Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page.

List of Q&As

Conditions for the filling of template C 33.00

If a bank will move to IFRS9 accounting standards starting from 1 July 2018, the first date for the COREP reporting under IFRS9 will be 30 September 2018. Therefore, at 30 June 2018 the new logic of the IFRS9 accounting portfolios is not available in data systems and it would be difficult to complete the new model C 33.00. We would like to know if the bank still needs to fill in the template C 33.00 at 30 June 2018 and, if so, what logic it has to use.

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)

Communication plans to inform payment service providers making use of the dedicated interface

Is it sufficient to publish the measures to restore the system and the further descriptions on the website in an area, which is secured by the certificates of the payment service providers?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Exemption from strong customer authentication (SCA) for payment account information in combination with accessing account information online in web browser

Is it acceptable to abstain from applying the 5-minute-rule when the strong customer authentication (SCA)-exemption for payment account information is in use?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

COREP template C 05.01-validation rule v0269

Is it correct that the formula in COREP Table C 05.01, r100,c040 does not take into account the new cell r440,c040 (Adjustments due to IFRS 9 transitional arrangements)?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)

Accessing payment account online in web browser shall not exceed 5 minutes without activity

Is it necessary to stop the complete web session or would it be enough to deactivate the relevant items of PSD2 and to reduce the display to the available balance so trading functionality in the same session can stay available?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Inconsistency in validation rule eba_v4721_m

Validation rule v4721_m is introduced for template C 07.00. R015 of C 07.00 template is reported for exposure classes “016 - Equity” and “012 - Items associated with particularly high risk”, as well as the “001 - Total” template. C 07.00 r015 of CRSA has the same reporting nature as C 07.00 r040 and all the memorandum items in C 07.00, i.e. they are reported in specific exposure classes but they are reported in total as well. Additionally, ITS on “REPORTING ON OWN FUNDS AND OWN FUNDS REQUIREMENTS” under section 3.2.2 “Scope of the CR SA template” par. 49 states that “The information in CR SA is requested for the total exposure classes and individually for each of the exposure classes as defined for the standardised approach. The total figures as well as the information of each exposure class are reported in a separate dimension.” denoting that sheet “001 – Total” is the sum of all the subsequent sheets falling under C 07.00. Therefore we believe that “001 – Total” sheet of C 07.00 has been correctly populated.

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)

Exemption for secure corporate payment processes and protocols

May lodged and virtual cards benefit from the exemption for secure corporate payment processes and protocols under Article 17 RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Transactions initiated via Interactive Voice Response (IVR) solutions

Do transactions initiated via Interactive Voice Response (IVR) solutions qualify as telephone orders and are therefore excluded from the scope of the RTS SCA requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

SCA at vending machines without PIN pad

Do transactions at vending machines without PIN pad require Strong Customer Authentication (SCA)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Application of the exemption for transactions to trusted beneficiaries to Face-to-Face transactions

May the exemption for transactions to trusted beneficiaries (‘white-listing’) set out in Article 13 of Regulation (EU) 2018/389 (RTS on strong customer authentication and secure communication) apply to face-to-face transactions?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Confidentiality of offline PIN

Should the PIN transmitted offline from a terminal to a Europay, MasterCard and Visa (EMV) card always be enciphered?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Confidentiality of the application cryptogram for EMV transactions

Are EMV (Europay, MasterCard, Visa) transactions (for which the application cryptogram is not enciphered during its transmission) compliant with the RTS on strong customer authentication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Length of authentication codes

Is a 3 decimal-digit authentication code, which (1) is unique per each transaction and (2) complies with the other security requirements set out in Article 4 RTS, compliant with the RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

EMV cards and EMV terminals supporting online authentication

Is there a need for Europay, MasterCard, Visa (EMV) cards and EMV terminals supporting online authentication in compliance with the RTS to support also offline authentication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Persistent authentication for wearable devices

Is persistent authentication for wearable devices compliant with the RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Applicability of Strong Customer Authentication (SCA) to existing recurring payments solutions

Is Strong Customer Authentication (SCA) required if the series of recurring transactions was initiated before the date of application of the RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Review of security measures

When an issuer delegates strong customer authentication (SCA) to a third party (e.g. a smartphone manufacturer), what are the requirements for such delegation? Should the issuer conduct an evaluation of the technical features and security of the third party’s devices and solutions?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Transaction Risk Analysis (TRA) exemption – Frequency of recalculation of fraud rate

Should the fraud rate, in accordance with Article 19 of the RTS, be recalculated every day using the trailing 90 days of data, or should it be recalculated once every 90 days (using the trailing 90 days of data)? If the fraud rate should be recalculated once every 90 days (using the trailing 90 days of data), can the calculation periods be aligned with calendar quarters? (e.g. the fraud rate for use during Q1 2020 (01-Jan-20 to 31-Mar-20) would be based on fraud data for Q4 2019 (01-Oct-19 to 31-Dec-19)).

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Transaction Risk Analysis (TRA) exemption – Time period for calculation of initial fraud rate

What is the relevant time period to use when calculating the initial fraud rate for use when the Strong Customer Authentication (SCA) comes into force?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Calculation of fraud rates in relation to Exemption Threshold Values (ETVs)

Is it acceptable to calculate the fraud rate for the application of the TRA exemption per ETV band?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication