Regulation 119 of the Payment Services Regulations 2018 sets out that, where a major operational or security incident occurs, a payment service provider is required to notify the Central Bank without undue delay. The EBA Guidelines on major incident reporting under PSD2, define an operational or security incident as, “a singular event or a series of linked events unplanned by the payment service provider which has or will probably have an adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment-related services.” The EBA Guidelines set out specific criteria for the classification of an operational or security incident as being a major incident.  Payment service providers are expected to submit major incident reports to the Central Bank within four hours of detection, regardless of whether that incident is detected during out-of-office hours.

The Central Bank requires payment service providers to use the following template when reporting a major incident. The template is made up of three sections that the Central Bank expects the firm to populate until the conclusion of the incident. Please use this guidance document when populating the template.

The template contains further information on how to populate the required fields in the “Instructions” and “Explanatory notes” tabs. The three types of reports are:

• Initial report
  Payment service providers are required send the initial report within four hours of the major operational or security incident being detected. The initial report requires payment service providers to provide basic information on the incident as well as a general description on what has occurred. Payments service providers should complete the initial incident report template in an incremental manner, on a best efforts basis.
• Intermediate report
  Payment service providers are required to send an intermediate report within 72 hours of the initial report as well as when they become aware of significant changes or new information that is relevant to the incident. This report should contain detailed information on the nature and impact of the incident. Payment service providers should continue to send intermediate reports until business as usual activities have resumed.
• Final report
  Payment service providers must send their final report within two weeks of the conclusion of the major incident. The final report should contain detailed information on the root cause, actions taken and any other relevant information.

Regulation 118 of the Payment Services Regulations 2018 requires PSPs to provide to the Central Bank, on an annual basis, an updated and comprehensive assessment of:

• The operational and security risks relating to the payment services provided by the PSP and
• The adequacy of the mitigation measures and control mechanisms implemented in response to those risks

The Central Bank requires payment service providers to use the following template when reporting the operational and security risk assessment.

Guidance on PSD2 Operational and Security Risk Assessment Return

The EBA has published Guidelines which set out the requirements applicable to reporting of Payment Fraud Statistics by PSPs to national competent authorities (NCAs) such as the Central Bank. These guidelines are effective from January 2019.

Please see the statistics section for details on reporting requirements and methods.

All questions on Payment Fraud Statistics Reporting should be addressed to fraudstats@centralbank.ie.

For more information on Payment Fraud Statistics Reporting, see Statistics section.

Regulation 44(3) of the Payment Services Regulations 2018 provides that credit institutions are required to inform the Central Bank without delay when an application for access to their payment account services by a Payment Institution is rejected. Credit Institutions must also provide the Central Bank with duly motivated reasons for any rejection. The Central Bank requires credit institutions to use the following template to report any rejection of access together with duly motivated reasons for any rejection

Regulation 92(9) of the Payment Services Regulations 2018 provides that account servicing payment service providers are required to inform the Central Bank immediately after denying an account information service provider or a payment initiation service provider access to a payment account. The information provided should include the reasons for denying access and other relevant details. The Central Bank requires firms to use the following template to report such denials of access.