List of Q&As

Authorisation for the provision of PIS and AIS on behalf of other legal entities belonging to the same corporate group / Autorizzazione ad offrire servizi di PIS e AIS per conto di altre Legal Entity appartenenti allo stesso Gruppo societario

In a corporate group which is not listed in the register of banking groups and in which there is both an electronic money institution and a credit institution, can the electronic money institution offer payment initiation services (PIS) and account information services (AIS), including on behalf of the group’s credit institution that also provides the same service? Must the electronic money institution as a service provider offering PIS and AIS to clients of the group’s credit institution provide its own certificate, the group certificate, or the credit institution’s certificate to the other account servicing payment service providers (ASPSPs)? Or, as it is merely a service provider, is it the credit institution’s certificate that should be displayed? Can a corporate group request a group certificate to provide to the other ASPSPs and/or third party providers (TPPs)? *** IT:  In un Gruppo societario, che non è iscritto al registro dei Gruppi Bancari e al cui interno sono presenti sia un Istituto di moneta elettronica che un Ente creditizio, l’Istituto di moneta elettronica può offrire i servizi di PIS e AIS, anche per conto dell’Ente creditizio del Gruppo in qualità di fornitore del servizio stesso? L’Istituto di moneta elettronica che offre i servizi di PIS e AIS ai clienti dell’Ente creditizio di Gruppo, in qualità di fornitore del servizio, si deve presentare verso gli altri ASPSP con il proprio certificato, con il certificato di Gruppo oppure con il certificato dell’Ente creditizio? O in quanto mero fornitore del servizio, il certificato da esporre è quello dell’Ente creditizio? Un Gruppo societario può richiedere un certificato di Gruppo per presentarsi alle altre ASPSP e/o TPP?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4752| Topic: Authorisation and registration| Date of submission: 29/05/2019

Losses due to fraud per liability bearer / Perdite dovute a frode per portatore di responsabilità

Please clarify the requirement in guideline 1.6 (b) of the EBA Guidelines on fraud reporting under PSD2 with regard to recognising losses due to fraud per liability bearer. *** IT: Si chiede cortesemente di chiarire il requisito espresso all'interno dell'orientamento 1.6(b) in materie di obblighi di segnalazione delle perdite dovute a frode per portatore di responsabilità

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - EBA Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)

ID: 2019_5008| Topic: Fraud reporting| Date of submission: 19/11/2019

SCA profiles and multiple-use of devices

Can multiple users use the same device (i.e. smartphone) and have different strong customer authentication (SCA) profiles on the same device?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4560| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 19/02/2019

Relying on vendor mechanisms processing the biometric data for strong customer authentication; Multiple fingerprint samples stored on a mobile device and used for purpose of user authentication.

Are the obligations of a payment service provider (PSP) laid down in the Article 8 of RTS on strong customer authentication and secure communication fulfilled in case the biometric credentials of customer are stored at the device level and the strong customer authentication itself is processed by the mobile device? In this context, are the obligations of the PSP laid down in Article 8 and 24 of RTS on Strong Customer Authentication fulfilled in case the mobile device stores multiple fingerprint samples for user authentication?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4651| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 01/04/2019

Delayed or deferred PIN for wearable devices

Is the PIN entered when the cardholder takes on wearable device on, still valid as a knowledge element for one or several transactions later the same day, if it can be ensured that the device has not been taken off?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4783| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 17/06/2019

Whitelisting

Will a clearing house for distribution be enabled to facilitate the on-going maintenance of the whitelisting process?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4800| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 19/06/2019

Failed Authentication Code

Please clarify under what circumstances Article 4 Paragraph 3(a) of the Regulation (EU) 2018/389 – RTS on SCA and SC might it be impossible to apply in remote authentication where SMS based One time passwords (OTPs) are used as the authentication method.

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4875| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 16/08/2019

Authentication code

Is an extra strong customer authentication (SCA) required, after logging in (with or without SCA) in the mobile application, to initiate the provisioning step to add the customers card to a third party wallet (e.g. Apple or Google pay)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4910| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 12/09/2019

SCA for contactless payments at a POS executed via a mobile device

1) Can we consider the strong customer authentication (SCA) outsourced from the issuer of cards to the payer? 2) Is it necessary for the issuer of the cards to perform SCA based on the elements of identification that are beyond its control?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4937| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 07/10/2019

"Push based" authentication and SCA requirements

Does "push based" authentication fall in the Strong customer authentication (SCA) requirements, based on the security risks "push authentication" poses?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4984| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 05/11/2019

Treatment of secured lending or capital market-driven transactions that would require an outflow rate higher than 25 % but they have been closed with eligible counterparties

Delegated Regulation (EU) 2018/1620 in article 1 (17) (a) states that a 25% outflow rate has to be applied to secured lending or capital market-driven transactions, closed with eligible counterparties, that would require an outflow rate higher than 25 %. Based on the new LCR Templates published on EBA websites and Delegated Regulation (EU) 2018/1620, it’s not clear in which row these transactions should be reported. Could you provide some instructions for the right reporting?

Legal act: Regulation (EU) No 575/2013 as amended by Regulation (EU) 2019/876 (CRR2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (as amended)

ID: 2019_5036| Topic: Supervisory reporting - Liquidity (LCR, NSFR, AMM)| Date of submission: 10/12/2019

Treatment of Central Bank Overnight deposits in ALMM Template C71

Should central bank fixed term overnight deposits be included within ALMM Template C71 Row 120 "ALL OTHER ITEMS USED AS COUNTERBALANCING CAPACITY"?

Legal act: Regulation (EU) No 575/2013 as amended by Regulation (EU) 2019/876 (CRR2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (as amended)

ID: 2019_5028| Topic: Supervisory reporting - Liquidity (LCR, NSFR, AMM)| Date of submission: 05/12/2019

C66: undrawn ECB open market operations backed with pre-positioned own issuances (retained CB or ABS) as “Undrawn committed facilities received”.

In the specific case of own issued (Retained Covered Bonds or ABS) pre-positioned assets in collateral pools with the Central Bank. Can the amount of additional funding that could be obtained out of such pre-positioned assets be reported in the counterbalancing section of C66 template in the row 1000 as “Undrawn committed facilities received”? In particular, undrawn part of ECB open market operations backed but those assets.

Legal act: Regulation (EU) No 575/2013 as amended by Regulation (EU) 2019/876 (CRR2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (as amended)

ID: 2019_5012| Topic: Supervisory reporting - Liquidity (LCR, NSFR, AMM)| Date of submission: 25/11/2019

EBA validations rules for DPM 2.8 with reference to rule V3975_S.

According Q&A 2014_1203, interest income/expenses generated by hedge accounting derivatives used to hedge interest risk shall be presented "according to the contribution of the hedged instrument to profit or loss, i.e. in the column corresponding to the interest expenses / income of the hedged instrument, and therefore, with a negative sign. Validation rules v3900_s and v5693_s have been demoted non-blocking also to allow for that treatment." The Q&A 2014_1203 refers to templates F02.00 “Statement of profit or loss” (rows 070 and 130) and F16.01 “Interest income and expenses by instrument and counterparty sector” (row 250), but does not consider the template F 31.2 “Related parties: expenses and income generated by transactions with” (rows 010 and 020, column 010).

Legal act: Regulation (EU) No 575/2013 as amended by Regulation (EU) 2019/876 (CRR2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (as amended)

ID: 2019_5005| Topic: Supervisory reporting - FINREP (incl. FB&NPE)| Date of submission: 18/11/2019

The additional column C015 “Code” to template C 67.00 contains ambiguity in the Annex IV guidance under the ITS to be implemented at Mar-20: 1.2.8.015 “This code is a row identifier and shall be unique for each row in the template”. It is unclear what identifiers are required in column C015.

The additional column C015 “Code” to template C 67.00 contains ambiguity in the Annex IV guidance under the ITS to be implemented at Mar-20: 1.2.8.015 “This code is a row identifier and shall be unique for each row in the template”. It is unclear what identifiers are required in column C015. The annotated template released in DPM 2.9.1 under ‘Changes compared to previous version phase 2.9.1’ for COREP states that “Metric = (si289) Entity code [si]”. However the guidance does not specify what this entity code is required to be, and the cell appears to require a free-text value (si289 does not appear to be included in the list of values in the 2.9.1 release documentation). In final ITS 2019/01 “Final Report on Draft Implementing Standards amending Implementing Regulation (EU) No 680/2014 with regard to COREP” and the associated Annex IV “Instructions for completing the additional monitoring tools template of Annex XVIII” a new column is added to C 67.00 (C015 “Code”) – what values are required to be populated in this column?

Legal act: Regulation (EU) No 575/2013 as amended by Regulation (EU) 2019/876 (CRR2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (as amended)

ID: 2019_4998| Topic: Supervisory reporting - Liquidity (LCR, NSFR, AMM)| Date of submission: 12/11/2019

Treatment of fiduciary assets for the purpose of asset encumbrance reporting

Do fiduciary assets have to be included in asset encumbrance reporting?

Legal act: Regulation (EU) No 575/2013 as amended by Regulation (EU) 2019/876 (CRR2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (as amended)

ID: 2019_4969| Topic: Supervisory reporting - Asset Encumbrance| Date of submission: 28/10/2019

Failed validation checks due to the implementation of a new separate line item ‘cash contributions to resolution funds and deposit guarantee schemes’ (r385) in template F 02.00 and missing consistent change in template F 20.03 under DPM 2.9

Regardless of an institution’s view on the nature of cash contributions to resolution funds and deposit guarantee schemes in the financial statements, the introduction of a new separate line item ‘cash contributions to resolution funds and deposit guarantee schemes’ (r385) in template F 02.00 under DPM 2.9 combined with an unchanged template F 20.03 leads to a break of blocking validation rules. That shows the need for further guidance or requires an adjustment of template F 20.03 in conformity with the structure of template F 02.00 regarding single line items and totals items.

Legal act: Regulation (EU) No 575/2013 as amended by Regulation (EU) 2019/876 (CRR2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (as amended)

ID: 2019_4943| Topic: Supervisory reporting - FINREP (incl. FB&NPE)| Date of submission: 10/10/2019

Definition of 'carrying amount’ for the purposes of templates C60.00 and C61.00

In the guidance annexes of DPM 2.8 for C 60.00 and C 61.00 templates the reporting amount has been further specified as ‘carrying amount’ however the breakdown of the template requires the amounts to be broken down according to the actual expected payments which suggests Cashflow. The Cashflow and the Carrying value can differ significantly due to changes in market value or impairments in the case of assets. For reporting purposes of the two above mentioned reports is it expected to split the carrying value across the time buckets based on when the cashflows are expected to be paid/received or to report the carrying value according to the residual maturity of the contract?

Legal act: Regulation (EU) No 575/2013 as amended by Regulation (EU) 2019/876 (CRR2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (as amended)

ID: 2019_4908| Topic: Supervisory reporting - Liquidity (LCR, NSFR, AMM)| Date of submission: 11/09/2019

Discrepencies between the "instructions" and the Data Point Model for the Maturity Ladder C66.01 COREP report

We have noted some discrepencies between the information we can find in the instructions and in the DPM. For instance, for the row 090 "1.2.1.1.1 Level 1 central bank ", the instructions for the COREP ALMM Maturity Ladder report C66.01 stipulate "The amount of cash outflows reported in item 1.2.1.1 which is collateralised by assets representing claims on or guaranteed by central banks. ", while in the sheet C66.01.a of the "Annotated Table Layout 281-COREP 2.8.1.1-Errata.xlsx" file it is specified that the central bank test must be done on the "counterparty sector" of the transaction, rather than on the "counterparty sector" of the collateral. An other example is the row 020 "1.1.1 Unsecured Bonds Due", for which the instructions do not require explicitely to exclude hybrid debt, while in the sheet C66.01.a of the "Annotated Table Layout 281-COREP 2.8.1.1-Errata.xlsx" file it is specified that the "Main Category" is "Debt securities issued. Other than Hybrid contracts". The general question is the following: when there is a discrepency between the instructions and what we can find in the DPM, is it correct to assume that the instructions do contain the correct requireement ? If not, what are the correct requirements for the above two cases?

Legal act: Regulation (EU) No 575/2013 as amended by Regulation (EU) 2019/876 (CRR2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (as amended)

ID: 2019_4907| Topic: Supervisory reporting - Liquidity (LCR, NSFR, AMM)| Date of submission: 09/09/2019

Classification of collective investment undertakings

The classification of investment funds (collective investment undertakings) in FINREP table F 1.1 is not clear as there seems to be a contradiction between the reference to IAS 32 on the one side and Annex V on the other side. Should investment funds be treated as debt or as equity?

Legal act: Regulation (EU) No 575/2013 as amended by Regulation (EU) 2019/876 (CRR2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (as amended)

ID: 2019_4894| Topic: Supervisory reporting - FINREP (incl. FB&NPE)| Date of submission: 04/09/2019