Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

List of Q&A's

Treatment of government bonds of a third country as Level 1 assets when the credit quality step 1 is assigned according to article 114(7) of Regulation (EU) 575/2013

Are the provisions of Article 114(7) of Regulation (EU) 575/2013 (use of the lower RW applied by a third country on exposures to the central government in case of equivalent supervisory and regulatory arrangements) applicable also to the LCR framework?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Delegated Regulation (EU) 2015/61 - DR with regard to liquidity coverage requirement
  • ID: 2018_4148
  • Topic: Liquidity risk
  • Date of submission:
  • Published as final Q&A: 18/01/2019

COREP Template C 25.00.Validation rule v0641_m.

In 2014, our National Competent Authority has clearly mentioned in the validation of the internal model of KCVA computation, that our institution determines the KCVA using the standard method for the below transactions: - Transactions out of the internal model EEPE perimeter - Transactions which are part of the eligible perimeter but, due to data quality issues, the EAD has been calculated in standard method. This justifies that for a counterparty which has expositions calculated in both standard and internal methods, we will have an advanced and standard CVA charge. In the COREP CVA template, we should state the number of counterparties calculated in advanced method (r020) and in standard method (r030), the sum of all counterparties should appear in r010. Related to eba_v0641_m, we remove the duplicates between the 2 calculation methods to fill the r010, in order to avoid the double counting of counterparties for which we have both of STD & ADV CVA. Knowing the fact that we can have the both methods for a given counterparty, should we report strictly the sum of r020 and r030? Or should we continue to consider the r010 as the sum of counterparties that generate KCVA, disregarding the calculation method used?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4146
  • Topic: Supervisory reporting - COREP (incl. IP Losses)
  • Date of submission:
  • Published as final Q&A: 15/03/2019

Non-CET1 Instruments absorbing losses at the same time as CET1 instruments

Article 28(1)(i) requires that "(i) compared to all the capital instruments issued by the institution, the instruments absorb the first and proportionately greatest share of losses as they occur, and each instrument absorbs losses to the same degree as all other Common Equity Tier 1 instruments;". Would it be permitted to have a non-CET1 instrument that absorbs losses at the same time as a proposed CET1 instrument, as long as they both absorbed losses (joint) first? And would it be permitted for a non-CET1 instrument to absorb losses to the same proportion as a proposed CET1 instrument, as long as they were both absorbing the same proportionate greatest share?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4145
  • Topic: Own funds
  • Date of submission:
  • Published as Rejected Q&A: 11/02/2022

Major incidents reporting

Must Payment Service Providers (PSPs) submit major incident reports to their home National Competent Authority (NCA) when the cause of the major incident is outside the control of the PSP and when updates on the major incident are dependent on information provided by a third party?Where there is consolidated reporting of an incident to the EBA/ECB in the context of, for example, card payments schemes, is reporting of the major incident by PSPs to their NCA under PSD2 required?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2021/03 - Guidelines on major incident reporting under PSD2 - repealing EBA/GL/2017/10
  • ID: 2018_4144
  • Topic: Major incidents reporting
  • Date of submission:
  • Published as final Q&A: 14/12/2018

Closely correlated currencies

How to manage the closely correlated currencies according to Article 354(1) CRR under the standardised approach?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4142
  • Topic: Market risk
  • Date of submission:
  • Published as final Q&A: 08/05/2020

Authentication code

Is it allowed to use the (authenticated) session that a user has (after logging in (with or without SCA)) as 1 of the authentication factor when performing SCA for a payment transaction?For example: A customer logs in with its username & password (knowledge) + SMS One Time Password (possession). Once in his online banking environment he looks at his statements. Within that same session (that ends after 5 minutes inactivity) he makes a payment.The question is if for authenticating the payment it is required to perform SCA again or if the authenticated session (based on the previous authentication) and a second SMS One Time Password (possession) that dynamically links the payment would suffice.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4141
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 24/05/2019

ASPSP is denied the waiver to the fall-back by an NCA

If an Account Servicing Payment Service Provider (ASPSP) is denied the waiver to the fall-back by a National Competent Authority (NCA) (i.e. at 13 September 2019), will the ASPSP still have 2 months to build the fall-back?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4140
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 22/03/2019

Testing eIDAS certificates before 14 September 2019

How can Third Party Providers (TPPs) and Account servicing payment service providers (ASPSPs) test their interfaces using PSD2 eIDAS-certificates during the testing period prior to September 2019 as it is only mandatory to use PSD2 eIDAS certificates from September 2019 onwards?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4138
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 07/06/2019

SMS OTP and credit card as a two authentication factor

Can we consider Credit card and One Time Password (OTP) SMS as a two authentication factor ? 

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4135
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 15/01/2021

Applicability of SCA to wallet solutions

Is a single Strong Customer Authentication (SCA) sufficient for transactions performed in staged wallet solutions? Does the funding transaction qualify as a transaction initiated by the payee only, which does not require SCA by the Account Servicing Payment Service Providers (ASPSP)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4133
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 21/05/2021

Payee-initiated transactions with irregular period or variable amount

Please clarify whether standing agreements between a customer and a merchant resulting in subsequent billing (irregular or otherwise) to be payee-initiated transactions, and as such excluded from the SCA requirement.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4131
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 01/03/2019

Trusted Beneficiary exemption – Management of the exemption, information flows between PSPs in the payment transaction

For the seamless management of the Article 13 exemption, should ASPSPs provide a feature that: 1) informs Acquirers and PISPs whether the payee is included in the payer’s list of trusted beneficiary; and 2) allows Acquirers and PISPs to suggest new entries or amendments to a payer’s list of trusted beneficiaries?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4128
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 25/01/2019

Application of Transaction Risk Analysis (TRA) exemption – Real time risk analysis / monitoring

Is it acceptable if a payment service provider (PSP) looking to apply the TRA exemption makes a best effort using the information available to them to identify that none of the six individual factors mentioned in Article 18(2)(c) of the Commission Delegated Regulation 2018/389 are applicable, but does not have to actually identify non-applicability of all of these factors to be able to use the TRA exemption? 

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4127
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 07/06/2019

Explicit consent required by the ASPSP from the PSU to enable the PSU to use the services provided by TPPs / Consenso esplicito richiesto dall’ASPSP al PSU per consentirgli di avvalersi dei servizi prestati dai TPP

May the requirement by the ASPSP for the PSU to give additional explicit consent in order to be allowed to use the services provided by TPPs, in addition to the consent given by the PSU to the TPP, be considered an ‘obstacle to the provision of payment initiation services and of account information services’ pursuant to Article 32 of the RTS?***IT:Puo’ un ulteriore consenso esplicito richiesto dall’ASPSP al PSU per consentirgli di avvalersi dei servizi prestati dai TPP, in aggiunta al consenso prestato dal PSU al TPP, essere considerato un “ostacolo alla prestazione dei servizi di disposizione di ordine di pagamento e di informazione sui conti” ai sensi dell’Articolo 32 del RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4123
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 11/01/2019

Exemptions from Strong Customer Authentication (SCA): trusted beneficiaries

Should a Payment Service User (PSU) recreate a list of trusted beneficiaries that was already approved in accordance with the EBA Guidelines on the security of internet payments?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4120
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 21/12/2018

Sanctions list screening in the context of TPPs' services - risk management policy

Is the Account Servicing Payment Service Provider (ASPSP) obliged to recognise if a Third Party Payment Service Providers (TPP) is named on a sanctions list or even take some actions when the TPP becomes a designated entity? How the prohibition of directly or indirectly making funds or economic resources available to designated persons and entities is defined in this context?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4117
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 12/03/2021

Accumulated other comprehensive income in template C.01.00

Is the accumulated other comprehensive income in template C.01.00 the same amount than in row 090 in F.01.03? Is row 280 in F.01.03 also taken into account?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)
  • ID: 2018_4116
  • Topic: Supervisory reporting - COREP (incl. IP Losses)
  • Date of submission:
  • Published as final Q&A: 07/06/2019

IFRS 9 Transitional arrangements - Definition of ‘t’

How should “t” which is used in the formulas in paragraph 1 of Article 473a CRR be calculated?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4113
  • Topic: Accounting and auditing
  • Date of submission:
  • Published as final Q&A: 03/08/2018

Data authentication standards

Does a non-remote card payment transaction with a secure, dynamic data authentication of the card (DDA or higher), based on ISO/IEC 7816 (for contact cards) and ISO/IEC 14443 (for contactless card) used with a static PIN meet the requirements of Article 4 of the RTS on Strong Customer Authentication (SCA)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4110
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 20/12/2019

Scope of ‘initiation of an electronic payment transaction’

Does a card payment transaction, authenticated with a signature at the point of sale, fall under the scope of Article 97 (I) (b) PSD2? Is there a difference if the signature is provided on a paper or on a signature pad (e.g. electronic signature pad or signature capture at a payment terminal)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4108
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 20/12/2019