Payment service providers’ reporting obligations in the event of security incidents
Payment service providers must inform the German Federal Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, “BaFin”) without undue delay of any serious operational or security incidents, according to section 54(1) sentence 1 Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz, “ZAG”). On 10 March 2022, BaFin issued its circular 03/2022 (BA) (“Circular”), firstly specifying when an operational or security incident should be classified as “serious” thus requiring reporting; and secondly, amending the details of the requirements for the reporting process. As of 1 October 2022, the Circular will replace circular 08/2018 (BA) of 7 June 2018 on reporting serious payment security incidents.
The reporting obligation in section 54(1) sentence 1 ZAG is intended to ensure that BaFin, and through it the European supervisory authorities (BaFin in turn has to report to the EBA and the European Central Bank under section 54(1) sentence 2 ZAG), are informed of any circumstances affecting payment transactions within the remit of payment service providers and can take whatever steps are necessary against the institutions concerned. There is thus a specific supervisory reporting obligation for security incidents on top of the more general statutory reporting obligations for security incidents under data protection law (Article 33 GDPR) and under the law on critical infrastructure (section 8b(4) of the German Act on the Federal Office for Information Security, BSIG), which in turn complements the notification obligation specifically addressing incidents in outsourcing relationships (section 24(1) no. 19 of the German Banking Act, KWG). Given the growing significance of cyberattacks, ensuring compliance with these reporting obligations, as well as, of course, taking measures to prevent security incidents in the first place, is an important element of a proper business organisation.
With the amendment of the Circular, BaFin is responding to the adaptation of the guidelines from the European Banking Authority (EBA) on reporting major incident cases under the Payment Services Directive (EBA/GL/2017/10) last year. The amendment revises the criteria for classification as a serious security incident, streamlines the reporting process and specifies some requirements, especially on the expected timing of reports. In addition, the forms to be used for submitting reports have been revised.
Addition and amendment of the classification criteria for “serious” incidents
The criteria for classifying operational and security incidents as serious have essentially remained unchanged. As before, the Circular defines various criteria and thresholds for assessing whether an operational or security incident is serious. The following are relevant: (i) the payment transactions affected, (ii) the payment service users affected, (iii) a security breach in network and information systems, (iv) the downtime of a service, (v) the financial impact, (vi) a high internal escalation level, (vii) the impact on other payment service providers or relevant infrastructure; and (viii) any reputational damage.
Out of the above criteria, only one is new, namely the assessment criterion “security breach in network and information systems” (point 1.2 (iii)). According to this criterion, a payment service provider must determine whether the availability, authenticity, integrity or confidentiality of its network or information systems (including the relevant data) associated with the provision of payment services has been breached by a malicious act.
For each criterion, the Circular defines the conditions under which it is met at the high or the low impact level. On this basis, an operational or security incident is “serious”, and therefore has to be reported, if, applying the criteria and thresholds described in the Circular, it
- meets at least one criterion of the “high impact level” or
- meets at least three criteria of the “low impact level”.
The Circular now clearly states that all operational and security incidents must be assessed and classified as either serious or non-serious. Therefore, payment institutions must assess every incident according to the requirements of the Circular and cannot limit themselves to considering only (allegedly) serious cases. Payment service providers should also document this assessment with auditable documentation.
For the institutions concerned, the Circular contains some clarifications. For example, with regard to the criteria of “payment transactions affected” (No. 1.2 (i)) and “payment service users affected” (No. 1.2 (ii)), it is clarified that incidents affecting the ability of a payment service provider to initiate and/or process transactions are generally only to be reported if the incidents last longer than one hour. However, this restriction will not apply if the thresholds of the high impact level are exceeded.
For the criterion of “payment transactions affected”, the monetary thresholds for determining the impact level have been raised, while the percentage thresholds are unchanged. At the low impact level, in addition to the incident lasting more than one hour, either (i) more than 10% of the payment service provider’s usual transaction volume must be affected (unchanged from circular 08/2018 (BA)) or (ii) the total amount of the affected payment transactions must exceed €500,000 (previously €100,000). At the high impact level, either more than 25% of the payment service provider’s usual transaction volume is affected (likewise unchanged from circular 08/2018 (BA)) or the total amount of the affected payment transactions exceeds €15 million (previously €5 million).
With regard to the criterion of a “high internal escalation level” (No. 1.2 (vi)), the Circular states that this is only present if, owing to the impairment of payment-related services, management has been informed or is likely to be informed about the incident outside the regular reporting procedure and continuously for the duration of the incident. Under circular 08/2018 (BA), it was still sufficient for the Chief Information Officer to be involved.
With regard to the criterion of “reputational damage” (No. 1.2 (viii)), the assessment by the payment service provider must now also take into account whether (i) payment service users and/or other payment service providers have complained about the adverse effects of an incident and (ii) contractual obligations have not been fulfilled or are unlikely to be fulfilled as a result of the incident. Furthermore, the assessment of the visibility that an incident acquires or is likely to acquire in the market will no longer depend solely on the knowledge of a payment institution but on its “best knowledge”. This is likely to entail an obligation to proactively obtain such knowledge where appropriate.
Probability of an incident having negative effects
It is also notable that the Circular lowers the degree of probability required for an event to count as an “operational or security incident”. Where adverse effects on the integrity, availability, confidentiality and/or authenticity of payment-related services have not yet materialised but are imminent, it is no longer necessary that they will occur “in all likelihood”, as circular 08/2018 (BA) required; it is sufficient that such future consequences are simply “likely”. In parallel, the wording “extremely likely” was replaced by “likely” in the individual classification criteria (e.g. payment transactions affected, payment service users affected, service downtime, high internal escalation level, impact on other payment service providers or relevant infrastructures, and reputational damage) with regard to the future impact of an incident. A stricter standard will therefore apply in future: the mere probability of negative consequences will be sufficient to classify an incident as a serious operational or security incident.
Revision of the reporting process
The process for reporting in accordance with section 54(1) sentence 1 ZAG has also been revised. In principle, however, the reporting process still has three different stages, namely an initial report, one or more interim reports and a final report.
With regard to the initial report, new terminology is used for the event that triggers its submission. Previously, under circular 08/2018 (BA), the initial report had to be submitted within four hours of the “identification” of a serious operational and/or security incident, identification being equivalent to classification as serious. A conceptual distinction is now made between identification on the one hand and classification on the other, with “classification” being decisive for the start of the four-hour period for submitting the initial report (No. 2.8). This distinction can only be understood to mean that the “identification” of an incident refers to knowledge of the relevant factual circumstances, while “classification” means assessing them as serious or non-serious within the meaning of section 54(1) sentence 1 ZAG. In addition, the payment service provider is now expressly obliged to carry out the classification promptly: no later than 24 hours after the incident has been identified, and immediately once the information required for classifying the incident is available (No. 2.9).
A welcome change is the restructuring of the previously fragmented system of interim reports. Interim reports now only have to be submitted if:
- the activities/processes are back at the level of performance/conditions in terms of processing times, capacity, security requirements, etc. set by the payment service provider or externally specified in a service level agreement, and no contingency measures are in place any more (No. 2.12);
- regular business activities have not yet been resumed after three business days (No. 2.13);
- significant changes in the information have occurred since previous reports (e.g. the incident has become more or less serious, new causes have been identified or corrective action has been taken) (No. 2.14); and/or
- at the request of BaFin (No. 2.14).
The final notification must now be made within 20 business days of regular operations being resumed, instead of within two weeks as before (No. 2.18).
Other additional obligations of payment service providers
In addition, payment service providers are now obliged to report any reclassification of an incident from serious to non-serious or vice versa to BaFin without undue delay (No. 1.5). Previously, BaFin had to be informed about the reclassification as soon as possible and no later than the estimated date of the next (interim) report (No. 2.10 of circular 08/2018 (BA)).
Where the reporting obligation is delegated by a payment service provider to a third party and that third party is allowed to submit the report in a consolidated form (i.e. by submitting a single report referring to several payment service providers affected by the same serious operational or security incident), the payment service provider must also ensure a list of the payment service providers involved is submitted to BaFin (No. 3.2 (d)).
Furthermore, in the case of a delegated reporting obligation, payment service providers must ensure in future that the delegated report refers to the individual data of the relevant payment service provider in the event of an incident caused by a technical service provider (or technical infrastructure) which affects several payment service providers (No. 3.6). The only exception is if it is a consolidated report that relates to several payment service providers.
Timetable and implementation
The provisions in the Circular for reporting serious security incidents pursuant to section 54(1) sentence 1 ZAG will apply from 1 October 2022. Until then, BaFin’s administrative practice will be based on circular 08/2018 (BA), which will be repealed when the amended Circular comes into force.
Conclusion
The amendment of the rules for reporting serious operational or security incidents according to section 54(1) sentence 1 ZAG is a reaction to the increasing risk of cyberattacks and is therefore welcome in principle. For example, it makes sense to include a “security breach in network or information systems” among the criteria for reportable incidents. Admittedly, this, like the lowering of the probability threshold for reportable incidents, is likely to lead to more reports. On the other hand, the exclusion of incidents (at the low impact level) that are resolved within one hour should, assuming the payment service provider’s internal processes are organised for rapid fault resolution, reduce the number of incidents that actually have to be reported. Obviously, this does not affect the obligation to review every incident internally to see whether it needs to be reported. Streamlining the procedure for interim reports is, finally, a welcome simplification. All in all, the amendment is certainly not a “big bang”. But that was not to be expected given the limited scope of the changes to the EBA guidelines on reporting major incidents under the Payment Services Directive. In practice, the main effect of the amendment is likely to be that it once again focuses the attention of payment service providers on IT security and on the reporting processes for security incidents as a key component of a proper compliance system.