Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

List of Q&A's

Exemption from strong customer authentication (SCA) for payment account information in combination with accessing account information online in web browser

Is it acceptable to abstain from applying the 5-minute-rule when the strong customer authentication (SCA)-exemption for payment account information is in use?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4068
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 21/12/2018

Exemptions from Strong Customer Authentication (SCA): trusted beneficiaries

Should a Payment Service User (PSU) recreate a list of trusted beneficiaries that was already approved in accordance with the EBA Guidelines on the security of internet payments?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4120
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 21/12/2018

Access by AISPs when customer not present up to 4 times in a 24 hour period

Is the intention that the '4 times in 24 hour period' is implemented based on 4 sessions for access for account information per consented customer account, or 4 Application Programming Interface (API) calls (where APIs are used for the decicated interface) for account information, or another basis?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4210
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 21/12/2018

Signature performed on the screen of a digital device as a factor in a two-factor SCA

Could a signature performed on the screen of a digital device be considered a valid factor in a two-factor strong customer authentication (SCA) under the RTS – and what type of element is it?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4238
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 21/12/2018

Consent for the provision of PIS and AIS

Could the consent to Account Information Service Providers (AISP)/ Payment Initiation Service Provider (PISP) to provide services to a Payment Service User (PSU) also be revoked by the bank directly for PSU’s ease of use and could ASPSPs offer the PSU to generally “opt out” of being able to use the services of bank-independent Third Party Providers (TPPs)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4309
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 21/12/2018

Large exposures - treatment of connected clients principle on exposures to other group entities outside prudential scope of consolidation

What treatment is envisaged in the context of connected clients for multiple exposures to multiple entities that are part of the same economic group, but are not included in the scope of prudential consolidation? Are these considered to be an exposure to the same (connected) client?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_3665
  • Topic: Large exposures
  • Date of submission:
  • Published as final Q&A: 21/12/2018

Credit Risk on Gold Bullion

Under Article 134(4) CRR, what would the risk weight be if gold bullion is held on our behalf by other institutions and where such investment is not backed by gold bullion liabilities?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2017_3649
  • Topic: Credit risk
  • Date of submission:
  • Published as final Q&A: 21/12/2018

Reclassification of own funds instruments from a grandfathered category to a fully eligible category and purpose of grandfathering provisions

Is it permissible for an institution, and if so under which circumstances and/or criteria, to reclassify own funds instruments from a grandfathered category to a fully eligible category in particular in a context where no change in the relevant applicable laws or terms and conditions of the reclassified instruments has taken place before the reclassification? Would the answer be the same for a reclassification of own funds instruments from a disqualified category to a fully eligible category?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4417
  • Topic: Own funds
  • Date of submission:
  • Published as final Q&A: 21/12/2018

Operation and security risk assessment of a branch of a credit institution

Does a branch of an EU credit institution operating in another Member State have to prepare separate assessment for its payment related activity and if yes which competent authority shall be responsible for receiving the assessment - is it the competent authority of the host or the home Member State?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2019/04 – Guidelines on ICT and security risk management - repealing EBA/GL/2017/17
  • ID: 2018_4176
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 14/12/2018

Applicability of exemption from strong customer authentication (SCA) under Article 17 for card payments

Is Article 17 of Regulation (EU) 2018/389 applicable for the payer’s Payment service provider (PSP) for card-based payments?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4239
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 14/12/2018

Interpretation of 'Active request for account information'

How should 'active request for account information' by a Payment Service User (PSU) be interpreted the wording of article 36(5)(a)(b) of the RTS SCA?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4172
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 14/12/2018

Major incidents reporting

Must Payment Service Providers (PSPs) submit major incident reports to their home National Competent Authority (NCA) when the cause of the major incident is outside the control of the PSP and when updates on the major incident are dependent on information provided by a third party?Where there is consolidated reporting of an incident to the EBA/ECB in the context of, for example, card payments schemes, is reporting of the major incident by PSPs to their NCA under PSD2 required?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2021/03 - Guidelines on major incident reporting under PSD2 - repealing EBA/GL/2017/10
  • ID: 2018_4144
  • Topic: Major incidents reporting
  • Date of submission:
  • Published as final Q&A: 14/12/2018

Applicability of Strong Customer Authentication (SCA) to existing recurring payments solutions

Is Strong Customer Authentication (SCA) required if the series of recurring transactions was initiated before the date of application of the RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4048
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 14/12/2018

Reporting of financial asset sales and write-offs in FINREP template F 02.00

How should financial asset (e.g. loan portfolio) sales and write-offs be reported in the template F 02.00 (Statement of profit or loss)?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)
  • ID: 2018_3716
  • Topic: Supervisory reporting - FINREP (incl. FB&NPE)
  • Date of submission:
  • Published as final Q&A: 14/12/2018

Criteria for the application of the transaction risk analysis (TRA) exemption – Fraud rate calculation methodology for the application of the TRA exemption

Should ‘friendly’ frauds be included in the “total value of unauthorised or fraudulent remote transactions” considered for the calculation of the fraud rates for the application of the TRA exemption?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4032
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 07/12/2018

Deferral of variable remuneration in instruments

Does a credit institution have the obligation to hold the instruments (as shares, for example) during the deferral period of variable remuneration in instruments?

  • Legal act: Directive 2013/36/EU (CRD)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2021/04 - Guidelines on sound remuneration policies under CRD (repealing EBA/GL/2015/22)
  • ID: 2018_3815
  • Topic: Remuneration
  • Date of submission:
  • Published as final Q&A: 23/11/2018

Treatment of a securities lending and borrowing service with regard to the LCR / Traitement d’un service de prêt et d’emprunt de titres en ce qui concerne le ratio de couverture des besoins de liquidité

What is the treatment of a securities lending and borrowing service with regard to the LCR?***FR:Quel est le traitement accordé au ratio de couverture des besoins de liquidité pour un service de prêt et d’emprunt de titres?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Delegated Regulation (EU) 2015/61 - DR with regard to liquidity coverage requirement
  • ID: 2015_1962
  • Topic: Liquidity risk
  • Date of submission:
  • Published as final Q&A: 09/11/2018

FINREP. Validation rule v5468_m

Is validaton rule v5468_m correct?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)
  • ID: 2018_3884
  • Topic: Supervisory reporting - FINREP (incl. FB&NPE)
  • Date of submission:
  • Published as final Q&A: 09/11/2018