PSD2 - Reporting Requirements

Directive 2015/2366/EU on payment services (or “PSD2”) was transposed into Irish law, with effect from 13 January 2018, by the European Union (Payment Services) Regulations, 2018 (S.I. No.6 of 2018, hereafter referred to as the Payment Services Regulations 2018). The Payment Services Regulations 2018 place a number of reporting requirements on payment service providers (PSPs) and the expectations of the Central Bank of Ireland in terms of PSPs meeting. These requirements are set out below.

Major Incident Reporting

PSD2 - Reporting Requirements

Directive 2015/2366/EU on payment services (PSD2) was transposed into Irish law, with effect from 13 January 2018, by the European Union (Payment Services) Regulations, 2018 (S.I. No.6 of 2018, hereafter referred to as the Payment Services Regulations 2018). The Payment Services Regulations 2018 place a number of reporting requirements on payment service providers (PSPs). The expectations of the Central Bank in terms of PSPs meeting these requirements are set out below.

Major Incident Reporting

Regulation 119 of the Payment Services Regulations 2018 provides that, where a major operational or security incident occurs, a PSP is required to notify the Central Bank without undue delay. The EBA Revised Guidelines on major incident reporting under PSD2, define an operational or security incident as, “a singular event or a series of linked events unplanned by the payment service provider which has or will likely have an adverse impact on the integrity, availability, confidentiality, and/or authenticity of payment-related services.” The EBA Revised Guidelines set out specific criteria for the classification of an operational or security incident as being a major incident, and provide that PSPs should submit an initial report of a major incident to the Central Bank within four hours from the moment the incident has been classified as major. The incident classification exercise should be completed in a timely manner after the incident has been detected, but no later than 24 hours after detection.

Reports should be submitted through the Central Bank of Ireland Portal channel, which is available to receive reports at all times, i.e., both during and outside of business hours.

Central Bank expectations where a PSP has not classified an incident within four hours of detection

If a PSP has not completed the incident classification exercise within 4 hours of detection of the incident, the Central Bank expects the PSP to notify its supervisory team in the Central Bank, using phone or email channels, that an incident has occurred and is under review.

If it transpires that the incident is not major, the PSP should promptly (and no later than 24 hours after the detection of the incident) inform its supervisory team, via phone or email.

Reporting template

The Central Bank requires PSPs to use this template when reporting a major incident. The template consists of three sections that the Central Bank expects PSPs to populate until the conclusion of the incident. Please use this guidance document when populating the template.

The template contains further information on how to populate the required fields in the “Instructions” and “Explanatory notes” tabs. The three types of reports are:

Initial report

PSPs are required to submit the initial report within four hours from the moment the incident has been classified as major. The initial report requires PSPs to provide basic information on the incident as well as a general description on what has occurred. PSPs should complete the initial incident report template on a best effort's basis.

Intermediate report

PSPs are required to submit an intermediate report within three working days from the submission of the initial report, unless regular activities have been recovered and business is back to normal sooner, in which case an intermediate report should be submitted at that point. PSPs should also submit an intermediate report when they become aware of significant changes since the submission of the previous report. The intermediate report should contain detailed information on the incident and its consequences. If the incident is not resolved within three working days, PSPs should continue to send intermediate reports when there is a significant change from the previous report until business as usual activities have resumed.

Final report

PSPs must submit their final report within a maximum of 20 working days after business is deemed back to normal. The final report should contain detailed information on the root cause, and actual figures on the impact of the incident to replace any potential estimates.

Operational and Security Risk Reporting

Regulation 118 of the Payment Services Regulations 2018 requires PSPs to provide to the Central Bank, on an annual basis, an updated and comprehensive assessment of:

The operational and security risks relating to the payment services provided by the PSP and
The adequacy of the mitigation measures and control mechanisms implemented in response to those risks

The Central Bank requires payment service providers to use the following template when reporting the operational and security risk assessment.

Guidance on PSD2 Operational and Security Risk Assessment Return

Payment Fraud Statistics Reporting

The EBA has published Guidelines which set out the requirements applicable to reporting of Payment Fraud Statistics by PSPs to national competent authorities (NCAs) such as the Central Bank. These guidelines are effective from January 2019.

To alleviate the reporting burden for both PSPs and NCAs/NCBs under the PSD2 and the amended ECB Payments Statistics Regulation a streamlined approach to jointly reporting both sets of data is in place.

For more information and detailed reporting requirements on Payment Fraud Statistics Reporting, please see the Statistics section of the Central Bank website.

All questions on Payment Fraud Statistics Reporting should be addressed to [email protected].

Denial of Service Reporting

Regulation 44(3) of the Payment Services Regulations 2018 provides that credit institutions are required to inform the Central Bank without delay when an application for access to their payment account services by a Payment Institution is rejected. Credit Institutions must also provide the Central Bank with duly motivated reasons for any rejection. The Central Bank requires credit institutions to use the following template to report any rejection of access together with duly motivated reasons for any rejection

Regulation 92(9) of the Payment Services Regulations 2018 provides that account servicing payment service providers are required to inform the Central Bank immediately after denying an account information service provider or a payment initiation service provider access to a payment account. The information provided should include the reasons for denying access and other relevant details. The Central Bank requires firms to use the following template to report such denials of access.

How to submit a report

Reports can be submitted via the Central Bank of Ireland Portal.

Further information in relation to the is available at Central Bank of Ireland Portal. Detailed user guides are available for Article 36, Article 68 and Major Incident Reports.

The Central Bank expects firms to contact their respective supervisor in addition to submitting the initial report.

Firms to whom these reporting obligations apply and who don't currently have access to the Portal must communicate this to their supervisor.

Industry Market Sectors

More information on specific industry sectors can be found by clicking on the relevant sector

Further Information:

PSD2 - Frequently Asked Questions
Consumer Protection Codes and Regulations
The European Supervisory Authorities Technical Standards and Guidelines page
Firms seeking information on making a notification in relation to either the Limited Network Exclusion or the Electronic Communications Exclusion should refer to the Excluded Firm Notifications section on the payment institutions introductory page.