burden. With this in mind, payment service providers should assess whether their current incident procedures will be fit for purpose and begin making any necessary amendments. Payment and e-money institutions will have to provide their reporting procedure to the FCA as part of the additional information required to transition into the new regime by July 2018.