On March 14th 2019, the CSSF published:
- CSSF Circular 19/712 (the “Fraud Data CSSF Circular”) adopting the guidelines of the European Banking Authority (“EBA”) on reporting requirements for fraud data under Article 96(6) of Directive (EU) 2015/2366 on payment services (“PSD2”) - EBA/GL/2018/05, and
- CSSF Circular 19/713 (the “Security Measures CSSF Circular”) adopting the EBA guidelines on the security measures for operational and security risks of payment services under PSD2 - EBA/GL/2017/17.
The Security Measures CSSF Circular took effect immediately, whereas the Fraud Data CSSF Circular shall only take effect from January 1st 2020.
According to Article 105-2 of the Luxembourg law of 10 November 2009 on payment services, as amended (the “2009 Law”), payment service providers (“PSPs”) shall provide the CSSF, at least on an annual basis, with statistical data on fraud relating to the different means of payment, which the CSSF, in turn, provides, in aggregate form, to the EBA and the European Central Bank (the “ECB”). The EBA guidelines adopted by the Fraud Data CSSF Circular provide details on how such statistical data on fraud shall be reported to the relevant competent authorities by clarifying the types of payment transactions and fraudulent payment transactions to be reported as well as the reporting frequency, reporting timelines and reporting periods. In addition to clarifying the half-yearly reporting periods, the Fraud Data CSSF Circular explains that the fraud reporting is to be provided even if no fraud occurred during the reporting period. Furthermore, if an adjustment to a previous report is required, PSPs should submit the revised reporting table (in accordance with the applicable technical instructions), indicating the relevant past reporting period.
According to Article 105-1(2) of the 2009 Law, PSPs shall provide to the CSSF, at least on an annual basis, an up-to-date and comprehensive assessment of the operational and security risks associated with the payment services they provide, and information on the adequacy of the mitigation measures and control mechanisms which have been implemented so as to address these risks. The EBA guidelines adopted by the Security Measures CSSF Circular provide details on the annual auditing requirements for the security measures taken and on the annual reporting requirements regarding the assessment of major operational and security risks. The Security Measures CSSF Circular clarifies the form and time frame in which the above-mentioned assessments and information must be provided to the CSSF.