List of Q&As

Asset denominated in one currency and funded in a different currency subject to a FX Swap exchanging those two currencies

For the purpose of the credit risk standard risk-weight attribution, can we consider that 1) an asset denominated in one currency and funded in a different currency subject to a FX Swap exchanging those two currencies is equivalent to 2) an asset denominated and funded in the same currency?

Legal act: Regulation (EU) No 575/2013 (CRR) as amended

COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ID: 2018_3832| Topic: Credit risk| Date of submission: 04/05/2018

Liability for fraud when SCA exemption used

Who is liable for fraud on Strong Customer Authentication (SCA) exempted transactions? Which payment service provider (PSP) is liable (payer’s or payee’s) when both PSPs choose to trigger an exemption to SCA?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ID: 2018_4042| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 28/06/2018

Confidentiality of offline PIN

Should the PIN transmitted offline from a terminal to an Europay, MasterCard and Visa (EMV) card always be enciphered? 

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4055| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 28/06/2018

Responsibility for comprehensive assessment according to Article 95(2) PSD2

It is not clear, whether comprehensive assessment of the operational and security risks relating to the payment services has to be carried out by the payment service providers (PSP), or it can be delegated / outsourced to a third entity (e.g. external audit firm). In case this is a responsibility of the PSP, it is not clear, whether it has to be carried by the independent internal audit department, or it has to be carried out by the department responsible for the risk function in the PSP.

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2019/04 - Guidelines on security measures for operational and security risks under PSD2 - repealing EBA/GL/2017/17

ID: 2018_4231| Topic: Security measures for operational and security risks| Date of submission: 06/09/2018

COREP C06.01 template - Consistency of the EBA taxonomy control v6288_m

Is the control v6288_m consistent with the COREP ITS?

Legal act: Regulation (EU) No 575/2013 (CRR) as amended

COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ID: 2019_4537| Topic: Supervisory reporting - COREP (incl. IP Losses)| Date of submission: 11/02/2019

Development Banks in the template C 33.00 General Government Exposure

Are development banks included in the definition of general government exposures (paragraph 42 (b) of Annex V ITS no. 680/2014) and should be reported in the template C33.00 General Government Exposures?

Legal act: Regulation (EU) No 575/2013 (CRR) as amended

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (as amended)

ID: 2018_4276| Topic: Supervisory reporting - COREP (incl. IP Losses)| Date of submission: 17/09/2018

C 17 template

Is it possible to include the positive impacts of operational risk errors in template C 17.00?

Legal act: Regulation (EU) No 575/2013 (CRR) as amended

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (as amended)

ID: 2018_4208| Topic: Supervisory reporting - COREP (incl. IP Losses)| Date of submission: 21/08/2018

Adjustments due to IFRS 9 transitional arrangements included in RWAs and interaction with validation rule v3689_s in template C5.01.

In template C5.01 validation rule v3689_s states that R010 C040 cannot be negative, should R010 C040 be excluded from this validation rule?

Legal act: Regulation (EU) No 575/2013 (CRR) as amended

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (as amended)

ID: 2018_4189| Topic: Supervisory reporting - COREP (incl. IP Losses)| Date of submission: 08/08/2018

FINREP: COUNTERPARTY BREAKDOWN: HOUSEHOLDS

Can Personal Investment Companies (PIC) be seen as households in the Finrep counterparty breakdown? Personal investment company (PIC) means an undertaking or a trust whose owner or beneficial owner, respectively, is a natural person or a group of closely related natural persons, which was set up with the sole purpose of managing the wealth of the owners and which does not carry out any other commerical, industrial or professional activity.

Legal act: Regulation (EU) No 575/2013 (CRR) as amended

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (as amended)

ID: 2015_2368| Topic: Supervisory reporting - FINREP (incl. FB&NPE)| Date of submission: 02/10/2015

MREL requirement if resolution strategy is liquidation (no bail-in tool used)

Question 1:   Should the MREL requirement be set for a bank if its resolution strategy is liquidation and there is no plan to use a bail-in tool?   Question2:   What is the legal basis and the rationale for setting the MREL requirement for the bank if its resolution strategy is liquidation and there is no plan to use a bail-in tool?

Legal act: Directive 2014/59/EU (BRRD) as amended

COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ID: 2018_4253| Topic: MREL| Date of submission: 10/09/2018

Calculation of institution-specific countercyclical capital buffer rates

Should the calculation of the institutions-specific countercyclical buffer rate include capital requirements arising from measures taken in accordance with Article 458 in Regulation (EU) No 575/2013 (CRR)?

Legal act: Directive 2013/36/EU (CRD) as amended

COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ID: 2018_4220| Topic: Other topics| Date of submission: 30/08/2018

Scope of the corporate SCA exemption.

Does the corporate SCA exemption apply only if the payer initiates (and transmits) payments directly to their ASPSP and not for payments transmitted via a 3rd party service provider (i.e. a PISP)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4693| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 02/05/2019

"Authorisation number" in eIDAS certificates

There are two possible interpretations of the Regulation (EU) 2018/389 (RTS) Article 34 paragraph (2) in the case of payment service providers registered in Member State “A”:1) The authorisation number is the number of the resolution of the NCA (or its predecessor in title) authorising the provision of payment services for the specific PSP, which is not the same as the Registration number appearing in the NCA’s public register.2) The authorisation number is the Registration number appearing in the NCA’s public register (which is a reference number formed based on the VAT number).Please clarify whether interpretation 2) above is in line with the requirements of the RTS? Please clarify whether the 8-digit Registration number (based on the VAT number) appearing in the NCA’s public register, and appearing as “National Identification Number” in the EBA PSD2 register or as “National Reference” in the EBA credit institution register can be used as the “authorisation number” in eIDAS certificates?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4679| Topic: Central register of the EBA| Date of submission: 23/04/2019

Requirement on the use of a Qualified Certificate for Electronic Seals (QSealC) for integrity and authenticity

Please clarify  whether in the EBA’s Opinion on the use of eIDAS under the RTS on SCA and CSC, under Paragraph 11, Qualified Electronic Seals employing a Qualified Seal creation Device are required to provide integrity and authenticity through the reference to Article 35(2) of Regulation (EU) No 910/2014?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4586| Topic: Other topics| Date of submission: 28/02/2019

Qualified certificate under eIDAS for ASPSP

Is it required for an Account Servicing Payment Service Provider (ASPSP) to use qualified certificates under eIDAS to identify itself to a Third Party Provider (TPP)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4413| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 10/12/2018

Secure corporate payment processes and protocols

Are USB drives (containing a certificate) used only by corporate clients compatible with RTS requirements?Can USB drives be considered as payment processes exempted from strong customer authentication ?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4400| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 04/12/2018

ASPSP providing updated payment status to PISP

Are account servicing payment service providers (ASPSPs) required to provide information on the initiation and execution of the payment transaction, including updates, in order for a payment initiation service provider (PISP) to comply with Article 46(a) PSD2 and pursuant to Article 36(1)(b) RTS?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4601| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 11/03/2019

Applicability of SCA to electronically processed SEPA Direct Debits / Interpretation of EBA Q&A 2018_4359

Are mandates for direct debits which are set up without direct involvement of the payer’s PSP subject to SCA requirements?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4664| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 10/04/2019

Currency conversion of the EUR thresholds contained in the RTS

May payment service providers (PSPs) and card schemes set rounded and easily understandable non-EUR currency equivalents for the EUR thresholds set out in the RTS?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4040| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 28/06/2018

Testing eIDAS certificates before 14 September 2019

How can Third Party Providers (TPPs) and Account servicing payment service providers (ASPSPs) test their interfaces using PSD2 eIDAS-certificates during the testing period prior to September 2019 as it is only mandatory to use PSD2 eIDAS certificates from September 2019 onwards?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4138| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 18/07/2018