Q&A on the Regulation on oversight of the smooth operation of the payment system

We have prepared this Q&A document for the sector to help institutions interpret the Regulation correctly.

Answer:

All payment methods that are used in mass non-cash retail payments come under the scope of the Regulation. We expect banks, payment institutions and electronic money institutions to be able to effectively manage all types of payments. From a risk-based supervision perspective, the focus of our supervision is on iDEAL and payment terminal transactions as time-critical payments, and on the functionalities used to submit credit transfers and urgent payments (online or via mobile banking) as non-time-critical payments. Credit cards also come under the scope of the Regulation, but are not part of our primary focus due to their relatively limited use. We evaluate our risk-based supervision activities on a regular basis.

Answer:

They are transactions initiated by a payer or payee, where the payment service providers of both the payer and the payee have their registered office in the Netherlands. Domestic transactions are transactions between payment accounts held with payment service providers that are based in the Netherlands – the country of residence of the payer and the payee is not relevant in this respect.

Availability/unavailability data

Pursuant to Section 6(1) of the Regulation, banks, payment institutions and electronic money institutions must effectively manage their operational risks relating to payment transactions. Their systems must be designed so as to ensure set levels of availability and security levels (the standard).

For time-critical payment orders, we consider the standard to be met if an availability of 99.88% is achieved during the peak demand period1 measured on a quarterly basis and 98.5% outside this period.

For non-time-critical payment orders, we consider the standard to be met if services are restored promptly, i.e. if payment orders can be placed again within two hours. If availability falls below the set levels, we may consider this a reason to investigate whether the standard has been breached.

If third parties perform parts of the transaction processes, institutions must safeguard the availability levels through contractual arrangements and monitoring.

Answer:

The purpose of availability data is to provide insight into actual availability. This means all forms of unavailability must be included, also in the event of contingency tests, disasters or calamities. An analysis of the causes of unavailability is an important part in our assessment of an institution's management of its operational risks.

Answer:

The peak demand period for POS transactions is the part of a day before 00:30 and after 06:00. The peak demand period for iDEAL transactions is the part of a day before 01:00 and after 06:30.

Answer:

Institutions must include those systems in the issuing domain for which they are responsible.

Answer:

Institutions must, as a minimum, publish their availability data for iDEAL and POS terminal transactions during both peak demand and low demand periods. They must publish them as weighted three-month averages, expressed as a percentage with two or more decimals. The data must be updated by the twelfth business day of each month, so as to ensure that these averages relate to the past three full calendar months. The institution must specify the date of publication or the three-month period to which the averages relate. The data published must remain available until four more sets of three-month averages have been published.

Availability data for debit card transactions

In the event of disruptions in debit card transactions, a stand-in functionality is often deployed.

Answer:

No, availability is measured in terms of hours, expressed as percentages, and not as numbers of transactions.

Answer:

Unavailability in POS terminal transactions is defined as the period during which both the institution and the stand-in functionality are unavailable. A formula to calculate availability data for POS terminal transactions is provided below.

^BP/dc = the availability in percentages of the POS / debit card payment product. There is a separate B_(P/dc hvt) and a separate B_(P/dc lvt ). These figures represent availability in the peak demand period and in the low demand period, respectively. Both figures are published on a monthly basis and relate to the availability figures over the past three months.

T = the time in minutes over the past three months.

T(peak demand period) = 18.5 * 60 * (the number of days in the previous three months) Each day contains 18.5 hours in the peak demand period, i.e. between 06:00 and 00:30.

T(low demand period) = 5.5 * 60 * (the number of days in the previous three months) Each day contains 5.5 hours in the low demand period, i.e. between 00.30 and 06.00.

∑ (^Ostand-in-provider) = the sum of the time in minutes over the past three months that the stand-in provider was unavailable, broken down by peak demand period and low demand period. Both figures are provided by the stand-in provider and used by the bank concerned to calculate POS/debit card availability.

Availability data for iDEAL transactions

Answer:

The availability data for iDEAL can be calculated using the following approach:

Notes:

^BiDEAL = the availability of iDEAL expressed as a percentage. There is a separate BiDEAL p and a separate BiDEAL l. These figures represent availability in the peak demand period and in the low demand period, respectively. Both figures are published on a monthly basis and relate to the availability figures over the past three months.

T = the time in minutes over the past three months.

T(p) is 18.5 * 60 times the number of days in the past three months (each day has a 18.5-hour peak demand period, i.e. between 06:30 and 01:00).

T(l) is 5.5 * 60 times the number of days in the past three months (each day has a 5.5-hour low demand period, i.e. between 01:00 and 06:30).

Σ(O) = the sum of the time in minutes over the past three months that the issuing domain was unavailable, broken down by peak demand period and low demand period. This sum includes all total unavailabilities and weighted partial unavailabilities. O is a unit of time.

Partial unavailability is included in Σ(O) according to the following formula:

SRstandard = the standard success rate in a disruption-free period over the past three months. This is the normal percentage of consumer-initiated iDEAL transactions leading to a successful payment. Banks can use their own acquiring reports (the success rates for each issuer can be derived from this) as a source for determining the success rate standard.

SRrealised = the success rate measured during a partial disruption. If a bank has a better method for calculating partial unavailability (and is able to substantiate this), it is of course free to use this.

Answer:

The minimum measurement accuracy is at least 1 measurement per minute. Institutions must be able to demonstrate that they are using an effective measurement method.

Maximum recovery time

Answer:

Yes, they are. The maximum recovery time requirement of 2 hours for non-critical payment orders relates to the possibility to initiate a payment order regardless of the channel (online, mobile banking or any other channel) and regardless of the cause of unavailability, so it also applies to scheduled maintenance for changes and contingency tests as well as to incidental disruptions or calamities. In assessing breaches of this requirement, we will in any event address (i) total unavailability for non-time-critical payment orders, (ii) the number of breaches of the maximum recovery time, (iii) the duration of such breaches and (iv) the specific circumstances of these breaches.

Subsidiary companies

Answer:

Yes, they are. If a subsidiary or brand effects non-cash payment transactions under the licence of its parent company, this subsidiary company or brand must also comply with the Regulation. The transactions of the subsidiary count towards the total number of non-cash transactions of the parent company.

Answer:

Subsidiaries can publish their own availability data on their own website, or the data can be incorporated in the availability data of the parent company. If the parent company does not have its own customers, the data must be published at the subsidiary level.

[1] This is the part of the day when most transactions are processed.

DISCLAIMER
Q&As provide further insight into our policy practice, because we use them to publish our interpretation of statutory supervisory rules. Institutions subject to our supervision may choose to comply with the laws and regulations in other ways, however. If they do so, they must be able to demonstrate that their interpretation complies with the applicable laws and regulations and substantiate this. To read more about the status of our policy statements, go to the Explanatory guide to DNB's policy statements on Open Book on Supervision.