Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID, legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

Liability for fraud when SCA exemption used

Who is liable for fraud on Strong Customer Authentication (SCA) exempted transactions? Which payment service provider (PSP) is liable (payer’s or payee’s) when both PSPs choose to trigger an exemption to SCA?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Display of incorrect authentication factors in case of failed authentication attempts

For remote card transactions, may the user be informed of the incorrect authentication factor in case of a failed authentication attempt provided this does not increase the risk of fraud (e.g. for in-app transactions)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Currency conversion of the EUR thresholds contained in the RTS

May payment service providers (PSPs) and card schemes set rounded and easily understandable non-EUR currency equivalents for the EUR thresholds set out in the RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Qualification of SMS OTP as an authentication factor

Please clarify whether a One-Time Password (OTP) sent via SMS to a mobile phone qualifies as an ownership factor (“something only the user possesses”), and shall be subject to Article 7 of the RTS on strong customer authentication and secure communication.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Applicability of the low-value contactless exemption to contactless-only devices

For contactless-only devices that (1) do not have a contact interface and (2) do not support on-device authentication, may the counters for the application of the low-value contactless exemption be reset through an out-of-band mechanism such as a mobile phone application?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Application of the low-value contactless exemption – Calculation of limits at Primary Account Number (PAN) / account level or at device / token level

May the counters for the application of the low-value contactless exemption be calculated at device/token level?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Criteria for the application of the transaction risk analysis (TRA) exemption – Application of the TRA exemption by authorized PSPs other than the issuer and the acquirer

May an authorized PSP other than the issuer and acquirer apply the TRA exemption on the basis of its own fraud rate and risk analysis?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Criteria for the application of the transaction risk analysis (TRA) exemption – Relevant fraud rates

Is only the Payment Service Provider (PSP) applying the TRA exemption required to have a fraud level below the reference fraud rate?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Criteria for the application of the transaction risk analysis (TRA) exemption – Application of the TRA exemption at the level of individual brand, product or scheme

May a PSP calculate its fraud rate at the level of individual brand, product or scheme?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Criteria for the application of the transaction risk analysis (TRA) exemption – Fraud rate calculation methodology for the application of the TRA exemption

Should ‘friendly’ frauds be included in the “total value of unauthorised or fraudulent remote transactions” considered for the calculation of the fraud rates for the application of the TRA exemption?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Applicability of SCA to ‘card payments initiated by the payee only’

Are card payments that are initiated by the payee only on the basis of (1) an initial mandate by the payer authorizing the payee to initiate the periodic payments and (2) a pre-existing agreement between the payer and the payee for the provision of products or services, subject to the RTS SCA requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Geographical scope of application of the RTS on strong customer authentication (SCA) and secure communication requirements – ‘Two-leg’ transactions

Is it necessary that issuer, acquirer, cardholder and merchant be all located in the EEA for the RTS on SCA requirements to apply to two-leg transactions? May the issuer use the merchant’s location as a proxy (in lieu of the acquirer’s location)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Calculation of the ratio between fixed and variable components of the total compensation.

Do credit institutions have to include in the ratio between fixed and variable components of the total compensation the actual value of the amount of early retirement that will be paid out over a period of 5 years subject to a non-competition clause?

  • Legal act: Directive 2013/36/EU (CRD)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2021/04 - Guidelines on sound remuneration policies under CRD (repealing EBA/GL/2015/22)

Synthetic securitisation of undrawn revolving credit facilities

In a synthetic securitisation of undrawn revolving credit facilities (“RCF”), which is compliant with Article 245 of Regulation (EU) No 575/2013 as amended by Regulation (EU) 2017/2401, what is the EAD that should be considered inside the securitisation (which will be subject to the risk weighting according to the securitisation framework) and what is the EAD that should be considered outside the securitisation (which will continue to be risk weighted according to the approved IRB model for such exposures)?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Separate IMA approval or summation approach for market risk OFR at consolidated level

Assuming that a parent institution does not have permission by the competent authorities to use the Internal Models Approach (IMA) on consolidated level, but (i) it has the permission to use the IMA on individual level and/or one (or several) of its subsidiaries have the permission to use the IMA on individual level or (ii) it has no permission to use the IMA on individual level and only one (or more) subsidiaries have the permission to use the IMA on individual level.

Question 1: Is the parent institution compliant with the requirements of the CRR (in particular Articles 11 and 363(2) thereof) if it calculates the own funds requirements for market risk on consolidated level by summation of (i) the individual VaR, sVaR (and where applicable IRC and CRM) where IMA permission on individual level has been granted; and (ii) the own funds requirements according to the standardised approaches for market risk in accordance with Chapters 2, 3 and 4 of Title IV of Part Three of the CRR for consolidated entities which do not have IMA permission?

Question 2: Does the assessment depend on whether permission has been granted for the consolidating parent entity on individual level?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Exposure treatment for trades with Specific Wrong-Way risk

In the Q&A 2016_2590, EBA indicates that "Article 291 CRR only applies to the internal model method (IMM) for CCR. It has to be noted that for these kind of trades, special exposure treatment is required according to Article 291(5)(b)-(f) CRR". However, the last paragraph of Article 273 of CRR indicates that "For the methods set out in Sections 3 to 6, institutions shall treat transactions where specific wrong way risk has been identified in accordance with Article 291(2), (4), (5) and (6) as appropriate". It seems, consequently, that Article 291 of CRR (including Article 291(5)(b)-(f)) should also be applied to Mark-to-market method (section 3), to Original exposure method (section 4) and to Standardized method (section 5). Could you please confirm?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Pre IFRS 9 Finrep - Template F07.00 reporting values as net or gross

Should the values reported in (pre IFRS9) Finrep template F07.00 columns 010-070, be on a gross or on a net basis?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)

Retail Classification

Retail classification if an obligor has exposure under both the STA and IRB approach. This question is relevant for banks that are partially using the SA and partially using the IRB approach and where the use of the different methods is on the basis of the product type i.e. mortgages are under IRB, other Retail loans under SA. Article 123 allows for the exclusion of exposures fully and completely secured on residential property that have been assigned to the exposure class laid down in point (i) of Article 112 (exposures secured by mortgages on immovable property) when calculating the total amount owed the institution.

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Finrep validation rules of F 02.00 and F 16.01

In report F_16.1 the income is broken down by Derivatives - Trading; Debt securities; Loans and advances; and Other assets. In report F_02 the income is broken down by Accounting portfolio and Other assets, so we believe rule v5598_i may not always be true. The same logic also applies to liabilities, therefore rule v5601_i may not always be true.

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Clarifying the Impact of the new securitisation framework on template C 14.00

The ITS clearly states that securitisation calculated according to the new reporting Framework won't be reported in templates C 12.00 and C 13.00 but only in template C 02.00. "Securitisations the risk weighted exposure amount of which is determined based on Regulation (EU) No 575/2013 as amended by Regulation (EU) 2017/2401 (amended CRR), i.e. where the risk-weighted exposure amount is calculated in accordance with the revised securitisation framework, shall not be reported in this template, but only in template C 02.00. Equally, securitisation positions which are subject to a 1250% risk weight in accordance with the amended CRR and which are deducted from CET1 in accordance with Article 36(1) point (k) (ii) of the amended CRR, shall not be reported in this template, but only in template C 01.00" For exposures calculated with this new Framework, as reports C 12.00 and C 13.00 are not relevant anymore, we were wondering if columns like c170/c180 of template C 14.00 should always be filled?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Draft ITS on Supervisory Reporting of Institutions