EBA E-mail alert October 3, 2025

Are points 5.4, 5.7, 5.10 and 7.4 of EBA/GL/2017/08 guideline applicable only while applying for authorisation or in ongoing supervision as well? Is 50 000 per indicator minimal amount after authorisation procedure/first year as well?

Consider an ASPSP that offers a dedicated interface using a redirection approach. To fulfill the requirement that PSUs using a PIS should not have to enter their own account details, the ASPSP allows TPPs that have an AIS license to retrieve the list of all the PSU’s payment accounts via the interface so that the account can be selected in the TPP’s domain. 

Does the ASPSP create an obstacle in the sense of Article 32(3) of Commission Delegated Regulation (EU) 2018/389 if 

• it forces a PSU who is initiating a payment through a PISP without entering the own IBAN to perform full SCA twice while
• a PSU who initiates a payment through the ASPSP’s customer interface needs to perform full SCA only once, while the second authentication requires entering only one element of SCA?

We are in the process of developing a backup solution for our SoftPOS terminal application, intended for use during exceptional circumstances such as cyber-attacks or other disruptions to internet connectivity and acquirer systems.

As SoftPOS terminals operate exclusively with contactless transactions, and contactless transactions does not support Offline PIN, it is technically not possible to perform Strong Customer Authentication (SCA) in offline mode.

We would like to confirm whether, under these conditions, it is acceptable to process offline contactless transactions without applying SCA and follow Directive (EU) 2015/2366 article 0 (15)