Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

List of Q&A's

Classification of phishing-attacks as a reportable major ICT-related incident

Can individual phishing incidents that target the customers of a financial entity in their “private sphere” be subsumed under “compromises the security of the network and information systems” pursuant to Article 3 No. 8 of Regulation (EU) 2022/2554 and can they therefore constitute a major ICT-related incident that must be reported pursuant to Article 19 (1) of Regulation (EU) 2022/2554? 

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/1772 - RTS on the classification of ICT-related incidents and cyber threats
  • ID: 2025_7613
  • Topic: ICT-related incidents (management / classification / reporting)
  • Date of submission:
  • Published as final Q&A: 06/02/2026

Finrep Validation Rules v4975_m and v6058_m6

The validation rules v4975_m and v6058_m appear to systematically fail when institutions hold loans measured at fair value through other comprehensive income (FVOCI). These rules seem not to reflect that fair value remeasurement adjustments on FVOCI loans are recognised directly in the balance sheet through equity. Could the EBA confirm whether these validation rules should exclude FVOCI instruments from their scope, or whether they will be revised to properly reflect valuation adjustments recognised in the balance sheet under IFRS 9?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/3117 - ITS on supervisory reporting of institutions
  • ID: 2025_7611
  • Topic: Supervisory reporting - FINREP (incl. FB&NPE)
  • Date of submission:
  • Published as Rejected Q&A: 11/12/2025

Reporting of debt securities issued but not yet paid up

What is the expected representation for a debt security issued but not yet paid up in the templates REPRICING CASH FLOWS (J05, J06 and J07)? Is the expected monetary inflow supposed to be reported and if so in which row?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2021/451 – ITS on supervisory reporting of institutions (repealed)
  • ID: 2025_7610
  • Topic: Interest Rate Risk for Banking Book (IRRBB)
  • Date of submission:
  • Published as final Q&A: 24/04/2026

Obstacle assessment of an ASPSP offering only web redirection to TPPs while a superior native app authentication method exists for its direct users

Does an Account Servicing Payment Service Provider's (ASPSP) decision to offer only a web-based redirection for Third Party Provider (TPP) initiated journeys constitute an obstacle under Article 32(3) of the RTS, if that ASPSP also makes available a more convenient, direct authentication procedure in its native mobile application for its Payment Service Users (PSUs) when they access their accounts directly?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2025_7608
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as Rejected Q&A: 11/05/2026

Obstacle assessment of requiring an additional SCA for PIS within an existing authenticated AIS session

If a Payment Service User (PSU) initiates a payment (PIS) immediately after establishing a session for an Account Information Service (AIS) (for which SCA has already been performed), does the ASPSP's requirement for an additional, separate SCA—such as the need to fully log in to the mobile banking app before the payment confirmation screen is displayed—solely to access the payment function (and preceding the dynamic linking SCA) constitute an obstacle under Article 32(3) of the RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2025_7605
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as Rejected Q&A: 11/05/2026

Obstacle assessment of requiring multiple manual checkboxes for a single AIS consent

Does the practice of an ASPSP requiring a PSU to manually tick multiple, separate checkboxes for different categories of account data in order to grant a single consent for an Account Information Service (AIS) constitute an obstacle under Article 32(3) of the RTS, by adding unnecessary steps and friction to the user journey?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2025_7604
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as Rejected Q&A: 11/05/2026

Execution of an authorized payment instruction made conditional on manual user redirection

If an Account Servicing Payment Service Provider (ASPSP) makes the execution of a payment instruction, already successfully authorized via Strong Customer Authentication (SCA) in its app, conditional on the Payment Service User (PSU) subsequently manually returning from the ASPSP's authentication app back to the Third Party Provider's (TPP) environment, does this condition constitute an obstacle under Article 32(3) of the RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2025_7603
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as Rejected Q&A: 11/05/2026

Clarification request - CP Pillar 3 ESG - Template 2 covered bonds

We are reaching out regarding the Consultation Paper published by EBA on 22/05 concerning Pillar III ESG disclosures. Specifically, we would kindly request clarification about the additional line required in Template 2 related to covered bonds: "In addition, a breakdown for information on cover pool of covered bonds is requested in rows for the Total EU area and Total non-EU area (rows 1.1 and 6.1 respectively)."   As stated in the CP document: “Following Recital 55 of the CRR3, the EBA is asked to assess means to enhance the disclosures on ESG risks of cover pools of covered bonds and to consider whether information on the relevant exposures of the pools of loans underlying covered bonds issued by institutions, either directly or through the transfer of loans to a special purpose vehicle (SPV), should either be included in the revised ITS or in the regulatory and disclosure framework for covered bonds”   We would appreciate your guidance on the following points: • Should only the covered bonds issued by the institution reporting the template be considered? Or does this also include covered bonds acquired from other institutions (other banks - in addition to the already mentioned SPVs)? • Considering the scope of the template, the exposures to be reported refer to the loans collateralized by the immovable properties securing the bonds, and not the value of the bonds themselves, is that correct? • Should the total amount be reconciled with a specific cell in the FINREP reporting framework?   Thank you in advance for your kind clarification.

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2025_7600
  • Topic: Transparency and Pillar 3
  • Date of submission:
  • Published as Rejected Q&A: 12/01/2026

Article 12 of Regulation (EU) 2024/857 - non-performing exposures (NPEs) exceeds the 2% threshold.

Could the EBA clarify, in relation to the applicable reporting reference dates, from which point in time institutions are expected to implement and apply the corresponding model adjustment in their IRRBB reporting once this 2% threshold has been breached? Specifically, should the model change be reflected from the reporting period during which the threshold was exceeded, or from the beginning of the next full reporting period following the breach?

  • Legal act: Directive 2013/36/EU (CRD)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/857 - RTS on the IRRBB standardised approach
  • ID: 2025_7598
  • Topic: Supervisory reporting - IRRBB
  • Date of submission:
  • Published as Rejected Q&A: 11/02/2026

COREP CVA Risk reporting – exempted CCP-related transactions

In case of an institution that is also a clearing member to a QCCPs, for its CCP-related transactions that are exempted from CVA own funds requirements under CRR article 382(3), should these be reintegrated/reported in COREP template C25.01 row 0050?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/3117 - ITS on supervisory reporting of institutions
  • ID: 2025_7597
  • Topic: Supervisory reporting - COREP (incl. IP Losses)
  • Date of submission:
  • Published as Rejected Q&A: 12/11/2025

COREP Template 236. Specialised Lending Supervisory Slotting Method

How should institutions reflect, in COREP template C 08.01, credit risk mitigation (CRM) techniques applied to exposures subject to the slotting approach?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/3117 - ITS on supervisory reporting of institutions
  • ID: 2025_7596
  • Topic: Supervisory reporting - COREP (incl. IP Losses)
  • Date of submission:
  • Published as Rejected Q&A: 27/10/2025

ASF factors for Additional Tier 1 items as wells as Tier 2 items and other capital instruments maturing between 6 month and 1 year

For the purpose of calculating the NSFR, which appropriate available stable funding factor shall institutions apply for Additional Tier 1 items as well as Tier 2 items and other capital instruments maturing between 6 month and 1 year?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2021/451 – ITS on supervisory reporting of institutions (repealed)
  • ID: 2021_6017
  • Topic: Supervisory reporting - Liquidity (LCR, NSFR, AMM)
  • Date of submission:
  • Published as final Q&A: 07/10/2025

Customers short sales internally matched with other clients’ long positions, as part of primary brokerage services

What is the expected treatment in the Liquidity Coverage Ratio of an internalized transaction, maturing within 30 calendar days, where the institution grants a margin loan to a client against a collateral that does not qualify as liquid assets and where this collateral is lent to another client to cover short sales?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Delegated Regulation (EU) 2015/61 - DR with regard to liquidity coverage requirement
  • ID: 2025_7595
  • Topic: Liquidity risk
  • Date of submission:
  • Published as Rejected Q&A: 10/11/2025

Application of the ‘sole purpose test’ with respect to the criterion predominant source of revenues.

Art. 2 (7) (a) of Commission Delegated Regulation 2023/2175 stipulates the following Revenue Test: “the entity has a strategy and the capacity to meet payment obligations consistent with a broader business model that involves material support from capital, assets, fees or other sources of income, by virtue of which the entity does not rely on the exposures to be securitised, on any interests retained or proposed to be retained in accordance with Article 6 of Regulation (EU) 2017/2402, or on any corresponding income from such exposures and interests, as its sole or predominant source of revenue”. The ESA report (JC 2025 14) from March 2025 in particular in the context of Collateralised Loan Obligation (CLO) securitisations as they relate to third party origination CLO vehicles, reiterates this guidance and clarifies that the word “predominant” translates into a 50% threshold: “[…] According to the RTS, this means that the entity’s revenues should correspond to no more than 50% on the exposures to be securitised, risk retained assets or proposed to be retained in accordance with Article 6 of the SECR, or any corresponding income from such exposures and risk retained assets. […]”.  It is also acknowledged that the JC of the ESAs seek to invite the European Commission to confirm this interpretation and if needed to consider some legislative adjustments to clarify the term “sole purpose” in the Level 1 text. The Submitter would like to confirm that in situations where such aforementioned originator invests in securitization tranches in excess of the minimum risk retention in accordance with Art. 6 of the Securitisation Regulation, the Revenue Test is met if: X / Y ≤ 0.5  where X means the sum of gross revenues based on exposures to be securitized and gross revenues of tranches mandatorily held to fulfil the minimum risk retention, and  Y means all gross revenues. The gross revenues of tranches voluntarily held in excess of the minimum risk retention should therefore only be included in Y.

  • Legal act: Regulation (EU) No 2017/2402 (SecReg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2023/2175 - RTS on the risk retention requirements for originators, sponsors, original lenders, and servicers
  • ID: 2025_7594
  • Topic: Provisions applicable to all securitisations
  • Date of submission:
  • Published as Rejected Q&A: 31/03/2026

FINREP – Loan commitments, financial guarantees and other commitments given

In the context of FINREP template F 09.01, could the EBA clarify whether the scope of columns 0100 and 0110 is intended to include exposures (commitments and certain contractual arrangements that are not commitments as referred to in CRR Article 5/110a/111(4)) that fall under CRR3 Annex I but are not recognised or disclosed under IFRS 9, IFRS 7 or IAS 37?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Draft ITS on Supervisory Reporting of Institutions
  • ID: 2025_7592
  • Topic: Supervisory reporting - FINREP (incl. FB&NPE)
  • Date of submission:
  • Published as Rejected Q&A: 27/10/2025

Investment of funds received in exchange of e-money tokens

Do banks (credit institution) need to maintain segregated account to safeguard the proceeds from e-money token issuance?

  • Legal act: Regulation (EU) No 2023/1114 (MiCAR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2025_7591
  • Topic: Other MiCAR topics
  • Date of submission:
  • Published as Rejected Q&A: 11/11/2025

Annual reporting for GSIIDISPILLAR3 to the Competent Authorities under DPM 4.2

Should the Reporting Framework 4.2 related taxonomy be considered for the 2025 end-of-year reporting for GSIIDISPILLAR3 ? Pursuant to the last corrections included in DPM 4.2 for the GSIIDISPILLAR3 templates, respectively the removal of the GSIB column in the Annotated Table Layout for GSIIDISPILLAR3 4.2 (all the greyed-out cells under the column 0009 indicating non-applicability and for which the datapoints were doubled in DPM 4.1), we kindly request the confirmation that the DPM 4.2 can be used for the 2025 end-of-year reporting.

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 1030/2014 - ITS on disclosure of values used to identify global systemically important institutions (as amended)
  • ID: 2025_7590
  • Topic: Transparency and Pillar 3
  • Date of submission:
  • Published as Rejected Q&A: 12/01/2026

Form ‘F 32.01’ on asset encumbrance: Market value including or excluding accrued interest?

Ist im Bogen „F 32.01“ zur Asset Encumbrance der Marktwert inklusive oder exklusive Stückzinsen auszuweisen? In form ‘F 32.01’ on asset encumbrance, should the market value be reported including or excluding accrued interest?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/3117 - ITS on supervisory reporting of institutions
  • ID: 2025_7589
  • Topic: Supervisory reporting - Asset Encumbrance
  • Date of submission:
  • Published as Rejected Q&A: 13/05/2026

Access to national credit databases for all EU creditors for both cross-border and domestic mortgage loan transactions

Considering that Article 19 of Directive (EU) 2023/2225, repealing Directive 2008/48/EC (the ‘Consumer Credit Directive 2’), grants creditors from a Member State other than the one where a credit database is located access to that database only in relation to cross-border credit transactions, does the reference to the framework of Directive 2008/48/EC in Recital 20 of Directive 2014/17/EU (the ‘Mortgage Credit Directive’) imply that Article 21 MCD likewise provides creditors with access to databases solely for cross-border credit transactions?

  • Legal act: Directive 2014/17/EU (MCD)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2025_7588
  • Topic: Creditworthiness assessments
  • Date of submission: