Eba guidelines on reporting obligations under the PSD 2 in Luxembourg

The CSSF has adopted on December 17th 2018 the guidelines of the European Banking Authority on the notification of major operational or security incidents (EBA/GL/2017/10) (the “EBA Guidelines”). CSSF Circular 18/704 (the “CSSF Circular”) adopting the EBA Guidelines (attached as its Annex 1) is applicable immediately upon issue. The EBA Guidelines provide the criteria, thresholds and methodology to be used by payment service providers (the “PSP”) as well as contain templates to be used by the PSP in its reporting of “major operational or security incidents” to the national authorities. Adoption of the EBA Guidelines by the Luxembourg regulator is an important step in the transposition of Directive (EU) 2015/2366 on payment services (“PSD2”) into the Luxembourg regulatory regime on payment services after the law of July 25th 2018 transposed PSD2 by amending the Luxembourg law of November 10th 2009 on payment services (the “PSL”).

We refer you to our January 2018 Newsletter where we discussed the transposition of PSD2 in Luxembourg and related guidelines of the EBA on the information to be provided by the payment institutions to the competent national authorities.

Not only has the Luxembourg regulator formally adopted the EBA Guidelines in Luxembourg but also provided further details in respect of the reporting obligation under Article 105-2 paragraph 1 of the PSL which provides that “payment service providers shall report major operational or security incidents to the CSSF without undue delay”.

The CSSF confirms the scope of the obligation to report a “major operational or security incident” by stating that it shall extend to both external and internal events that could be either malicious or accidental. The CSSF Circular further provides the relevant deadlines for each type of the report to be submitted by the PSP to the CSSF. For instance, once a PSP detects a “major operational or security incident”, it has a maximum of 4 hours to report it to the CSSF in the form of an “initial report”. Furthermore, if there is any relevant status update after the “initial report” has been submitted to the CSSF, the PSP should also report it to the CSSF in the form of an “intermediate report”. The PSP also needs to submit its “final report” within a maximum of 2 weeks after business is deemed back to normal. Finally, although such possibility is not excluded under the EBA Guidelines, the CSSF confirms that no delegation of the reporting obligation of the PSP can be made to any third party.

Related : Bonn Steichen & Partners

[+ http://www.bsp.lu]

All articles Banking law

Lastest articles Banking law

Transitional measures for the Luxembourg financial sector in relation to a hard Brexit The Bill o...

?On 31 January 2019, the Ministry of Finance has submitted a bill of law to the Luxembourg Parliament (the Bill 7401)...

Read more

The Luxembourg Register of Beneficial Owners

On 15 January 2019, the law establishing a Luxembourg register of beneficial owners (the "REBECO Act"), transpos...

Read more

The Grand Duchy of Luxembourg implements the Register of Beneficial Owners Law

The Grand Duchy of Luxembourg has fulfilled its European obligations in the fight against money laundering and the financi...

Read more

The Luxembourg Register of Beneficial Owners goes live on 1 March 2019

The Luxembourg law creating a register of beneficial owners transposing article 30 of Directive 2015/849 was adopted on 13...

Read more

LexGO Network