Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

List of Q&A's

Breakdown of exposures by residual maturity

In the template C 33.00 breakdown of total exposures by residual maturity is required (rows 170 - 230). However from instructions it is not clear into which time bucket following exposures should be classified: - exposures at default - exposures without residual maturity - past due exposures.

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)
  • ID: 2018_4164
  • Topic: Supervisory reporting - COREP (incl. IP Losses)
  • Date of submission:
  • Published as final Q&A: 10/05/2019

Fall back exemption

Article 33, § 6 of the RTS for strong customer authentication and common and secure open standards of communication (the “RTS”) provides that “Competent authorities, after consulting EBA to ensure a consistent application of the following conditions, shall exempt the account servicing payment service providers that have opted for a dedicated interface from the obligation to set up the contingency mechanism […]” (the “fall back exemption”). a) Which authority - the home authority or the host authority ?- is the compentent authority under article 33, § 6 of the RTS, when the “fall back exemption request” concerns the dedicated interface used in a Member state where a branch of the ASPSP is located? b) Does the answer differ if the same dedicated interface is used in the home member state and in the host member state where a branch is located?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4163
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 12/04/2019

Treatment of purchase price discount or specific credit risk adjustment in the determination of the maximum risk weight for senior securitisation positions using the look through approach where the SEC-IRBA method is used to determine the risk weight of the securitisation position.

How should the purchase price discount or specific credit risk adjustment be taken into account to allow institutions to assign the senior securitisation position a maximum risk weight equal to the exposure weighted-average risk weight that would be applicable to the exposures as if the underlying exposures had not been securitised when an institution uses the SEC-IRBA method to risk weight the securitisation position (Article 267(1) and (2) as amended by Regulation (EU) 2017/2401).

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4161
  • Topic: Securitisation and Covered Bonds
  • Date of submission:
  • Published as Rejected Q&A: 11/02/2022

PD Calibration Sample

Given the definition of PD calibration provided in EBA/GL/2017/16 section 2.4 paragraph 8, and the requirements for the calibration sample provided in section 5.3.5, paragraph 88 of the same guidelines, for developing a Through-the-Cycle (TTC) model, under which conditions it is mandatory to adopt the current portfolio or a multi-year snapshots as calibration sample? And consequently should the calibration testing in validation phase verify the alignment between the Central Tendency and the PD estimations on recent portfolio snapshot or multiyear sample?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2017/16 - Guidelines on PD estimation, LGD estimation and the treatment of defaulted exposures
  • ID: 2018_4159
  • Topic: Credit risk
  • Date of submission:
  • Published as Rejected Q&A: 11/02/2022

Calculation of the number of directorships held (privileged counting of mandates).

How should the mandates be counted in a situation where one person is an active board member in several connected (through IPS, group or qualified holdings) credit institutions and the privileged counting of mandates shows different results depending on the perspective from which the mandates are counted? Especially how the mandates should be counted where there is more than one notifying institution, in particular where the institutions are connected through qualified holdings? How should such a situation be resolved in cases where different competent authorities (in more than one Member State and / or the ECB) are involved?

  • Legal act: Directive 2013/36/EU (CRD)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4158
  • Topic: Internal governance
  • Date of submission:
  • Published as final Q&A: 12/04/2019

Profit or loss on de-recognition of investment in subsidiaries, joint ventures and associates

Under IFRS, where in table F02 should “the gains or losses on de-recognition of investment in subsidiaries, joint ventures and associates” be recorded when they are neither classified (prior to the selling ) as “non-current assets and disposal groups classified as held for sale” nor their sale is considered a “discontinued operation” under IFRS5?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)
  • ID: 2018_4156
  • Topic: Supervisory reporting - FINREP (incl. FB&NPE)
  • Date of submission:
  • Published as final Q&A: 19/06/2020

Responsibility of national authority with regards to audit reports

Should all audit reports required under Article 3 of the RTS on strong customer authentication and secure communication be monitored by the competent national authorities?And, what are the consequences if the audit report addressing the audit (referred to in Article 3, paragraph 1 of the RTS) shows significant findings?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4155
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

Review of Security Measures - Auditors expertise

Are internal auditors able to perform the audits as mentioned in paragraphs 1 and 2 of the RTS on strong customer authentication and secure communication?Is there a difference in the answer of this question between the audit as referred to in paragraph 1 and 2 of Article 3 of this RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4153
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

Review of the security measures: Audit report

Should the Audit for the implementation of the security measures be incorporated into an existing ISAE3402 report or COS3000 report or should a separate report be used?If a separate report should be used: Are there any templates available for reporting?Also, how detailed should the report be? Finally, should both design and operating effectiveness be tested of the requirements stated in the RTS articles?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4152
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

Credit value date for payment transactions with currency conversion

As a credit entry on an account is possible only in the currency the account is maintained, does this mean that for a payment transaction the credit value date for the payee's account is no later than the business day on which the amount in the payee's account currency is credited to the payee's payment service provider's account?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4150
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 12/03/2021

Treatment of government bonds of a third country as Level 1 assets when the credit quality step 1 is assigned according to article 114(7) of Regulation (EU) 575/2013

Are the provisions of Article 114(7) of Regulation (EU) 575/2013 (use of the lower RW applied by a third country on exposures to the central government in case of equivalent supervisory and regulatory arrangements) applicable also to the LCR framework?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Delegated Regulation (EU) 2015/61 - DR with regard to liquidity coverage requirement
  • ID: 2018_4148
  • Topic: Liquidity risk
  • Date of submission:
  • Published as final Q&A: 18/01/2019

COREP Template C 25.00.Validation rule v0641_m.

In 2014, our National Competent Authority has clearly mentioned in the validation of the internal model of KCVA computation, that our institution determines the KCVA using the standard method for the below transactions: - Transactions out of the internal model EEPE perimeter - Transactions which are part of the eligible perimeter but, due to data quality issues, the EAD has been calculated in standard method. This justifies that for a counterparty which has expositions calculated in both standard and internal methods, we will have an advanced and standard CVA charge. In the COREP CVA template, we should state the number of counterparties calculated in advanced method (r020) and in standard method (r030), the sum of all counterparties should appear in r010. Related to eba_v0641_m, we remove the duplicates between the 2 calculation methods to fill the r010, in order to avoid the double counting of counterparties for which we have both of STD & ADV CVA. Knowing the fact that we can have the both methods for a given counterparty, should we report strictly the sum of r020 and r030? Or should we continue to consider the r010 as the sum of counterparties that generate KCVA, disregarding the calculation method used?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4146
  • Topic: Supervisory reporting - COREP (incl. IP Losses)
  • Date of submission:
  • Published as final Q&A: 15/03/2019

Non-CET1 Instruments absorbing losses at the same time as CET1 instruments

Article 28(1)(i) requires that "(i) compared to all the capital instruments issued by the institution, the instruments absorb the first and proportionately greatest share of losses as they occur, and each instrument absorbs losses to the same degree as all other Common Equity Tier 1 instruments;". Would it be permitted to have a non-CET1 instrument that absorbs losses at the same time as a proposed CET1 instrument, as long as they both absorbed losses (joint) first? And would it be permitted for a non-CET1 instrument to absorb losses to the same proportion as a proposed CET1 instrument, as long as they were both absorbing the same proportionate greatest share?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4145
  • Topic: Own funds
  • Date of submission:
  • Published as Rejected Q&A: 11/02/2022

Major incidents reporting

Must Payment Service Providers (PSPs) submit major incident reports to their home National Competent Authority (NCA) when the cause of the major incident is outside the control of the PSP and when updates on the major incident are dependent on information provided by a third party?Where there is consolidated reporting of an incident to the EBA/ECB in the context of, for example, card payments schemes, is reporting of the major incident by PSPs to their NCA under PSD2 required?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2021/03 - Guidelines on major incident reporting under PSD2 - repealing EBA/GL/2017/10
  • ID: 2018_4144
  • Topic: Major incidents reporting
  • Date of submission:
  • Published as final Q&A: 14/12/2018

Closely correlated currencies

How to manage the closely correlated currencies according to Article 354(1) CRR under the standardised approach?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4142
  • Topic: Market risk
  • Date of submission:
  • Published as final Q&A: 08/05/2020

Authentication code

Is it allowed to use the (authenticated) session that a user has (after logging in (with or without SCA)) as 1 of the authentication factor when performing SCA for a payment transaction?For example: A customer logs in with its username & password (knowledge) + SMS One Time Password (possession). Once in his online banking environment he looks at his statements. Within that same session (that ends after 5 minutes inactivity) he makes a payment.The question is if for authenticating the payment it is required to perform SCA again or if the authenticated session (based on the previous authentication) and a second SMS One Time Password (possession) that dynamically links the payment would suffice.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4141
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 24/05/2019

ASPSP is denied the waiver to the fall-back by an NCA

If an Account Servicing Payment Service Provider (ASPSP) is denied the waiver to the fall-back by a National Competent Authority (NCA) (i.e. at 13 September 2019), will the ASPSP still have 2 months to build the fall-back?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4140
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 22/03/2019

Testing eIDAS certificates before 14 September 2019

How can Third Party Providers (TPPs) and Account servicing payment service providers (ASPSPs) test their interfaces using PSD2 eIDAS-certificates during the testing period prior to September 2019 as it is only mandatory to use PSD2 eIDAS certificates from September 2019 onwards?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4138
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 07/06/2019

SMS OTP and credit card as a two authentication factor

Can we consider Credit card and One Time Password (OTP) SMS as a two authentication factor ? 

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4135
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 15/01/2021