Text size:

Description and continuity requirements of payment services and cash circulation

Issuer:Governor of Eesti Pank
Type:regulation
In force from:22.07.2018
In force until: In force
Translation published:30.07.2018

Description and continuity requirements of payment services and cash circulation

Passed 13.07.2018 Annex 7

This decree is adopted on the basis of subsection 37 (2) of the Emergency Act and subsection 3 (3) of the Credit Institutions Act.

§ 1.  Scope of the decree

 (1) This decree defines payment services and cash circulation as vital services (hereinafter collectively referred to as vital services), establishes requirements for the continuity of vital services and lays down the list of vital service providers.

 (2) The decree also stipulates requirements for the availability level of vital services and service provision readiness, as well as measures for the prevention of interruptions to vital services. It also establishes the procedure for the restoration of vital services and circumstances amounting to an emergency caused by an extensive or severe interruption to a vital service, as well as the procedure for reporting an emergency or a threat of emergency.

§ 2.  Providers of vital services

  Providers of vital services (hereinafter service provider) include:
 1) AS SEB Pank;
 2) Swedbank AS;
 3) Luminor Bank AS.

 (2) Eesti Pank shall revise the list of service providers at least once a year and update it as necessary.

§ 3.  Payment services

  Vital payment services include intra-bank payments by the service provider, payments between service providers and card payment services provided by the service provider.

§ 4.  Cash circulation

  Cash circulation as a vital service includes services which enable clients to make cash payments in payment accounts and withdraw cash from payment accounts.

§ 5.  Requirements for the prevention of interruptions to vital services

 (1) For the purposes of preparing the continuity risk assessment and plan referred to in subsection 39 (1) of the Emergency Act and in planning various measures, the service provider must consider at least the following threats:
 1) cyber attacks;
 2) failures in information systems and equipment;
 3) acts of terrorism;
 4) fires;
 5) long-term power outages;
 6) disruptions to phone, mobile phone and data communication services;
 7) riots;
 8) epidemics;
 9) strikes;
 10) floods.

 (2) For ensuring the continuity of the information systems and equipment required for performing the critical activities of vital services, the service provider shall take at least the following measures:
 1) ensure backup power supply by alternative cable routes;
 2) ensure backup data communications by alternative cable routes and a backup provider of data communication services;
 3) the systems and communications referred to in clauses 1) and 2) of this subsection switch automatically to backup;
 4) there is an autonomous power supply system, which starts automatically and ensures independent power supply for at least 24 hours.

§ 6.  Requirements for the availability level of vital services

 (1) In case of an emergency, the service provider shall ensure that:
 1) at least 10% of cash distribution points remain operative;
 2) payments between the accounts opened with the service provider and those with other service providers are settled at least once per settlement day;
 3) the service provider’s information systems or equipment, or any backup systems or equipment remain operative; cooperation with third parties helps to ensure card transactions take place;
 4) vital services are provided to an extent corresponding to 70% of the average number of the transactions relating to the relevant service under normal circumstances.

 (2) In determining the location of the cash distribution points referred to in clause (1) 1) of this section, the service provider shall consider the geographical coverage of the cash points, the population density in a particular region and the options normally available for taking out cash.

 (3) The service provider shall seek the approval of Eesti Pank as regards the location of cash distribution points referred to in clause (1) 1) of this section.

§ 7.  Permissible duration of interruption to vital services

 (1) A vital service is interrupted if due to failures in the delivery of the service, the number of service transactions falls below 20% of the average number of transactions for a comparable preceding period.

 (2) The maximum permissible duration of an interruption to a vital service shall be 12 hours.

 (3) The service provider shall calculate the ratio showing the extent of the interruption to the vital service, referred to in the regulation established under subsection 39 (5) of the Emergency Act, as a ratio of the interrupted or rejected client queries to the total number of client queries.

§ 8.  Requirements for outsourcing services in support of the principal activities

 (1) The outsourcing of services in support of the principal activities of the service provider (hereinafter outsourcing a service) refers to a situation where a critical activity as defined in the regulation established under subsection 39 (5) of the Emergency Act is fully or partially performed by an external service provider

 (2) Outsourcing a service shall not exempt the service provider from the obligations and responsibilities stipulated by the Emergency Act or any legal act based on the Emergency Act.

 (3) In case of outsourcing any of the services referred to in clauses 36 (1) 1), 3), 5), 6) and 7) of the Emergency Act, the provision of a vital service may not depend on companies who are not vital service providers.

 (4) In case of outsourcing a critical activity, as defined in the regulation established under subsection 39 (5) of the Emergency Act, with a level of criticality 16 or more, the provider of such service must comply with the security measures prescribed by section 7 of the Cybersecurity Act.

§ 9.  Restoration of vital services and restoration priorities

 (1) In case of an interruption to a vital service or a risk thereof, the service provider shall take the measures for resolving the situation, as described in the recovery plan of the continuity plan, ensuring the participation of persons and institutions involved in the restoration and utilisation of the vital service.

 (2) If possible, the service provider shall adhere to the following order of priorities in the restoration of a vital service:
 1) vital services are first restored in regions with higher population density;
 2) as a matter of priority, vital services are made available to other providers of vital services.

§ 10.  Emergencies caused by an extensive or severe disturbance or interruption to vital services

 (1) Emergencies caused by an extensive or severe disturbance or interruption to payment services include large-scale interferences affecting the continuity of an interbank settlement system, or the total cessation of the operation of the system.

 (2) Emergencies caused by an extensive or severe disturbance or interruption to cash circulation include large-scale interferences affecting the continuity of cash-in-transit, or the total cessation of cash-in-transit operations.

 (3) Resolving an emergency caused by an extensive or severe disturbance or interruption to a vital service shall be coordinated by Eesti Pank.

§ 11.  Reporting an interruption to vital services

 (1) The service provider shall report any interruption to a vital service lasting for at least one hour, a risk of an interruption, any event significantly interfering with the continuity of the vital service or an impending risk of such an event at the email address toimepidevus@eestipank.ee on the next business day at the latest.

 (2) The notification referred to in subsection (1) of this section must include the following information:
 1) the duration and time of occurrence of the interruption, including the date and time or the interval;
 2) a short description and the known or assumed cause of the incident;
 3) the measures already taken or yet to be taken to restore the service and to mitigate the effects of the interruption;
 4) information about any foreseeable losses incurred by the users of the service;
 5) information about any foreseeable impact on the continuity of the vital services.

 (3) If a situation referred to in subsection (1) of this section has not been resolved within four hours or if the risk of an interruption to a vital service persists, the service provider shall give a preliminary notification with the information described in subsection (2) of this section at the earliest opportunity and a full notification on the following business day at the latest. The preliminary notification shall include at least the information described in clauses (2) 1) and 2) of this section and the estimated duration of the disturbance.

 (4) In case the service provider reports the information described in subsection (3) of this section to Eesti Pank under another legal act, the notification obligation stipulated in this section shall be deemed fulfilled.

 (5) In case the e-mail services are not functioning, the service provider shall notify Eesti Pank of circumstances described in subsection (1) of this section using the contact information provided in emergency response plans.

§ 12.  Repeal of decree

  Eesti Pank Governor’s decree no 4 ‘List of credit institutions and branches of foreign credit institutions providing a vital service’ of 28 February 2017 is repealed.

§ 13.  Entry into force

  Subsection 6 (1) of this decree enters into force of 1 July 2020.

Ardo Hansson
Governor