This is independent of the obligation to report major operational or security incidents as defined in the EBA Guidelines on major incident reporting based on (EU) Regulation 2015/2366 (PSD2).
What is a supervisory incident and when do you need to report it?
An incident is defined as any behaviour or event posing a serious threat to your institution's ethical business operations. This is an open standard which, from a prudential supervision perspective, has its legal basis in the rules on sound and ethical operational management as meant in in Section 3:17 of the Financial Supervision Act (Wet op het financieel toezicht – Wft). We distinguish the following categories of supervisory incidents:
- Incidents related to the management of business processes and risks. Examples include non-compliance with supervision legislation or the involvement of one of your institution's management board or staff members in a serious offence, such as fraud, corruption or a conflict of interests.
- Incidents related to the financial soundness of your institution. Examples include inadequate control of financial risks in the event of unexpected losses or a capital shortfall.
- Incidents related to the smooth operation of the payment system. For example a disruption of the payment process following a cyberattack.
- Incidents related to a management or governance crisis For example the unexpected departure of a management or supervisory board member.
U kunt het incident aan DNB melden via uw accounttoezichthouder of mailen naar infobetaalinstelling@dnb.nl. Mocht een incident kwalificeren als major incident, kunt u voor uw melding het digitaal loket toezicht gebruiken.
You can report the incident to your account supervisor, or by email to infobetaalinstelling@dnb.nl. If an incident qualifies as a major incident, you can report it through the digital supervision portal (DLT).
Policy
As part of the duty to report supervisory incidents your institution must also have a policy in place to control the relevant risks, specifying your handling and recording of incidents. This policy helps you to demonstrate that you have complied with your statutory duty to report and that you have taken the necessary action to control risks and prevent incidents from recurring. It helps us to carry out adequate supervision.