Single Rulebook Q&A

Question ID: 2018_4155
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 97
Paragraph: 3
Subparagraph: NA
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph: Article 3 / Paragraph 3
Type of submitter: Accounting firm
Subject matter: Responsibility of national authority with regards to audit reports
Question:

Should all audit reports required under Article 3 of the RTS on strong customer authentication and secure communication be monitored by the competent national authorities?

And, what are the consequences if the audit report addressing the audit (referred to in Article 3, paragraph 1 of the RTS) shows significant findings?

Background on the question:

In Article 3 paragraph 3 it is mentioned that "The entire report shall be made available to competent authorities upon their request". This does not directly state that each report will be monitored by the competent authorities. It is not clear what the rationale behind this is (why would some reports not be requested and monitored by the competent authorities?).

Date of submission: 23/07/2018
Published as Final Q&A: 26/10/2018
EBA answer:

As stated in Article 3 of the Commission Delegated Regulation (EU) 2018/389, the audit “report shall be made available to competent authorities upon their request”. Competent authorities will therefore establish whether or not they wish to request such a report. In addition, whether or not the competent authority is involved, and similar to any type of audit report, every payment service provider is expected to act on significant findings and weaknesses identified to ensure those are adequately addressed. The payment service provider may also wish to proactively inform the competent authority.

Status: Final Q&A