Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
EBA/GL/2019/04 – Guidelines on ICT and security risk management - repealing EBA/GL/2017/17
Disclose name of institution / entity:
Type of submitter:
Competent authority
Subject Matter:
Operation and security risk assessment of a branch of a credit institution

Does a branch of an EU credit institution operating in another Member State have to prepare a separate assessment for its payment-related activity and, if yes, which competent authority shall be responsible for receiving the assessment: the competent authority of the host Member State or that of the home Member State?

Background on the question:

Article 95(2) of PSD2 states that Member States shall ensure that payment service providers provide to the competent authority, on an annual basis or at shorter intervals as determined by the competent authority, an updated and comprehensive assessment of the operational and security risks relating to the payment services they provide and of the adequacy of the mitigation measures and control mechanisms implemented in response to those risks. Further clarifications on the content of the assessment are provided in Guideline 3 of the Guidelines on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) (EBA/GL/2017/17).

The supervision of operational and security risk management is closely linked to the reporting of major operational and security incidents. Guideline 4 of the EBA Guidelines on major incident reporting under Directive (EU) 2015/2366 (PSD2) (EBA/GL/2017/10) requires payment service providers to ensure that their general operational and security policy clearly defines all the responsibilities for incident reporting under PSD2. For the purpose of major incident reporting, Article 96(1) of PSD2 explicitly states that payment service providers shall notify the competent authority in the home Member State of the payment service provider. The operational and security risk assessment should be evaluated, among other things, in the light of the major incidents received from the same PSP. We consider that it is not in line with the provisions of PSD2 to have different competent authorities with regard to the assessment of the operational and security risks and the reporting of major incidents of the same payment service provider.

Date of submission:
Published as Final Q&A:
Final Answer:

The risk assessment foreseen under Article 95(2) of PSD2 and Guideline 3 of the EBA Guidelines on security measures for operational and security risks under PSD2 (EBA/GL/2017/17) refers to payment service providers. There is no distinction for branches and therefore no separate risk assessment is needed. However, in the event that the risk assessment for branches deviates from that of the licensed payment service provider, this should be made clear in the referred risk assessment. The general principle of the competence of the home Member State for credit institutions, payment institutions and e-money institutions applies. This means that such assessments should be submitted to the home Member State.

Final Q&A
Answer prepared by:
Answer prepared by the EBA.
Note to Q&A:

The topic of this Q&A was changed from “Security measures for operational and security risks” to “Strong customer authentication and common and secure communication (incl. access)” on 15.12.2022.