Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

List of Q&A's

Minimum monetary amount of professional indemnity insurance in ongoing supervision

Are points 5.4, 5.7, 5.10 and 7.4 of EBA/GL/2017/08 guideline applicable only while applying for authorisation or in ongoing supervision as well? Is 50 000 per indicator minimal amount after authorisation procedure/first year as well?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2017/08 - Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance
  • ID: 2025_7317
  • Topic: Monetary amount of the professional indemnity insurance
  • Date of submission:

Knowledge element of SCA.

Can an API key be considered as a Knowledge element of SCA?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2024_7286
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:

Proxy matrices

Are credit institutions (ASPSPs) allowed to facilitate proxy matrices implemented by their (corporate) clients that allocate proxy to only certain users to invoke the services of third party payment service providers (TPPs)?  

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2024_7265
  • Topic: Other topics
  • Date of submission:

Obstacles Faced by PISPs in Accessing Payment Status Information Under PSD2

Are ASPSPs allowed to require PISPs to provide any additional identifier beyond what is specified in Article 35.4.b of the RTS in order to access information about the execution of a payment order?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2024_7261
  • Topic: Other topics
  • Date of submission:

non-discrimination in implementing PSD2 for safeguarding mechanisms

The PSD2 includes important provisions regarding safeguarding accounts for payment institutions (PIs) and electronic money institutions (EMIs). These accounts shall be additionally protected by the credit institutions providing them so they should be free from seizure and the funds kept at them shall not be considered the property of a PI or an EMI in case of bankruptcy of the safeguarding account holder. These provisions have been transposed into the law of the Republic of Poland effective in December 2018. However, according to the transposition, these safeguarding accounts provide these protections (freedom from seizure and not being considered the property of the bankrupt holder) only to the Polish PIs and Polish EMIs (so called “home” PIs and EMIs).  The law has been so formulated that the safeguarding accounts opened in Poland for the non-Polish (yet EEA-based), properly notified to Poland PIs or EMIs do not enjoy these protections.  Is this the proper transposition of the PSD2 provisions of safeguarding accounts or is this the example of the incorrect transposition resulting in the market discrimination of the PIs and EMIs which are not based in Poland?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2024_7199
  • Topic: Security measures for operational and security risks
  • Date of submission:
  • Published as Rejected Q&A: 29/04/2025

Payment service user - both payer and payee

Can a payment service user be both payer and payee on a money remittance service?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2024_7184
  • Topic: Other topics
  • Date of submission:

Compliance of non-bank PSPs with the safeguarding requirements in PSD2

Where PIs and EMIs (referred to as non-bank PSPs) have direct access to central bank operated payment systems for settling payment transactions, would keeping a balance on a settlement account with the central bank/payment system, without the central bank maintaining a safeguarding account for the non-bank PSP, be compliant with the safeguarding requirements under Article 10 of PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2024_7165
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 08/05/2025

Transactions executed via electronic mail (email)

Do transactions ordered by email and executed by an employee of the payment service provider, e.g., credit transfers orders sent from the e-mail address of the payer to the e-mail address of the payment service provider and executed accordingly qualify as transactions executed through a remote channel, at-distance channel or a payment instrument which may imply a risk of payment fraud or other abuses, pursuant to Article 69, Article 70, Article 72 and Article 97(1)(c) PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2024_7150
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:

Exclusion of cash withdrawal services from PSD2

Is it a prerequisite for an ATM operator,to qualify for the exemption of article 3(o), to co-operate with a Payment Service Provider (authorised within the EEA or with a relative passport where necessasry) offering payment service number 2 of the Annex 1 of the PSD2?  

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2024_7136
  • Topic: Other topics
  • Date of submission:

Definition of "Communication Standards" under Article 30.3

a) Is ISO 20022 considered the communication standard referenced in Article 30(3) of the Regulatory Technical Standards (RTS), Commission Delegated Regulation (EU) 2018/389? b) How should NCAs ensure that ASPSPs comply with these standards, in accordance with Article 30.6 of the RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2024_7118
  • Topic: Other topics
  • Date of submission:
  • Published as Rejected Q&A: 30/07/2024

Providing payment service via Internet banking (web-application)

Is providing payment service via Internet banking (web-application) payment initiation channel considered to be issuing of payment instruments? 

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2017/09 - Guidelines on authorisation and registration under PSD2
  • ID: 2024_7115
  • Topic: Authorisation and registration
  • Date of submission:

Revocation of ASPSP's Exemption from the Contingency Mechanism due to Prolonged Service Disruption

In a scenario where an incident lasting more than two consecutive weeks preventing Payment Service Users (PSUs) from initiating their payments through a dedicated interface, considering that the Account Servicing Payment Service Provider (ASPSP) has an exemption from the contingency mechanism under Regulation (EU) 2018/389, and the National Competent Authority (NCA) has been notified about the incident: Should the National Competent Authority (NCA) revoke the ASPSP's exemption from the contingency mechanism?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/07 - Guidelines on the exemption from the contingency mechanism under Regulation (EU) 2018/389
  • ID: 2024_7103
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 27/09/2024

Clarification needed in dedicated Interfaces supervision

We seek clarification and insights into how competent authorities shall fulfill their responsibilities in line with Recital 23 and Article 32.2 of the Commission Delegated Regulation (EU) 2018/389, specifically regarding the supervision of payment initiation service's dedicated interfaces to ensure effective oversight and monitoring.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2024_7093
  • Topic: Other topics
  • Date of submission:
  • Published as Rejected Q&A: 30/07/2024

Provision of external payroll accounting services to an employer

Does the activity of external payroll processing for an employer constitute a payment service under PSD2, if it consists of receiving funds for wages and related deductions (taxes, health and social insurance) in the payroll processor’s payment account from the employer, and transferring these to employees, tax authorities, insurance companies etc.? Would the answer change depending on whether the payroll processor  maintains an account separately for each employer?   

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2024_7065
  • Topic: Authorisation and registration
  • Date of submission:

Credit

Does this credit qualify as consumer credit, exclusively available to individual consumers? Or can it also be extended to legal entities?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2024_7056
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 11/07/2025

Legal requirement for ASPSPs to provide for cancellation of future dated pay-ments through its dedicated payment initiation services interface

Is there a legal requirement for ASPSPs to allow its PSU to cancel/revoke future dated payments via a payment initiation service provider, using the ASPSPs dedicated payment initiation services interface?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2024_7017
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:

Third party access to account attributes

In Norway there is a widely used scheme by which payees send out invoices containing structured payment information which is being used by the payee to match incoming payments with invoices. The information is in the form of a number defined by the payee. The number consists of up to 25 digits, including a control digit. The information flows all the way through the payment chain and back to the payee. The credit account number must be set up with attributes associated with it, according to scheme rules, which are defined jointly by the banks. The payee has to enter into an agreement with its bank in order to make use of the scheme. There is a nationwide registry covering all banks, containing information about agreements, accounts and attributes associated with each account. The banks have direct access to the registry. As and when the PSU (Payment Service User) keys in the invoice information, the bank checks in real time that what is being keyed in is correct according to information held in the registry. There is check that indeed the credit account is set up for the scheme. A control digit is checked, increasing the likelihood of a correct number being entered. If no number is keyed in, the PSU is told so, if the account is such that a number is required. While keypunching, the PSU is being informed there and then if the information is wrong such that the PSU may correct it. The bank will not accept the payment order unless it is pre-verified to pass the controls. Not so for TPPs (Third Party Provider). They are not granted access to the registry. The TPP does not know if the payment order will pass the controls. Not until payment initiation there is a check. This check is being performed by the bank, not by the third party. The TPP receives information from the bank about the outcome of the check. TPPs must revert back to the PSU and / or the payee, or the banks, and try to resolve any issues. There are costs associated with follow up and correction. PSD2 Article 66 number 4 letter (c) obliges ASPSPs to treat payment orders transmitted through the services of a payment initiation service provider without any discrimination other than for objective reasons, in particular in terms of timing, priority or charges vis-à-vis payment orders transmitted directly by the payer. Not having access to the registry puts the TPPs at a disadvantage, with a bearing on timing, as payments may be delayed and may become overdue. The banks' own payment services have direct access to the key payment information held in the registry, whereas third party payment services do not. The FSA of Norway seeks advice on whether this constitutes a discrimination according to PSD2 Article 66. Not having access to the registry puts the TPPs at a disadvantage. It leads to extra work for TPPs and others involved in the payment. Additional costs are being incurred. The FSA of Norway seeks advice on whether not giving TPPs access to the registry creates obstacles for TPPs as per Commission delegated regulation (EU) 2018/389 Article 32 number 3. Lastly, the FSA of Norway seeks advice on whether there are other relevant provisions in the regulation, and whether the principle of "level playing field" may apply in this case.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2024_7003
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as Rejected Q&A: 30/07/2024

Criteria for selecting the operations to be included in the calculation of fraud rates for the transaction risk analysis (TRA) exemption

Which of the following would be the correct temporal criterion for selecting the unauthorized transactions to be included in the numerator of the fraud rates calculated for the transactions risk analysis (TRA) exemption? a) the transaction date, i.e., the date on which the transaction was executed regardless of the date on which it is classified as unauthorized or fraudulent b) the registration date, i.e., the date on which the transaction is registered as unauthorized or fraudulent regardless of the date on which it was carried out 

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2024_6989
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 27/09/2024

Card data (PAN) to be returned in AISP calls

Does the ASPSP have to return the card number (PAN) attached to a fetched payment account in case the user can access this data during a standard session with its ASPSP in the direct internet banking interface? In case of "YES", does the TPP that is fetching this data have to be PCI DSS certified, since this data has to be encrypted based on the PCI DSS requirements? Moreover, could be the "card number (PAN)" considered sensible, since it could be potentially used for fraud?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2023_6946
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 11/10/2024

Requirement for loan agents to register as payment service providers under EU's Second Payment Services Directive 2015/2366 ("PSD2").

I would like some clarification on Directive 2015/2366/EU (PSD2) Article 4 paragraphh 22 - Money remittance. If a firm performs administrative services (including but not limited to the calculation of interest/fees and principal owing between lenders and a borrower) and as part of this service is required to regularly transfer money between lenders and a borrower (no fee involved), does this qualify as money remittance? No fees are charged for the transfer of money.  

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2023_6951
  • Topic: Authorisation and registration
  • Date of submission:
  • Published as Rejected Q&A: 13/02/2024