Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

List of Q&A's

Clarification on the use of PSU-linked tokens in payment initiation services under the RTS

In the context of payment initiation services, we would appreciate clarification from the EBA as to whether an ASPSP may require a PISP to use a specific token replacing the PSU’s online banking credentials, and whether such token must be reused by the PISP across the different stages of the payment order, in particular at the payment initiation stage and for subsequent query following the execution of the payment order. Furthermore, we would welcome clarification on the conditions under which this practice would be compatible with the provisions of Commission Delegated Regulation (EU) 2018/389.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2025_7678
  • Topic: Other topics
  • Date of submission:
  • Published as Rejected Q&A: 19/05/2026

Introduction of additional mandatory steps or redirections in PISP payment initiation flows

In accordance with Article 32(3) of the RTS on SCA and CSC, may an ASPSP impose mandatory additional steps or redirections (pre-step) in a redirection-based payment initiation flow through a PISP, where such steps or redirections do not form part of the payment initiation process experienced by the PSU when using the ASPSP’s own mobile or online channels?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2025_7677
  • Topic: Other topics
  • Date of submission:
  • Published as Rejected Q&A: 11/05/2026

Requirement for ASPSPs to comply with standardized communication protocols under Article 30(3) of Commission Delegated Regulation (EU) 2018/389

Under Article 30(3) of Commission Delegated Regulation (EU) 2018/389, ASPSPs are required to follow communication standards issued by international or European standardisation organisations.In this context, we seek clarification on whether, when an ASPSP has chosen to adopt a recognized communication standard issued by a European or international standardisation body (such as ISO 20022) for its PSD2 interfaces, the standard is expected to be applied consistently and in accordance with its specifications across all such interfaces, regardless of internal documentation or subsequent clarifications issued by the ASPSP, which may reflect internal implementation approaches rather than the standard itself.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2025_7674
  • Topic: Other topics
  • Date of submission:
  • Published as Rejected Q&A: 11/05/2026

Supervisory obligations of NCAs under Article 32(2) of Commission Delegated Regulation (EU) 2018/389

Article 32(2) of Commission Delegated Regulation (EU) 2018/389 states that competent authorities shall monitor the interfaces, the indicators and subject them to stress testing. We are seeking clarification on the interpretation of this provision. In particular, we would appreciate guidance on the EBA’s expectations regarding the scope and nature of NCAs’ monitoring of these interfaces, including the assessment of their operational performance and reliability, as well as the conduct of stress tests, to ensure that the requirements of Article 32(1),that dedicated interfaces shall maintain the same level of availability and performance as the ASPSP’s own online channels, are effectively met.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2025_7673
  • Topic: Other topics
  • Date of submission:
  • Published as Rejected Q&A: 11/05/2026

Obstacle assessment of an ASPSP offering only web redirection to TPPs while a superior native app authentication method exists for its direct users

Does an Account Servicing Payment Service Provider's (ASPSP) decision to offer only a web-based redirection for Third Party Provider (TPP) initiated journeys constitute an obstacle under Article 32(3) of the RTS, if that ASPSP also makes available a more convenient, direct authentication procedure in its native mobile application for its Payment Service Users (PSUs) when they access their accounts directly?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2025_7608
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as Rejected Q&A: 11/05/2026

Obstacle assessment of requiring an additional SCA for PIS within an existing authenticated AIS session

If a Payment Service User (PSU) initiates a payment (PIS) immediately after establishing a session for an Account Information Service (AIS) (for which SCA has already been performed), does the ASPSP's requirement for an additional, separate SCA—such as the need to fully log in to the mobile banking app before the payment confirmation screen is displayed—solely to access the payment function (and preceding the dynamic linking SCA) constitute an obstacle under Article 32(3) of the RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2025_7605
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as Rejected Q&A: 11/05/2026

Obstacle assessment of requiring multiple manual checkboxes for a single AIS consent

Does the practice of an ASPSP requiring a PSU to manually tick multiple, separate checkboxes for different categories of account data in order to grant a single consent for an Account Information Service (AIS) constitute an obstacle under Article 32(3) of the RTS, by adding unnecessary steps and friction to the user journey?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2025_7604
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as Rejected Q&A: 11/05/2026

Execution of an authorized payment instruction made conditional on manual user redirection

If an Account Servicing Payment Service Provider (ASPSP) makes the execution of a payment instruction, already successfully authorized via Strong Customer Authentication (SCA) in its app, conditional on the Payment Service User (PSU) subsequently manually returning from the ASPSP's authentication app back to the Third Party Provider's (TPP) environment, does this condition constitute an obstacle under Article 32(3) of the RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2025_7603
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as Rejected Q&A: 11/05/2026

SCA exception for Contactless only terminals (SoftPOS) in case of emergency

We are in the process of developing a backup solution for our SoftPOS terminal application, intended for use during exceptional circumstances such as cyber-attacks or other disruptions to internet connectivity and acquirer systems. As SoftPOS terminals operate exclusively with contactless transactions, and contactless transactions does not support Offline PIN, it is technically not possible to perform Strong Customer Authentication (SCA) in offline mode. We would like to confirm whether, under these conditions, it is acceptable to process offline contactless transactions without applying SCA and follow Directive (EU) 2015/2366 article 0 (15)

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2025_7482
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 03/10/2025

Payment account definition

Does an account provided by a payment service provider, linked to a payment instrument that can be used to make payment transactions to [certain] third parties (e.g. merchants) from that account, as well as to withdraw cash from that account (e.g. from an ATM) and receive incoming payments in the respective account from the same payment users to which the funds were transferred (i.e, refunds from merchants) fall under the definition of a payment account in accordance with PSD2, even if the respective account cannot receive funds from third parties via credit transfers?  

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2025_7463
  • Topic: Other topics
  • Date of submission:

Setting limit (daily and/or per transaction) for the execution of payment transaction by PSP

Is PSP allowed, according to the Article 68(1) of PSD2, to set a general limit (daily and/or per transaction) for the execution of payment transaction to the payee with the PSP in another EU Member state, under the certain payment initiation channel (for example mobile banking), in order to mitigate the risk of fraud (to prevent fraud)? Is PSP allowed to set different general limits for national payments and for payments to PSPs in another EU Member state (due to various fraud risk associated to these transactions)? Is PSP obliged to change a limit above the limit that the PSP set - on PSU's request for regular credit transfer?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2025_7425
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 12/12/2025

Application of general requirements of Chapter 6 of the Regulation (EU) No 575/2013 regarding the definition of own funds

Does the definition of „own funds“ in Article 4(46) of PSD2 refer to the definition of „own funds“ as defined in point 118 of Article 4(1) of Regulation (EU) No 575/2013 only, or are Articles 26 - 88 of Regulation (EU) No 575/2013, in particular Articles 26 (3), 77 and 78 of Regulation (EU) No 575/2013, also refered to by Article 4(46) PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2025_7396
  • Topic: Other topics
  • Date of submission:
  • Published as Rejected Q&A: 12/12/2025

the use of strong and widely recognized encryption techniques

All strong and widely recognized encryption techniques (e.g. RSA and ECC) currently available on the market must be provided by the account servicing payment service providers or only that encryption technique which is indicated in the documentation of the technical specification of the API in accordance with Article 30(3) of the RTS on SCA & CSC shall be provided?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2025_7376
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 03/10/2025

Authentication process of the PSU with the ASPSP in a combined AIS and PIS journey in a redirection approach

Consider an ASPSP that offers a dedicated interface using a redirection approach. To fulfill the requirement that PSUs using a PIS should not have to enter their own account details, the ASPSP allows TPPs that have an AIS license to retrieve the list of all the PSU’s payment accounts via the interface so that the account can be selected in the TPP’s domain.  Does the ASPSP create an obstacle in the sense of Article 32(3) of Commission Delegated Regulation (EU) 2018/389 if  it forces a PSU who is initiating a payment through a PISP without entering the own IBAN to perform full SCA twice while a PSU who initiates a payment through the ASPSP’s customer interface needs to perform full SCA only once, while the second authentication requires entering only one element of SCA?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2025_7358
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 03/10/2025

Minimum monetary amount of professional indemnity insurance in ongoing supervision

Are points 5.4, 5.7, 5.10 and 7.4 of EBA/GL/2017/08 guideline applicable only while applying for authorisation or in ongoing supervision as well? Is 50 000 per indicator minimal amount after authorisation procedure/first year as well?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2017/08 - Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance
  • ID: 2025_7317
  • Topic: Monetary amount of the professional indemnity insurance
  • Date of submission:
  • Published as final Q&A: 03/10/2025

Knowledge element of SCA.

Can an API key be considered as a Knowledge element of SCA?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2024_7286
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 29/08/2025

Proxy matrices

Are credit institutions (ASPSPs) allowed to facilitate proxy matrices implemented by their (corporate) clients that allocate proxy to only certain users to invoke the services of third party payment service providers (TPPs)?  

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2024_7265
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 29/08/2025

Obstacles Faced by PISPs in Accessing Payment Status Information Under PSD2

Are ASPSPs allowed to require PISPs to provide any additional identifier beyond what is specified in Article 35.4.b of the RTS in order to access information about the execution of a payment order?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2024_7261
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 29/08/2025

Application of Instant Payment Regulation (IPR) to Securities Providers

Do you agree on the non-applicability of the obligation to provide instant credit transfers (within a time horizon of 10 seconds), introduced by IPR, to depositaries, custodians, and entities responsible for payments or local facility for foreign CIUs distributed in a Member State, based on the exclusion provided by article 3, paragraph 1, letter i), of directive 2015/2366 (PSD2)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2024_7249
  • Topic: Authorisation and registration
  • Date of submission:

non-discrimination in implementing PSD2 for safeguarding mechanisms

The PSD2 includes important provisions regarding safeguarding accounts for payment institutions (PIs) and electronic money institutions (EMIs). These accounts shall be additionally protected by the credit institutions providing them so they should be free from seizure and the funds kept at them shall not be considered the property of a PI or an EMI in case of bankruptcy of the safeguarding account holder. These provisions have been transposed into the law of the Republic of Poland effective in December 2018. However, according to the transposition, these safeguarding accounts provide these protections (freedom from seizure and not being considered the property of the bankrupt holder) only to the Polish PIs and Polish EMIs (so called “home” PIs and EMIs).  The law has been so formulated that the safeguarding accounts opened in Poland for the non-Polish (yet EEA-based), properly notified to Poland PIs or EMIs do not enjoy these protections.  Is this the proper transposition of the PSD2 provisions of safeguarding accounts or is this the example of the incorrect transposition resulting in the market discrimination of the PIs and EMIs which are not based in Poland?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2024_7199
  • Topic: Security measures for operational and security risks
  • Date of submission:
  • Published as Rejected Q&A: 29/04/2025