Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Disclose name of institution / entity:
Type of submitter:
Credit institution
Subject Matter:
Application of the Low Value Transaction Limits

Should the limits according the Article 16 RTS be applied to the account itself (account holder and authorized persons together) or should they be applied to the account holder (owner) and each authorized person (i.e. proxy of account holder) separately? 

Subsequently should the limits be applied to all remote payment transactions together or should e.g. card transactions and credit transfers be counted separately. Also should the limit be applied to all cards belonging to one person together or should the limit be applied to each card separately?

Background on the question:

Most of our clients have "family accounts" which are used by more than one person - the owner (or owners) and authorized persons (proxies) which can use account within certain boundaries set by the account owner. These authorized persons can even have multiple payment cards assigned to their name.

We are unsure if the limits according the RTS should be applied to every single one owner/authorized person or if the limits should be combined for all of them together because the authorized person is still a person which is only allowed by the account owner to use his account in his name (i.e. in the name of the account owner).

Subsequently should the limits of multiple payment cards of one person under one account be counted together or not? Because all transactions done by these cards are basically remote electronic payment transactions and according the wording of the article they should be counted together. Same applies to the "other types" of remote electronic payment transaction - should they be counted together with card payments and have a single one counter?

Date of submission:
Published as Final Q&A:
Final Answer:

Article 16 of the Commission Delegated Regulation (EU) 2018/389 specifies that payment service providers shall be allowed not to apply strong customer authentication, where the payer initiates a remote electronic payment transaction provided that the conditions under items a-c of the same Article are met. Under Article 4(8) of PSD2, ‘payer’ is defined as ‘a natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order’. Therefore, the limits specified under Article 16 of the Delegated Regulation shall be applied to the account holder. In the case where there is an authorised person acting on behalf of the account holder, the limits shall not be calculated separately.

The limits specified under Article 16 of the Delegated Regulation, where the payer initiates a remote electronic payment transaction, shall be calculated at the level of each payment instrument separately.

Final Q&A
Answer prepared by:
Answer prepared by the EBA.