PSD2 - Reporting Requirements

Directive 2015/2366/EU on payment services (or “PSD2”) was transposed into Irish law, with effect from 13 January 2018, by the European Union (Payment Services) Regulations, 2018 (S.I. No.6 of 2018, hereafter referred to as the Payment Services Regulations 2018). The Payment Services Regulations 2018 place a number of reporting requirements on payment service providers (PSPs) and the expectations of the Central Bank of Ireland in terms of PSPs meeting. These requirements are set out below.

Major Incident Reporting

Regulation 119 of the Payment Services Regulations 2018 sets out that, where a major operational or security incident occurs, a payment service provider is required to notify the Central Bank without undue delay. The EBA Guidelines on major incident reporting under PSD2, define an operational or security incident as, “a singular event or a series of linked events unplanned by the payment service provider which has or will probably have an adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment-related services.” The EBA Guidelines set out specific criteria for the classification of an operational or security incident as being a major incident. Payment service providers are expected to submit major incident reports to the Central Bank within four hours of detection, regardless of whether that incident is detected during out-of-office hours.

The Central Bank requires payment service providers to use the following template when reporting a major incident. The template is made up of three sections that the Central Bank expects the firm to populate until the conclusion of the incident. Please use this guidance document when populating the template.

The template contains further information on how to populate the required fields in the “Instructions” and “Explanatory notes” tabs. The three types of reports are:

Initial report
Payment service providers are required send the initial report within four hours of the major operational or security incident being detected. The initial report requires payment service providers to provide basic information on the incident as well as a general description on what has occurred. Payments service providers should complete the initial incident report template in an incremental manner, on a best efforts basis.
Intermediate report
Payment service providers are required to send an intermediate report within 72 hours of the initial report as well as when they become aware of significant changes or new information that is relevant to the incident. This report should contain detailed information on the nature and impact of the incident. Payment service providers should continue to send intermediate reports until business as usual activities have resumed.
Final report
Payment service providers must send their final report within two weeks of the conclusion of the major incident. The final report should contain detailed information on the root cause, actions taken and any other relevant information.

Operational and Security Risk Reporting

Regulation 118 of the Payment Services Regulations 2018 requires PSPs to provide to the Central Bank, on an annual basis, an updated and comprehensive assessment of:

The operational and security risks relating to the payment services provided by the PSP and
The adequacy of the mitigation measures and control mechanisms implemented in response to those risks

The Central Bank requires payment service providers to use the following template when reporting the operational and security risk assessment.

Guidance on PSD2 Operational and Security Risk Assessment Return

Payment Fraud Statistics Reporting

The EBA has published Guidelines which set out the requirements applicable to reporting of Payment Fraud Statistics by PSPs to national competent authorities (NCAs) such as the Central Bank. These guidelines are effective from January 2019.

Please see the statistics section for details on reporting requirements and methods.

All questions on Payment Fraud Statistics Reporting should be addressed to fraudstats@centralbank.ie.

For more information on Payment Fraud Statistics Reporting, see Statistics section.

Denial of Service Reporting

Regulation 44(3) of the Payment Services Regulations 2018 provides that credit institutions are required to inform the Central Bank without delay when an application for access to their payment account services by a Payment Institution is rejected. Credit Institutions must also provide the Central Bank with duly motivated reasons for any rejection. The Central Bank requires credit institutions to use the following template to report any rejection of access together with duly motivated reasons for any rejection

Regulation 92(9) of the Payment Services Regulations 2018 provides that account servicing payment service providers are required to inform the Central Bank immediately after denying an account information service provider or a payment initiation service provider access to a payment account. The information provided should include the reasons for denying access and other relevant details. The Central Bank requires firms to use the following template to report such denials of access.

How to submit a report

Reports can be submitted via the Central Bank’s Online Reporting System ("ONR").

Further information in relation to the online reporting process is available at Introduction to the Online Reporting Process. Detailed user guides are available for Article 36, Article 68 and Major Incident Reports.

The Central Bank expects firms to contact their respective supervisor in addition to submitting the initial report.

Firms to whom these reporting obligations apply and who don't currently have access to the Central Bank's ONR must communicate this to their supervisor.

Industry Market Sectors

More information on specific industry sectors can be found by clicking on the relevant sector

Further Information:

PSD2 - Frequently Asked Questions
Consumer Protection Codes and Regulations
The European Supervisory Authorities Technical Standards and Guidelines page
Firms seeking information on making a notification in relation to either the Limited Network Exclusion or the Electronic Communications Exclusion should refer to the Excluded Firm Notifications section on the payment institutions introductory page.