EBA guidelines on reporting obligations under PSD2 in Luxembourg

On December 17th 2018, the CSSF adopted the guidelines of the European Banking Authority on the notification of major operational or security incidents (EBA/GL/2017/10) (the “EBA Guidelines”). CSSF Circular 18/704 (the “CSSF Circular”), which adopts the EBA Guidelines (attached as its Annex 1), is applicable immediately upon issue. The EBA Guidelines provide the criteria, thresholds and methodology to be used by payment service providers (the “PSP”) and contain the templates to be used by a PSP when reporting “major operational or security incidents” to the national authorities. The adoption of the EBA Guidelines by the Luxembourg regulator is an important step in the transposition of Directive (EU) 2015/2366 on payment services (“PSD2”) into the Luxembourg regulatory regime on payment services, following the law of July 25th 2018, which transposed PSD2 by amending the Luxembourg law of November 10th 2009 on payment services (the “PSL”).

We refer you to our January 2018 Newsletter where we discussed the transposition of PSD2 in Luxembourg and related guidelines of the EBA on the information to be provided by the payment institutions to the competent national authorities.

Not only has the Luxembourg regulator formally adopted the EBA Guidelines in Luxembourg, but it has also provided further details in respect of the reporting obligation under Article 105-2 paragraph 1 of the PSL, which provides that “payment service providers shall report major operational or security incidents to the CSSF without undue delay”.

The CSSF confirms the scope of the obligation to report a “major operational or security incident” by stating that it shall extend to both external and internal events that could be either malicious or accidental. The CSSF Circular further provides the relevant deadlines for each type of report to be submitted by the PSP to the CSSF. For instance, once a PSP detects a “major operational or security incident”, it has a maximum of 4 hours to report it to the CSSF in the form of an “initial report”. Furthermore, if there is any relevant status update after the “initial report” has been submitted to the CSSF, the PSP should also report it to the CSSF in the form of an “intermediate report”. The PSP also needs to submit its “final report” within a maximum of 2 weeks after business is deemed back to normal. Finally, although such a possibility is not excluded under the EBA Guidelines, the CSSF confirms that the PSP cannot delegate its reporting obligation to any third party.

Related : Bonn Steichen & Partners

[+ http://www.bsp.lu]
