- Question ID: 2018_4155
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Strong customer authentication and common and secure communication (incl. access)
- Article: 97
- Paragraph: 3
- Subparagraph: NA
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: Article 3 / Paragraph 3
- Type of submitter: Accounting firm
- Subject matter: Responsibility of national authority with regards to audit reports
- Question
Should all audit reports required under Article 3 of the RTS on strong customer authentication and secure communication be monitored by the competent national authorities?
And, what are the consequences if the audit report addressing the audit (referred to in Article 3, paragraph 1 of the RTS) shows significant findings?
- Background on the question
In Article 3 paragraph 3 it is mentioned that "The entire report shall be made available to competent authorities upon their request". This does not directly state that each report will be monitored by the competent authorities. It is not clear what the rationale behind this is (why would some reports not be requested and monitored by the competent authorities?).
- Submission date
- Final publishing date
-
- Final answer
As stated in Article 3 of the Commission Delegated Regulation (EU) 2018/389, the audit “report shall be made available to competent authorities upon their request”. Competent authorities will therefore establish whether or not they wish to request such a report. In addition, whether or not the competent authority is involved, and similar to any type of audit report, every payment service provider is expected to act on significant findings and weaknesses identified to ensure those are adequately addressed. The payment service provider may also wish to proactively inform the competent authority.
- Status: Final Q&A
- Answer prepared by: Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.