Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

List of Q&A's

Responsibility of national authority with regards to audit reports

Should all audit reports required under Article 3 of the RTS on strong customer authentication and secure communication be monitored by the competent national authorities?And, what are the consequences if the audit report addressing the audit (referred to in Article 3, paragraph 1 of the RTS) shows significant findings?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4155
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

On the access to trusted beneficiaries lists (RTS Art 13) by TPPs in write mode

Do the TPPs have the right to access trusted beneficiaries lists in write mode?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4076
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

Accessing payment account online in web browser shall exceed not 5 minutes without acitvity

Is it necessary to stop the complete web session or would it be enough to deactivate the relevant items of PSD2 and to reduce the display to the available balance so trading functionality in the same session can stay available?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4065
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

EMV cards and EMV terminals supporting online authentication

Is there a need for Europay, MasterCard, Visa (EMV) cards and EMV terminals supporting online authentication in compliance with the RTS to support also offline authentication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4052
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

Criteria for the application of the transaction risk analysis (TRA) exemption – Application of the TRA exemption by authorized PSPs other than the issuer and the acquirer

May an authorized PSP other than the issuer and acquirer apply the TRA exemption on the basis of its own fraud rate and risk analysis?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4035
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

Review of the security measures: Audit report

Should the Audit for the implementation of the security measures be incorporated into an existing ISAE3402 report or COS3000 report or should a separate report be used?If a separate report should be used: Are there any templates available for reporting?Also, how detailed should the report be? Finally, should both design and operating effectiveness be tested of the requirements stated in the RTS articles?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4152
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

Review of Security Measures - Auditors expertise

Are internal auditors able to perform the audits as mentioned in paragraphs 1 and 2 of the RTS on strong customer authentication and secure communication?Is there a difference in the answer of this question between the audit as referred to in paragraph 1 and 2 of Article 3 of this RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4153
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

Small bank: bail-in or liquidation

Should the resolution authority assess the possibility of bail-in even for a small non-systemically important institution without critical function before making a decision about liquidation?Please specify whether in the scope of Article 31(2)(e) "client funds and client assets" should be included also moneys of bank's depositor (creditor) exceeding the covered deposit?

  • Legal act: Directive 2014/59/EU (BRRD)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2015_2191
  • Topic: Resolution objectives and triggers
  • Date of submission:
  • Published as final Q&A: 26/10/2018

Obligatory nature of the SCA and exemption based on transaction risk analysis

Does the exemption to the strong customer authentication (SCA) apply to any connection the payment service user (PSU) makes to his/her payment account(s), or only to the connections made through the use of third party processors (TPPs, such as AISPs or PISPs) via the interfaces (dedicated or not) set up by the bank with the TPPs, when a transaction risk analysis is performed and results on a low level of risk? That is, the connections made via the traditional online banking or the mobile application that the financial institution (the bank) provides to the final user are also eligible to a transaction risk analysis and, if a low level or risk is identified, apply exemption to the SCA? Or do the PSD2, and specifically the RTS on SCA and secure communication not apply to the traditional connections performed by the PSUs to their payment accounts via online banking or mobile application provided by the bank (ASPSP), and do they not mandate to apply transaction monitoring in such cases?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4089
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 19/10/2018

Article 473a(2) – Consideration of accounting provisions for FVOCI debt instruments

Should the ECL on debt instruments classified at fair value through OCI under IFRS9 be included within the calculation of the amount to be added back to CET1 as set in Article 473a.2 ( “static approach”)?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_3932
  • Topic: Accounting and auditing
  • Date of submission:
  • Published as final Q&A: 05/10/2018

Does transaction monitoring need to be real time?

Article 2(1) of the RTS stipulates that "payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorised or fraudulent payment transactions…" and Article 2(2) explains the minimum requirements.However, Article 2 does not specify timing aspects of the transaction monitoring.Is it correct to conclude that the transaction monitoring described in Article 2 does not need to be real time?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4090
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 05/10/2018

Qualification of SMS OTP as an authentication factor

Please clarify whether a One-Time Password (OTP) sent via SMS to a mobile phone qualifies as an ownership factor (“something only the user possesses”), and shall be subject to Article 7 of the RTS on strong customer authentication and secure communication.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4039
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 05/10/2018

Display of incorrect authentication factors in case of failed authentication attempts

For remote card transactions, may the user be informed of the incorrect authentication factor in case of a failed authentication attempt provided this does not increase the risk of fraud (e.g. for in-app transactions)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4041
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 05/10/2018

Inconsistencies in validation rules v1974_h, v5447_m, v5475_m and v5443_m

Whilst implementing DPM 2.7 we ran into some inconsistencies in the validation rules. The inconsistencies are caused by the validation rules as mentioned below. eba_v1974_h [F 17.01 (c010)] {r231} = +{r232} + {r233} Issue: in dpm 2.7 row 380 for equity instruments was added in report F17.00 and is part of row 231 but is not part of the right side of the equation. eba_v5447_m {F 18.00.a, r180, c010} = sum({F 04.09, r140, (c010, c020)}) + sum({F 04.10, r190, (c010, c020)}) - sum({F 04.10, r190, (c015, c025)}) + sum({F 01.01, (r030, r040), c010}) Issue: in report F18.00 row 180 only contains debt securities and loans and advances, whereas in the F4.x reports equity instruments are included as well (here, report F4.08 reports equity instruments). Rule eba_v5475_m has the same issue eba_v5443_m [F 18.00.a] {F 18.00.a, r100, c010} = sum({F 04.09, r100, (c010, c020)}) + sum({F 04.10, r150, (c010, c020)}) - sum({F 04.10, r150, (c015, c025)}) + {F 01.01, r030, c010} In template 18, the amount is for credit institutions, whereas the {F 01.01, r030, c010} refers to cash at central banks. If the reference was to row 40 (other demand deposits) instead of 30, the calculation would add up The question is: How to handle these inconsistencies?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)
  • ID: 2018_3858
  • Topic: Supervisory reporting - FINREP (incl. FB&NPE)
  • Date of submission:
  • Published as final Q&A: 05/10/2018

Follow-up to Q&A 2016_2609 - Template C 71.00

With reference to 2016_2609, please can you confirm whether the predominant currency in the rest of line means a) the predominant currency in the rest of the line provided by the counterparty providing the multi-currency facility or b) the predominant currency in the rest of the line provided by all counterparties?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)
  • ID: 2018_3820
  • Topic: Supervisory reporting - COREP (incl. IP Losses)
  • Date of submission:
  • Published as final Q&A: 05/10/2018

Finrep. Validation rule v5443_m and others

Our opinion is that rule v5443_m has been wrongly implemented by the EBA. The formula is the following : {F 18.00.a, r100, c010} = sum({F 04.09, r100, (c010, c020)}) + sum({F 04.10, r150, (c010, c020)}) - sum({F 04.10, r150, (c015, c025)}) + {F 01.01, r030, c010} This rule seems to be designed for nGAAP reporters as in its formula there are some explicit references to F 04.09 and F 04.10 templates which are nGAAP reporters templates. The problem is the following : The last data point on the right hand side of v5443_m shall be in my humble opinion F 01.01, r040 and not F 01.01, r030. In the current implementation, the EBA is comparing loans and advance to credit institutions (F 18.00 row 100, col 010) with cash balances at central banks which does not make sense. v2776_m which is the same rule but this time designed for IFRS reporters seems to be correct as the last data point on the right hand side of the formula refers this time to row 040 : {F 18.00.a, r100, c010} = sum({F 04.04.1, r100, (c015, c030, c040)}) + {F 01.01, r040, c010} Could you please confirm that rule v5443_m has been wrongly implemented by the EBA?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)
  • ID: 2018_3814
  • Topic: Supervisory reporting - FINREP (incl. FB&NPE)
  • Date of submission:
  • Published as final Q&A: 05/10/2018

Validation rule v3129_m (FINREP template 18 and 19 IFRS 9)

The validation rule v3129_m requires for template 19 FINREP for all rows (010;020;030;040;050;060;070;080;090;100;110;120;130;140;150;160;170;180;181;182;183;184;185;186;191;192;193;194;195;196;197;201;211;212;213;214;215;216;221;222;223;224;225;226;227;231;330) that column {F 19.00.a, c100 of which: Impaired (Non-performing (Forborne)} <= {F 18.00.a, c120 of which impaired (non performing). For most rows this validation rule is correct. But for the rows (211;212;213;214;215;216;221;222;223;224;225;226;227;231) the column 100 in template 19 and the column 120 in template 18 are both greyed out. Can you limit the validation rule v3129_m to the rows (010;020;030;040;050;060;070;080;090;100;110;120;130;140;150;160;170;180;181;182;183;184;185;186;191;192;193;194;195;196;197;201;330)?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Draft ITS on Supervisory Reporting of Institutions
  • ID: 2018_3788
  • Topic: Supervisory reporting - FINREP (incl. FB&NPE)
  • Date of submission:
  • Published as final Q&A: 05/10/2018

Validation rule v2707_m (FINREP template 18 IFRS 9)

The validation rule v2707_m requires for template 18 FINREP for all rows (010;020;030;040;050;060;070;080;090;100;110;120;130;140;150;160;170;180;181;182;183;184;185;186;191;192;193;194;195;196;197;201;211;212;213;214;215;216;221;222;223;224;225;226;227;231;330) that column c120 of which impaired should be <= c060 Total non-performing. For most rows this validation rule is correct. But for the rows (211;212;213;214;215;216;221;222;223;224;225;226;227;231) the column 120 is greyed out. Can you limit the validation rule v2707_m to the rows (010;020;030;040;050;060;070;080;090;100;110;120;130;140;150;160;170;180;181;182;183;184;185;186;191;192;193;194;195;196;197;201;330)?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Draft ITS on Supervisory Reporting of Institutions
  • ID: 2018_3787
  • Topic: Supervisory reporting - FINREP (incl. FB&NPE)
  • Date of submission:
  • Published as final Q&A: 05/10/2018

2.7 - Incorrect rules v0985_m and v0986_m

Validation rules v0985_m and v0986_m are incorrect in the taxonomy 2.7.0.1. They refer to columns 022 and 025 however these columns are greyed in the template F 20.04.

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)
  • ID: 2018_3723
  • Topic: Supervisory reporting - FINREP (incl. FB&NPE)
  • Date of submission:
  • Published as final Q&A: 05/10/2018

Discrepancies between annotated table layout and EBA validation rules (e.g. v5351_m)

1) Are the columns 011, 012, 022 and 025 of template F 20.04 in the annotated table layout (FN1) not intended to be subsets of column 010, meaning that a limitation on ‘other than held for sale’ in column 010 would indicate the same limitation for the ’of-which’ columns?2) If there is a limitation on ’other than held for sale’ in template F 20.04, column 010, does this limitation not contradict the above mentioned validation rule v5351_m, if the same limitation is not indicated in template F 06.01? The same problem occurs for validation rules v5350_m, v5353_m, v5725_m, v6054_m, v6055_m, v6056_m, v6057_m, v6058_m and v6059_m (FN2).Foot notes:FN 1: DPM table layout and data point categorisation updated 27 April 2017FN 2: Validation rules updated 08 December 2017 

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (repealed)
  • ID: 2018_3670
  • Topic: Supervisory reporting - FINREP (incl. FB&NPE)
  • Date of submission:
  • Published as final Q&A: 05/10/2018