Outdated browser

You are using an outdated browser. DNB.nl works best with:

Q&A on the Regulation on oversight of the smooth operation of the payment system

Q&A

Based on the Regulation on oversight of the smooth operation of the payment system (the Regulation), DNB is responsible for oversight of banks, payment institutions and electronic money institutions that carry out 120 million or more non-cash payments every year. The Regulation lays down the requirements these institutions must consider in setting up their operational management so as to ensure the smooth operation of the payment system. 

Published: 04 June 2018

Latest update: 27 June 2022

We have prepared this Q&A document for the sector to help institutions interpret the Regulation correctly.

Question: 

Which payment methods come under the scope of the Regulation?

Answer:

All payment methods that are used in mass non-cash retail payments come under the scope of the Regulation. We expect banks, payment institutions and electronic money institutions to be able to effectively manage all types of payments. From a risk-based supervision perspective, the focus of our supervision is on iDEAL and payment terminal transactions as time-critical payments, and on the functionalities used to submit credit transfers and urgent payments (online or via mobile banking) as non-time-critical payments. Credit cards also come under the scope of the Regulation, but are not part of our primary focus due to their relatively limited use. We evaluate our risk-based supervision activities on a regular basis.

Question:

What is meant by a transaction within the Netherlands?

Answer:

They are transactions initiated by a payer or payee, where the payment service providers of both the payer and the payee have their registered office in the Netherlands. Domestic transactions are transactions between payment accounts held with payment service providers that are based in the Netherlands – the country of residence of the payer and the payee is not relevant in this respect.

Availability/unavailability data

Pursuant to Section 6(1) of the Regulation, banks, payment institutions and electronic money institutions must effectively manage their operational risks relating to payment transactions. Their systems must be designed so as to ensure set levels of availability and security levels (the standard).

For time-critical payment orders, we consider the standard to be met if an availability of 99.88% is achieved during the peak demand period1 measured on a quarterly basis and 98.5% outside this period.

For non-time-critical payment orders, we consider the standard to be met if services are restored promptly, i.e. if payment orders can be placed again within two hours. If availability falls below the set levels, we may consider this a reason to investigate whether the standard has been breached.

If third parties perform parts of the transaction processes, institutions must safeguard the availability levels through contractual arrangements and monitoring.

Question:

Which forms of unavailability must be included in the availability data?

Answer:

The purpose of availability data is to provide insight into actual availability. This means all forms of unavailability must be included, also in the event of contingency tests, disasters or calamities. An analysis of the causes of unavailability is an important part in our assessment of an institution's management of its operational risks.

Question:

When is the peak demand period?

Answer:

The peak demand period for POS transactions is the part of a day before 00:30 and after 06:00. The peak demand period for iDEAL transactions is the part of a day before 01:00 and after 06:30.

Question:

Which systems should institutions include in determining their availability data?

Answer:

Institutions must include those systems in the issuing domain for which they are responsible.

Question:

What are the rules for publishing availability data?

Answer:

Institutions must, as a minimum, publish their availability data for iDEAL and POS terminal transactions during both peak demand and low demand periods. They must publish them as weighted three-month averages, expressed as a percentage with two or more decimals. The data must be updated by the twelfth business day of each month, so as to ensure that these averages relate to the past three full calendar months. The institution must specify the date of publication or the three-month period to which the averages relate. The data published must remain available until four more sets of three-month averages have been published.

Availability data for debit card transactions

In the event of disruptions in debit card transactions, a stand-in functionality is often deployed.

Question:

Must the number of debit card transactions that is rejected during a stand-in due to stand-in limit breaches be included in the unavailability data?

Answer:

No, availability is measured in terms of hours, expressed as percentages, and not as numbers of transactions.

Question:

How should availability data for POS terminal transactions be calculated?

Answer:

Unavailability in POS terminal transactions is defined as the period during which both the institution and the stand-in functionality are unavailable. A formula to calculate availability data for POS terminal transactions is provided below.

Regeling Oversight goede werking betalingsverkeer 01

BP/dc = the availability in percentages of the POS / debit card payment product. There is a separate B_(P/dc hvt) and a separate B_(P/dc lvt ). These figures represent availability in the peak demand period and in the low demand period, respectively. Both figures are published on a monthly basis and relate to the availability figures over the past three months.

T = the time in minutes over the past three months.

T(peak demand period) = 18.5 * 60 * (the number of days in the previous three months) Each day contains 18.5 hours in the peak demand period, i.e. between 06:00 and 00:30.

T(low demand period) = 5.5 * 60 * (the number of days in the previous three months) Each day contains 5.5 hours in the low demand period, i.e. between 00.30 and 06.00.

∑ (Ostand-in-provider) = the sum of the time in minutes over the past three months that the stand-in provider was unavailable, broken down by peak demand period and low demand period. Both figures are provided by the stand-in provider and used by the bank concerned to calculate POS/debit card availability.

Availability data for iDEAL transactions

Question:

How should the availability for iDEAL be calculated?

Answer:

The availability data for iDEAL can be calculated using the following approach:

Regeling Oversight goede werking betalingsverkeer 02

Notes:

BiDEAL = the availability of iDEAL expressed as a percentage. There is a separate BiDEAL p and a separate BiDEAL l. These figures represent availability in the peak demand period and in the low demand period, respectively. Both figures are published on a monthly basis and relate to the availability figures over the past three months.

T = the time in minutes over the past three months.

T(p) is 18.5 * 60 times the number of days in the past three months (each day has a 18.5-hour peak demand period, i.e. between 06:30 and 01:00).

T(l) is 5.5 * 60 times the number of days in the past three months (each day has a 5.5-hour low demand period, i.e. between 01:00 and 06:30).

Σ(O) = the sum of the time in minutes over the past three months that the issuing domain was unavailable, broken down by peak demand period and low demand period. This sum includes all total unavailabilities and weighted partial unavailabilities. O is a unit of time.

Partial unavailability is included in Σ(O) according to the following formula:

Regulation on oversight of the smooth operation of the payment system

SRstandard = the standard success rate in a disruption-free period over the past three months. This is the normal percentage of consumer-initiated iDEAL transactions leading to a successful payment. Banks can use their own acquiring reports (the success rates for each issuer can be derived from this) as a source for determining the success rate standard.

SRrealised = the success rate measured during a partial disruption. If a bank has a better method for calculating partial unavailability (and is able to substantiate this), it is of course free to use this.

Question:

What is the minimum measurement accuracy for iDEAL?

Answer:

The minimum measurement accuracy is at least 1 measurement per minute. Institutions must be able to demonstrate that they are using an effective measurement method.

Maximum recovery time

Question:

Does the maximum recovery time requirement of 2 hours also apply to scheduled maintenance for changes and contingency tests?

Answer:

Yes, they are. The maximum recovery time requirement of 2 hours for non-critical payment orders relates to the possibility to initiate a payment order regardless of the channel (online, mobile banking or any other channel) and regardless of the cause of unavailability, so it also applies to scheduled maintenance for changes and contingency tests as well as to incidental disruptions or calamities. In assessing breaches of this requirement, we will in any event address (i) total unavailability for non-time-critical payment orders, (ii) the number of breaches of the maximum recovery time, (iii) the duration of such breaches and (iv) the specific circumstances of these breaches.

Subsidiary companies

Question:

Do subsidiaries also have to comply with the Regulation?

Answer:

Yes, they are. If a subsidiary or brand effects non-cash payment transactions under the licence of its parent company, this subsidiary company or brand must also comply with the Regulation. The transactions of the subsidiary count towards the total number of non-cash transactions of the parent company.

Question:

Do subsidiary companies also have to publish their availability data?

Answer:

Subsidiaries can publish their own availability data on their own website, or the data can be incorporated in the availability data of the parent company. If the parent company does not have its own customers, the data must be published at the subsidiary level.

[1] This is the part of the day when most transactions are processed.

DISCLAIMER
Q&As provide further insight into our policy practice, because we use them to publish our interpretation of statutory supervisory rules. Institutions subject to our supervision may choose to comply with the laws and regulations in other ways, however. If they do so, they must be able to demonstrate that their interpretation complies with the applicable laws and regulations and substantiate this. To read more about the status of our policy statements, go to the Explanatory guide to DNB's policy statements on Open Book on Supervision.