Reporting under PSD2

New reporting requirements under PSD2.

PSD2 introduces the following new reporting requirements:

Statistical data on payments fraud 

At least every year, PSPs must send their competent authorities statistical data on fraud affecting different types of payment. Competent authorities must provide this information in an aggregated form to the European Banking Authority (EBA) and European Central Bank (ECB).

Assessments of operational and security risk measures

At least every year, PSPs must send their competent authorities an updated and comprehensive assessment of the operational and security risks to their payment services. They must also include information on the effectiveness of the mitigation measures and control mechanisms they have brought in.

Reporting from inward passporting firms

Member States may require payment institutions that have agents or branches in their territories to report to them periodically on the activities they carry out in their territories.

Incident Reporting

PSPs must notify their competent authorities as soon as possible if they become aware of a major operational or security incident. When the competent authority receives this notification, it will be required to give the EBA, the ECB and any other relevant authorities in the Member State relevant details.


PSD2 is being implemented in the UK through the Payment Services Regulations 2017, which the Treasury consulted on in February 2017.

We issued a consultation to reflect the Treasury’s new regulations in April 2017. This included proposals for reporting on payments fraud. We will also issue a further consultation on forms, such as those for incident reporting and operational risk, in mid-2017.

We issued a smaller follow-up consultation which included proposals for incident reporting under PSD2 in July 2017.