Regulation 119 of the Payment Services Regulations 2018 sets out that, where a major operational or security incident occurs, a payment service provider is required to notify the Central Bank without undue delay. The EBA Guidelines on major incident reporting under PSD2 define an operational or security incident as “a singular event or a series of linked events unplanned by the payment service provider which has or will probably have an adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment-related services.” The EBA Guidelines set out specific criteria for the classification of an operational or security incident as being a major incident. Payment service providers are expected to submit major incident reports to the Central Bank within four hours of detection, regardless of whether that incident is detected during out-of-office hours.
The Central Bank requires payment service providers to use the following template when reporting a major incident. The template is made up of three sections that the Central Bank expects the firm to populate until the conclusion of the incident. Please use this guidance document when populating the template.
The template contains further information on how to populate the required fields in the “Instructions” and “Explanatory notes” tabs. The three types of reports are:
- Initial report
Payment service providers are required to send the initial report within four hours of the major operational or security incident being detected. The initial report requires payment service providers to provide basic information on the incident as well as a general description of what has occurred. Payment service providers should complete the initial incident report template in an incremental manner, on a best-efforts basis.
- Intermediate report
Payment service providers are required to send an intermediate report within 72 hours of the initial report as well as when they become aware of significant changes or new information that is relevant to the incident. This report should contain detailed information on the nature and impact of the incident. Payment service providers should continue to send intermediate reports until business-as-usual activities have resumed.
- Final report
Payment service providers must send their final report within two weeks of the conclusion of the major incident. The final report should contain detailed information on the root cause, actions taken and any other relevant information.