Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

Adjustments due to IFRS 9 transitional arrangements included in RWAs and interaction with validation rule v3689_s in template C5.01.

In template C5.01, validation rule v3689_s states that R010 C040 cannot be negative. Should R010 C040 be excluded from this validation rule?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)

Information to be provided / made available by ASPSP to payment initiation service provider (PISP)

In the context of PIS: (a) shall the ASPSP, upon initiation of the payment session, provide or make available to the PISP the IBANs/account numbers for all payment accounts from which the user can transfer funds, and the associated currencies; and (b) shall the ASPSP, in each communication session, provide or make available to the PISP/AISP the name of the payment service user that is accessing the accounts?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Aggregated first loss under credit insurance

Is the requirement in Article 213(1)(b) CRR met in case of a credit insurance whose contractual terms provide that the institution shall bear a first loss, which is calculated at aggregate level with regard to several different exposures?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Application of limits for Strong customer authentication (SCA) exemption

How should payment service providers (PSPs) apply the cumulative limits set in Articles 11 and 16 of the RTS on strong customer authentication and secure communication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

The Implementation of the electronic communications exclusion in the voiced-based premium rate services market

Considering the organisation of the voiced-based premium rate services market, and considering the interpretations proposed for the electronic communications exclusion (ECE) in the different countries, as far as a payment transaction complies with the conditions imposed by the ECE, does the ECE apply to the whole value chain, and therefore, all the providers of electronic communications networks or services involved in payment transactions covered by the ECE should not have to register as payment institutions or agents for these operations?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Application of SCA when a PSU accesses payment transactions data older than on the last 90 days, without having access to sensitive payment data and for a period of 90 days after the last access using SCA

Could Payment Service Providers (PSPs) be allowed to choose between applying SCA (Strong Customer Authentication) or not when a PSU (Payment Service User) accesses payment transactions data older than on the last 90 days without having access to sensitive payment data and for a period of 90 days after its last access using SCA?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Operation and security risk assessment of a branch of a credit institution

Does a branch of an EU credit institution operating in another Member State have to prepare a separate assessment for its payment related activity and, if yes, which competent authority shall be responsible for receiving the assessment - is it the competent authority of the host or the home Member State?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2019/04 – Guidelines on ICT and security risk management - repealing EBA/GL/2017/17

Interpretation of 'Active request for account information'

How should 'active request for account information' by a Payment Service User (PSU) be interpreted in the wording of Article 36(5)(a)(b) of the RTS SCA?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Home / host cooperation

Should banks notify only National Competent Authorities (NCAs) of the home Member State when they use Strong customer authentication (SCA) exemptions on Secure corporate payment processes and protocols (Article 17 of Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication) and Transaction risk analysis (Article 18 of the Delegated Regulation)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Breakdown of exposures by residual maturity

In the template C 33.00, a breakdown of total exposures by residual maturity is required (rows 170 - 230). However, from the instructions it is not clear into which time bucket the following exposures should be classified: exposures at default, exposures without residual maturity, past due exposures.

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)

Fall back exemption

Article 33, § 6 of the RTS for strong customer authentication and common and secure open standards of communication (the “RTS”) provides that “Competent authorities, after consulting EBA to ensure a consistent application of the following conditions, shall exempt the account servicing payment service providers that have opted for a dedicated interface from the obligation to set up the contingency mechanism […]” (the “fall back exemption”). a) Which authority - the home authority or the host authority - is the competent authority under Article 33, § 6 of the RTS, when the “fall back exemption request” concerns the dedicated interface used in a Member State where a branch of the ASPSP is located? b) Does the answer differ if the same dedicated interface is used in the home Member State and in the host Member State where a branch is located?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Treatment of purchase price discount or specific credit risk adjustment in the determination of the maximum risk weight for senior securitisation positions using the look through approach where the SEC-IRBA method is used to determine the risk weight of the securitisation position.

How should the purchase price discount or specific credit risk adjustment be taken into account to allow institutions to assign the senior securitisation position a maximum risk weight equal to the exposure weighted-average risk weight that would be applicable to the exposures as if the underlying exposures had not been securitised when an institution uses the SEC-IRBA method to risk weight the securitisation position (Article 267(1) and (2) as amended by Regulation (EU) 2017/2401)?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

PD Calibration Sample

Given the definition of PD calibration provided in EBA/GL/2017/16 section 2.4 paragraph 8, and the requirements for the calibration sample provided in section 5.3.5, paragraph 88 of the same guidelines, for developing a Through-the-Cycle (TTC) model, under which conditions is it mandatory to adopt the current portfolio or multi-year snapshots as the calibration sample? And consequently, should the calibration testing in the validation phase verify the alignment between the Central Tendency and the PD estimations on a recent portfolio snapshot or a multi-year sample?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2017/16 - Guidelines on PD estimation, LGD estimation and the treatment of defaulted exposures

Calculation of the number of directorships held (privileged counting of mandates).

How should the mandates be counted in a situation where one person is an active board member in several connected (through IPS, group or qualified holdings) credit institutions and the privileged counting of mandates shows different results depending on the perspective from which the mandates are counted? Especially how the mandates should be counted where there is more than one notifying institution, in particular where the institutions are connected through qualified holdings? How should such a situation be resolved in cases where different competent authorities (in more than one Member State and / or the ECB) are involved?

  • Legal act: Directive 2013/36/EU (CRD)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Profit or loss on de-recognition of investment in subsidiaries, joint ventures and associates

Under IFRS, where in table F02 should “the gains or losses on de-recognition of investment in subsidiaries, joint ventures and associates” be recorded when they are neither classified (prior to the selling) as “non-current assets and disposal groups classified as held for sale” nor is their sale considered a “discontinued operation” under IFRS 5?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)

Responsibility of national authority with regards to audit reports

Should all audit reports required under Article 3 of the RTS on strong customer authentication and secure communication be monitored by the competent national authorities? And, what are the consequences if the audit report addressing the audit (referred to in Article 3, paragraph 1 of the RTS) shows significant findings?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Review of Security Measures - Auditors expertise

Are internal auditors able to perform the audits as mentioned in paragraphs 1 and 2 of the RTS on strong customer authentication and secure communication? Is there a difference in the answer of this question between the audit as referred to in paragraph 1 and 2 of Article 3 of this RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Review of the security measures: Audit report

Should the Audit for the implementation of the security measures be incorporated into an existing ISAE3402 report or COS3000 report or should a separate report be used? If a separate report should be used: Are there any templates available for reporting? Also, how detailed should the report be? Finally, should both design and operating effectiveness be tested of the requirements stated in the RTS articles?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Credit value date for payment transactions with currency conversion

As a credit entry on an account is possible only in the currency in which the account is maintained, does this mean that for a payment transaction the credit value date for the payee's account is no later than the business day on which the amount in the payee's account currency is credited to the payee's payment service provider's account?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable