Bank of Italy implemented EBA Guidelines on major incident reporting and EBA Guidelines on the security measures for operational and security risks of payment services.

On January 9th, 2019 Bank of Italy launched a consultation to amend Circular 285/2013 (Supervisory Instructions for Banks) in order to fully implement:

  • The EBA Guidelines on reporting of serious incidents of December 19th, 2018 and EBA Guidelines on security measures concerning operational and security risks of payment services of January 12th, 2018;
  • The EBA Guidelines on the conditions to be met to benefit from an exemption from contingency mechanism under Article 33 (6) Regulation (EU) 2018/389 (RTS on SCA & CSC); and
  • The EBA Recommendations on outsourcing and provision of cloud service providers of March 28th, 2018.

Responses to this consultation can be sent to Bank of Italy by following instructions on the consultation page of the Bank of Italy's website. Please note that the deadline for the submission of comments is February 7th, 2019.

Guidelines on security measures concerning operational and security risks of payment services

As far as major incident reporting is concerned, the consultation paper provides that banks would be required to submit a communication directly to the Bank of Italy. In this way, banks will be required to improve the measures already adopted and make their board more aware of the risks.

In addition, the consultation does not provide for Italy to opt for delegation of reporting obligations to a third party, including communications in aggregated form.

The Bank of Italy will publish on its website updated forms to be used for reporting purposes together with the relevant instructions in order to facilitate the collection and representation of the required information. In sum, the Bank of Italy has opted for a unified notification procedure regardless of the type of incident occurred concerning either payment services or other areas of activity.

For payment institutions and e-money institutions, the implementation of the above mentioned EBA Guidelines is being carried out separately.

Guidelines on the conditions to be met to benefit from an exemption from contingency mechanism

According to the RTS on SCA and CSC, by September 14th, 2019 Account Servicing Payment Service Providers (ASPSPs) that offer to a payer a payment account that is accessible online are required to provide to account information service providers (AISPs), payment initiation service providers (PISPs) and payment service providers issuing card-based payment instruments (CISPs) at least one interface in order to access payments accounts and to identify themselves towards the ASPSP.

This obligation aims at granting a secure channel for authentication and communication between ASPSPs and the abovementioned payment services providers, and can be satisfied either by:

  • Providing a dedicated interface to grant access (Option 1); or
  • Adapting the existing interface already used by the ASPSPs for the authentication and communication with their customers (Option 2).

If Option 1 is adopted, ASPSPs must ensure that – in case there is unplanned unavailability of the dedicated interface and that there is a systems breakdown – the payment services providers shall be allowed to make use of the interfaces made available to the customers for the authentication and communication with their ASPSPs, until the dedicated interface is restored to the regular level of availability and performance (fall-back option).

Bank of Italy may exempt the ASPSPs from providing this fall-back option provided that the dedicated interface meet certain requirements set forth in Article 33 (6) of the RTS on SCA and CSC.

In this regard, on January 4th, 2019, Bank of Italy provided ASPSPs with certain operating instructions for applying for the above exemption from the fall-back. These instructions provided also a strictly timeline allowing ASPSPs to provide Bank of Italy Authority with the needed information about the (i) dedicated interfaces, (ii) results of the stress tests and functionality tests required by Article 30 (5) of the RTS on SCA and CSC and (iii) conclusive evidence about the requirement of wide usage of the dedicated interfaces as provided for in the RTS on SCA and CSC.

EBA Recommendations on outsourcing to cloud service providers

The Italian legal framework currently in force, providing detailed rules for outsourcing of information systems and ICT critical resources, including for the use of cloud computing, are already compliant with the EBA Recommendations. Therefore, Supervisory Instructions for Banks requires only some specific amendments.

The main amendments are as follows:

  • To create updated registers of the activities outsourced to cloud service providers; and
  • To adopt a risk-based approach on data and processing data location.