List of Q&As

Weighted average of the CCF

Internal authorized EAD models may calculate the EAD by means of several parameters, since the exposure behavior could be explained by different factors. Considering that this type of EAD internal model does not estimate a unique CCF, but rather several factors that are applied to different exposure components, the consequent approach implemented to report the CCF in Template C.101 ,C102 and C.103 has been the following: include in the field as per C.100 in Annex IV the parameter that, in the internal EAD formula, is applied to the undrawn amount, in line with the weights that shall be used to compute the average of the CCF at counterparty/portfolio level, according to the provision reported in Annex IV which make reference to art. 166, par 8 of CRR. Please confirm that this approach is in line with the provision set in ITS as for Annex IV C.100.

Legal act: Directive 2013/36/EU as amended by Directive (EU) 2019/878 (CRD5)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Draft ITS on Supervisory Reporting of Institutions (for benchmarking the internal approaches)

ID: 2020_5368| Topic: Supervisory reporting - Supervisory Benchmarking| Date of submission: 15/07/2020

SCA requirements with dynamic linking for mobile initiated credit transfers (MSCTs)

Can mobile initiated credit transfers (MSCTs) solutions whereby a proximity technology (e.g. NFC, QR-code, BLE, etc.) is used for the exchange of payer identification data between the payer’s mobile device and the payee’s payment terminal but a mobile network is used (e.g. by a dedicated app) on the payer’s mobile device for the payer authentication, be considered as a proximity payment whereby strong customer authentication (SCA) may apply without requiring dynamic linking?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5367| Topic: Other topics| Date of submission: 14/07/2020

The implementation of commercial agent exclusion for B2C e-commerce platforms

In what situation a business-to-consumer (B2C) e-commerce platform can be subjected to the exclusion foreseen in Article 3 (b) from PSD2?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ID: 2020_5355| Topic: Other topics| Date of submission: 06/07/2020

The implementation of commercial agent exclusion for e-commerce platforms

Should the settlement of the debt by an e-commerce platform be considered a sufficient reason to exclude the e-commerce platform from the scope of PSD2 or an indispensable requirement for a commercial agent mandate?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ID: 2020_5354| Topic: Other topics| Date of submission: 06/07/2020

On the requirements for 'inherence' in strong customer authentication (SCA)

Do the elements required for ‘inherence’ in strong customer authentication (SCA) provide the complete authentication or can they form a part of an authentication decision with some non-biometric elements and still satisfy the inherence condition, for example, as one element of a user profile of several elements. For example, if the biometric, say keystroke dynamics, provides 50% of the decision and other characteristics (e.g. device data, location data) provide the other 50%, does this satisfy the requirement for inherence assuming the condition for 'very low probability of unauthorised access' is also satisfied and that another SCA condition, 'knowledge' or 'possession' is also satisfied? if so, is there a threshold, say 50%, below which it ceases to qualify as 'inherence'?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5353| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 06/07/2020

Customer data transfer to Member States for the purpose of supervision

Does the phrase “data related to their customers” under Article 6 of the Delegated Regulation refer to personal customer data (as defined by EU Regulation 2016/679) or general data for management purposes (e.g. descriptive statistics on the number of customers, customer risk distribution, etc.)?

Legal act: Directive (EU) 2015/849 (AMLD)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2019/758 – RTS on implementation of group wide AML/CFT policies in third countries

ID: 2020_5350| Topic: Third country policy| Date of submission: 02/07/2020

Disclosure of information within the group related to suspicious activity reports (SARs) to the competent authorities

Does the requirment under Article 5 of the Delegated Regulation refer to the sharing of information on the underlying data of the Suspicious Activity report (SAR) (e.g. transactions, customer data) without disclosing whether the SAR was filed and sent to the local authorities of the third country?

Legal act: Directive (EU) 2015/849 (AMLD)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2019/758 – RTS on implementation of group wide AML/CFT policies in third countries

ID: 2020_5349| Topic: Third country policy| Date of submission: 02/07/2020

Retroactivity concerning customer consent for data sharing and processing

Is there the expectation that such consent clauses, under Article 4 of the Delegated Regulation, be incorporated into contracts on a go-forward basis from the date the Regulation entered into force (i.e. with new customers and existing customer contract renewals) or is there the expectation that all existing customer contracts will be remediated to meet this requirement? What approach should be used with former customers?

Legal act: Directive (EU) 2015/849 (AMLD)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2019/758 – RTS on implementation of group wide AML/CFT policies in third countries

ID: 2020_5348| Topic: Third country policy| Date of submission: 02/07/2020

Scope and application of the RTS on implementation of group wide AML/CFT policies in third countries

How do you define a) a subsidiary and b)  a financial institution, for the purposes of the Delegated Regulation?

Legal act: Directive (EU) 2015/849 (AMLD)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2019/758 – RTS on implementation of group wide AML/CFT policies in third countries

ID: 2020_5347| Topic: Supervision| Date of submission: 02/07/2020

PD-/PD+ for RWA-/RWA+

Are PD-/PD+ calculated separately for each of the (sub)portfolios listed in Annex 4, or are the PD-/PD+ values obtained for a client/exposure to be used consistently and unchanged for all (sub)portfolios?

Legal act: Directive 2013/36/EU as amended by Directive (EU) 2019/878 (CRD5)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2016/2070 - ITS on Supervisory Reporting (for benchmarking the internal approaches) (as amended)

ID: 2020_5339| Topic: Supervisory reporting - Supervisory Benchmarking| Date of submission: 30/06/2020

How to use bank guarantees instead of PII

Is it acceptable to use third party (other than credit institutions) commitments that are covered by a guarantee from a credit institution as a comparable guarantee instead of professional indemnity insurance (PII)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2017/08 - Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance

ID: 2020_5335| Topic: Monetary amount of the professional indemnity insurance| Date of submission: 27/06/2020

Calculation of fraud rates excluding transactions based on the liability

May a Payment Service Provider (PSP) exclude all fraudulent transactions for which it is not liable ? As a concrete example: May an acquirer PSP exclude all fraudulent transactions for which the issuer PSP is liable (such as 3DS v1 authenticated transactions) ?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5332| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 26/06/2020

Definition of a financial institution as regards the application of the Delegated Regulation

Is an institution, that is a subsidiary of a holding company which, in turn, owns several financial subsidiaries, not considered as a group for the purposes of the Delegated Regulation, since their parent company does not fall within the definition of a financial entity set out in Article 3 of Directive (EU) 2015/849 (AMLD)?

Legal act: Directive (EU) 2015/849 (AMLD)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2019/758 – RTS on implementation of group wide AML/CFT policies in third countries

ID: 2020_5310| Topic: Third country policy| Date of submission: 17/06/2020

Safeguarding

Are payment institutions able to simultaneously adopt different safeguarding methods with respect to funds held?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ID: 2020_5264| Topic: Authorisation and registration| Date of submission: 19/05/2020

Access to account for FinTech Solutions that incorporate regulated services

Do FinTech companies offer payment accounts by their use of regulated services as part of their offering and are they therefore required to provide access to accounts to Third Party Providers (TPPs)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ID: 2020_5249| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 13/05/2020

Clarification of remote payment for dynamic linking

Is a SEPA Credit Transfer (SCT) transaction, whereby a user mobile phone interacts locally via Near Field Communication (NFC) with a merchant payment terminal to initiate the SCT transaction, whereby the user mobile phone does not communicate remotely over a mobile network for this purpose but whereby the payment terminal connects on-line to a payment system and handles the required strong customer authentication (SCA) through this on-line channel, considered an electronic remote payment transaction?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5247| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 12/05/2020

Transport and parking exemption for parking and electric vehicle charging

Does the transport and parking exemption under Article 12 of RTS on strong customer authentication and secure communication apply to transactions at unattended terminals for the payment of a parking fee that includes electric charging?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5224| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 29/04/2020

Money Remittance

Where an entity accepts payment on behalf of a payee (such as a debt collector and the debt due to the payee is extinguished upon receipt of payment by the debt collector), is it correct to say that this does not constitute Money Remittance? (i.e. there is no need to rely on the commercial agency exemption since there is no payment service being provided). In addition, if there is no Money Remittance in this situation, can the same be said if the entity receives money into one account then pays these monies to a second account in its name,before transferring the money to the relevant payee? If this is Money Remittance, can the commercial agency exemption be relied on where an entity receives monies but then transfers them to another account held by it before then transferring to the relevant payee?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ID: 2020_5216| Topic: Authorisation and registration| Date of submission: 21/04/2020

Elements of possession (SIM card) and knowledge (knowledge-based responses to challenges or questions)

1. Can evidence of possession (SIM card) can also be verified by reading and identifying the phone number used for the phone call?2. Can a knowledge element be based on a) transaction history of the customer; b) contact information of the customer?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5215| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 21/04/2020

Cash received or security retained on the balance sheet in SFT transactions

C47 report ITS report guidelines mention under Row 010 as per heading that SFT exposures according to CRR 429 (5) and 429 (8) 429 (5) “repurchase transactions, securities or commodities lending or borrowing transactions, long settlement transactions and margin lending transactions shall not be netted.” 429 (8) “institutions may determine the exposure value of cash receivables and cash payables of repurchase transactions, securities or commodities lending or borrowing transactions, long settlement transactions and margin lending transactions with the same counterparty on a net basis only if all the following conditions are met” As per the above, if cash legs netting is not done, Repo exposure value as per article 111, is the security owned by the institution and under repo transaction is to be reported. There is no netting of repo positions. But in the report guidelines, it is mentioned that “Institutions shall not include in this field cash received or any security that is provided to a counterparty via the aforementioned transactions and is retained on the balance sheet (i.e. the accounting criteria for derecognition are not met). Institutions shall instead include those items in {190, 1}. “ The guidelines appear a little contradictory as on the top, they say exposure value of repurchase transactions are to be reported here. Again, they mention that cash received or any security retained on the balance sheet that are provided in the repurchase transactions are not to be reported here. Presuming that no cash receivables and cash payables are not eligible for in terms of CRR guidelines, what are the positions to be reported in the cells Row 010 and Row 190 There is same issue in C40 report between Row 070 (SFTs covered under master netting agreement), Row 080 (SFTs not covered under master netting agreement) and Row 090 (other assets). While SFTs accounting balance sheet values are to be reported in Row070 and Row080, the ITS guidelines state that cash received or any security retained on the balance sheet that are provided in the repurchase transactions are not to be reported in Row 070 and Row080 but to be reported in Row 090 under other assets. It is not clear as cash received in a repo transaction/security lending transaction is a liability and not exposure and how is treated as asset for leverage ratio reports. For example, 1 scenario If institution have 3 repo and reverse repo transactions with a counterparty and there is no bilateral master netting agreement 1. ABC institution does a repo transaction with security (retained on the balance sheet) value of Euro 100 and obtains a loan 80 from XYZ institution. 2. ABC institution does a repo transaction with security (not retained on the balance sheet) value of Euro 200 and obtains a loan of Euro 150 from XYZ Institution 3. ABC institution does a reverse repo transaction and provides a loan of Euro 120 against a security of Euro 200 from DEF institution. In these transactions exposure value for CCR purposes repo and reverse repo exposure positions are Euro 100 and Euro 120 only The collaterals will be Euro 80 and Euro 200. Please clarify which positions are to be reported in C47 in Row 010 and Row 190 and in C40 in Row 080 and Row090. Request for our information if cash receivables and cash payables netting is allowed how the reporting changes.

Legal act: Regulation (EU) No 575/2013 as amended by Regulation (EU) 2019/876 (CRR2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Delegated Regulation (EU) 2015/62 - DR with regard to the leverage ratio

ID: 2020_5195| Topic: Supervisory reporting - Leverage ratio| Date of submission: 01/04/2020