
The Bank of Albania prepares the regulation for the reporting of major incidents by payment operators

2023-11-02 07:38:00, Ekonomi CNA

The Bank of Albania has prepared a draft regulation under which all licensed payment institutions must report major incidents. The draft regulation follows a wave of cyber attacks that the financial sector has faced in the last two years.

The draft regulation "On the reporting of major incidents" aims to define the criteria by which payment service providers classify operational or security incidents as major incidents, and the reporting format and procedures that payment service providers must follow to notify the Bank of Albania.

Major incidents shall be defined as operational or security incidents, which may be a single event or a series of related events, unplanned by the payment service provider, that have or are likely to have a negative impact on the integrity, availability, confidentiality or authenticity of payment-related services.

Payment service providers evaluate an operational or security incident against several criteria.

One criterion will be the transactions affected by the incident, for which payment service providers determine the total value, as well as the number of compromised payments as a percentage of the regular level of payment transactions carried out through the payment services affected by the incident.

Another criterion will be the number of payment service users affected by the incident, for which payment service providers determine their number, in absolute value and as a percentage of the total number of payment service users.

Another criterion will be the breach of network or information systems security, for which payment service providers determine whether any malicious action has compromised the security of the network or information systems related to the provision of payment services.

The classification will also be based on the duration of service interruption, for which payment service providers define the period of time during which the service is likely to be unavailable to the payment service user.

Economic impact will also be a criterion, for which payment service providers determine the monetary costs associated with the incident in a holistic manner, taking into account their absolute value and, when applicable, the relative importance of these costs in relation to the size of the payment service provider.

A high level of internal escalation will be a further criterion, for which payment service providers determine whether the incident has been reported or is likely to be reported to the entity's executives.

Other payment service providers or related infrastructures that may be affected by the incident will also be considered, for which payment service providers determine the systemic impacts that the incident is likely to have, i.e. the possibility that the effect of the incident will spread beyond the initially affected payment service provider to other payment service providers, financial market infrastructures or payment schemes.

The last criterion will be reputational impact, for which payment service providers determine how the incident may undermine the trust of payment service users in the payment service provider itself and, in general, in the basic service provided or in the market as a whole.

Payment service providers must submit the initial report to the Bank of Albania within 4 hours of the operational or security incident being classified as a major incident.

Subsequently, payment service providers must submit the interim report to the Bank of Albania once their regular activity has recovered and business has returned to normal, notifying the Bank of Albania of this circumstance.

Payment service providers consider their business to be back to normal when their operations return to the same level of service and when the emergency measures are no longer in force.

The interim report should contain a more detailed description of the incident and its consequences. If regular activity has not been recovered, payment service providers submit an interim report to the Bank of Albania within 3 working days from the date of submission of the initial report.

In a third stage, payment service providers submit a final report to the Bank of Albania once the root cause analysis of the incident has been carried out and real figures are available to replace any preliminary assessment.

Payment service providers submit the final report to the Bank of Albania within a maximum period of 20 working days after the business is considered to be back to normal. / Monitor Magazine




