Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

SCA exception for Contactless only terminals (SoftPOS) in case of emergency

We are in the process of developing a backup solution for our SoftPOS terminal application, intended for use during exceptional circumstances such as cyber-attacks or other disruptions to internet connectivity and acquirer systems. As SoftPOS terminals operate exclusively with contactless transactions, and contactless transactions do not support Offline PIN, it is technically not possible to perform Strong Customer Authentication (SCA) in offline mode. We would like to confirm whether, under these conditions, it is acceptable to process offline contactless transactions without applying SCA and follow Directive (EU) 2015/2366 article 0 (15)

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Payment account definition

Does an account provided by a payment service provider, linked to a payment instrument that can be used to make payment transactions to [certain] third parties (e.g. merchants) from that account, as well as to withdraw cash from that account (e.g. from an ATM) and receive incoming payments in the respective account from the same payment users to which the funds were transferred (i.e., refunds from merchants) fall under the definition of a payment account in accordance with PSD2, even if the respective account cannot receive funds from third parties via credit transfers?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Calculation of the standardised total risk exposure amount or S-TREA under Article 92(25)

Does the calculation of standardised total risk exposure amount, or S-TREA, require Firms to recalculate RWAs for standardised approaches where modelled inputs have been used? Specifically, do CVA RWAs calculated using IMM modelled EADs need to be re-calculated using EADs that have not been derived using a modelled approach?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Setting limit (daily and/or per transaction) for the execution of payment transaction by PSP

Is a PSP allowed, according to Article 68(1) of PSD2, to set a general limit (daily and/or per transaction) for the execution of payment transactions to a payee with a PSP in another EU Member State, under a certain payment initiation channel (for example mobile banking), in order to mitigate the risk of fraud (to prevent fraud)? Is a PSP allowed to set different general limits for national payments and for payments to PSPs in another EU Member State (due to the various fraud risks associated with these transactions)? Is a PSP obliged to change a limit above the limit that the PSP set - on the PSU's request for a regular credit transfer?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Application of general requirements of Chapter 6 of the Regulation (EU) No 575/2013 regarding the definition of own funds

Does the definition of "own funds" in Article 4(46) of PSD2 refer to the definition of "own funds" as defined in point 118 of Article 4(1) of Regulation (EU) No 575/2013 only, or are Articles 26 - 88 of Regulation (EU) No 575/2013, in particular Articles 26 (3), 77 and 78 of Regulation (EU) No 575/2013, also referred to by Article 4(46) PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

AIRB combined with Financial Collateral Comprehensive Method

Article 223 para 4 subpara (b) indicates that banks using the A-IRB approach can also utilize the Financial Collateral Comprehensive Method (FCCM). Does the EBA agree with this?  

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

the use of strong and widely recognized encryption techniques

Must all strong and widely recognized encryption techniques (e.g. RSA and ECC) currently available on the market be provided by the account servicing payment service providers, or shall only the encryption technique indicated in the documentation of the technical specification of the API in accordance with Article 30(3) of the RTS on SCA & CSC be provided?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Whether to Include in the Scope of C 10.00 Portion of IRB Exposures that are guaranteed by Guarantors that are to be treated under SA

Could EBA provide guidance on whether to present in template C 10.00 the portion of an IRB treated exposure that has been secured by an eligible guarantee which becomes an SA treated exposure as a result of a CRM/substitution effects?  

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/3117 - ITS on supervisory reporting of institutions

Exposures to institutions waived from individual capital requirements according to article 7 CRR, under Credit Risk Standardised Approach

How should exposures to institutions be treated under the Credit Risk Standardised Approach, if such institutions have been waived of individual capital requirements? Shall these exposures be assigned to grade C, or can the level of compliance with capital requirements be assessed by taking consolidated requirements as reference?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Authentication process of the PSU with the ASPSP in a combined AIS and PIS journey in a redirection approach

Consider an ASPSP that offers a dedicated interface using a redirection approach. To fulfill the requirement that PSUs using a PIS should not have to enter their own account details, the ASPSP allows TPPs that have an AIS license to retrieve the list of all the PSU’s payment accounts via the interface so that the account can be selected in the TPP’s domain. Does the ASPSP create an obstacle in the sense of Article 32(3) of Commission Delegated Regulation (EU) 2018/389 if it forces a PSU who is initiating a payment through a PISP without entering the own IBAN to perform full SCA twice while a PSU who initiates a payment through the ASPSP’s customer interface needs to perform full SCA only once, while the second authentication requires entering only one element of SCA?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Calculation of the SME supporting factor for off-balance-sheet exposures

Is the SME supporting factor applicable, and if so, how shall it be computed, in case there is no on-balance-sheet exposure to be included in E*, as defined in Article 501(1) of CRR?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Minimum monetary amount of professional indemnity insurance in ongoing supervision

Are points 5.4, 5.7, 5.10 and 7.4 of the EBA/GL/2017/08 guideline applicable only while applying for authorisation or in ongoing supervision as well? Is 50 000 per indicator the minimal amount after the authorisation procedure/first year as well?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2017/08 - Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance

ANNUAL REPORT ON NEW ARRANGEMENTS ON THE USE OF ICT SERVICES

Does Article 28(3) DORA require a separate and specific communication in addition to the Register of Information, or is the communication of such data already fulfilled through the annual submission of the same Register, constituting a single compliance obligation? In the event that a separate communication is required in addition to the annual submission of the Register of Information, what is the meaning of the term 'categories of third-party ICT service providers'?

  • Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2024/2956 - ITS on the register of information

Requirements for the purpose of treating exposures secured by mortgages on immovable property as duly secured from an RWA computation perspective under CRR Article 124(2) of the CRR.

Can a global insurance against damages on a portfolio of exposures secured by immovable properties subscribed directly by the lending institution be considered as compliant with the requirement of Article 208(5) of the CRR - that is to say considered, under the standardized approach, as meeting the operational requirements for the purpose of treating exposures secured by mortgages on immovable property (or in case an institution has opted for the application of article 108(5)(a) allowing to consider a guaranteed exposure as an exposure secured by a mortgage on immovable property) as duly secured from an RWA computation perspective under Article 124(2) of the CRR?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Knowledge element of SCA.

Can an API key be considered as a Knowledge element of SCA?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Proxy matrices

Are credit institutions (ASPSPs) allowed to facilitate proxy matrices implemented by their (corporate) clients that allocate proxy to only certain users to invoke the services of third party payment service providers (TPPs)?  

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Obstacles Faced by PISPs in Accessing Payment Status Information Under PSD2

Are ASPSPs allowed to require PISPs to provide any additional identifier beyond what is specified in Article 35.4.b of the RTS in order to access information about the execution of a payment order?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

emission allowances

Sentence 2 of paragraph 3 of Annex II CRR refers to point (11) of Section C of Annex I MiFID, i.e. to emission allowances. Does that mean that spot market emission allowances are to be treated as derivative contracts listed in Annex II, even though they are not derivative in character?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Use of credit assessments by ECAIs not in scope of Regulation (EC) No 1060/2009.

Can external credit assessments that have been issued by an ECAI, but were not publicly disclosed, be used to determine the risk weight of an exposure under the Standardised Approach?

  • Legal act: Regulation (EU) No 575/2013 (CRR)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable