Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID, legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

Unattended terminals and Transaction Risk Analysis (TRA) exemption and related Payment Service Providers (PSP)’s liabilities rules

Provided that both the payer’s Payment Service Provider (PSP) and the payee’s PSP can apply the strong customer authentication (SCA) exemption, without prejudice to the last say of the payer’s PSP, can a payment made at highway toll booths be treated as the one performed at the unattended terminals for transport fares?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Potential inconsistency on the application of Strong Customer Authentication exemptions to AISPs

Shall Account Servicing Payment Service Providers (ASPSPs) always grant Account Information Service Provider (AISPs) to be exempted from Strong Customer Authentication (SCA) according to rules defined in Article 10 of the RTS on strong customer authentication and secure communication (Delegated Regulation (EU) 2018/389), or is the final decision to apply such exemption always up to the ASPSP?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Revocation / Invalidation of SCA proof before execution date

In order for a payment instruction to be regarded as 'authorised', is the Account Servicing Payment Service Provider (ASPSP) obliged to verify the strong customer authentication (SCA) proof immediately prior to the execution of each future dated payment instruction? If the ASPSP fails to re-verify the SCA proof, can the ASPSP hold the payer liable in the event of fraud?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Fraud rate calculation for TRA exemption – country dimension

Could – or should – the fraud rate for the TRA exemption be calculated per member state where a PSP provides payment services (one legal entity with branches in different countries), or should the fraud rate be aggregated as one for the whole legal entity?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Dynamic Linking for batch payments

With regards to dynamic linking for a batch of remote electronic payments, should the authentication code be linked to each and every IBAN of all the beneficiaries in a batch file?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Passporting and eIDAS certificates

Do account servicing payment service providers (ASPSPs) have to check that third party providers (TPPs) are authorised to operate in their Member State via freedom to deliver services passporting? If so, how shall this be done?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Application of the Low Value Transaction Limits

Should the limits according to Article 16 RTS be applied to the account itself (account holder and authorized persons together) or should they be applied to the account holder (owner) and each authorized person (i.e. proxy of account holder) separately? Subsequently, should the limits be applied to all remote payment transactions together or should e.g. card transactions and credit transfers be counted separately? Also, should the limit be applied to all cards belonging to one person together or should the limit be applied to each card separately?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Dynamic linking for batch transactions

In relation to payment transactions for a batch of remote electronic payments to one or several payees, please clarify whether the payer needs to be made aware of every payee in the batch?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Usage of SMS for dynamic linking

Please clarify whether payment information and an authentication code sent via SMS to a mobile phone complies with the requirements for Dynamic Linking as defined in Article 5 of the RTS, and in particular paragraph 5.2.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Qualified certificate under eIDAS for ASPSP

Is it required for an Account Servicing Payment Service Provider (ASPSP) to use qualified certificates under eIDAS to identify itself to a Third Party Provider (TPP)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Subsequent instances of a recurring card payment transaction, other than the first, initial one, are transactions initiated by the payee only. This is also the case for card instalment transactions.

Are the subsequent instance of card payment recurring transactions (other than the first, initial one) and of instalment transactions (again, subsequent to the initial one) transactions initiated by the payee only?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Secure corporate payment processes and protocols

Are USB drives (containing a certificate) used only by corporate clients compatible with RTS requirements? Can USB drives be considered as payment processes exempted from strong customer authentication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Electronic chip transactions authenticated with a hand signature

As a Payment Service Provider (PSP) acquirer, how should we report the German chip + signature transactions in the “EBA fraud report under PSD2” given the fact this kind of transactions are non-Strong Customer Authentication (SCA) and do not fall under any allowed exemption?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)

Exemption of secure corporate payment processes and protocols

Is the exemption of applying strong customer authentication, in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers applicable to both payment initiation and account information services? Or, is it solely applicable to payment initiation service?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Certification in relation to a Technical Service Provider (TSP)

When performing the role of a Technical Service Provider (TSP) is the TSP required to update the certificate received from the Third Party Payment Service Providers (TPP) (to demonstrate our involvement) to enable the Account Servicing Payment Service Provider (ASPSP) to authorise the certificate and provide the appropriate requested data back through to the TPP and establish the session? Is this same certificate required for every type of transaction request and must it be real time checked by the ASPSP and how does this impact our role as a TSP? Also, by introducing a TSP between a TPP and an ASPSP is the concept of private keys and the transport layer broken, due to the introduction of a TSP between the TPP and the ASPSP? Finally, are there limits to the number of roles involved in the chain in terms of the certification or do we just need to be able to demonstrate the link back to the point of origin for the certificate (the TPP)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Categories of Registration

Is it a requirement that all EU countries include the categories the institution is approved for within their respective registers, i.e. in their publicly available data? Also, are these categories available in a consistent and standard format across the EU such that anyone inquiring about a firm in more than one country has an easily recognisable and usable response?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2017/09 - Guidelines on authorisation and registration under PSD2

Showing a password after it has been masked

Article 22, 2(a) states that "personalised security credentials are masked when displayed and are not readable in their full extent when input by the payment service user during the authentication". Is it OK to offer the user a "show password" button, so the user can verify that the correct password has been entered, before fulfilling an authentication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Application of the exemption related to a trusted beneficiary

Has the exemption related to a trusted beneficiary to be applied on an account basis or rather to a list of accounts included in an online banking agreement? Whose list has to be considered in case of a power of attorney where the initiator is not the account owner? What happens in case of a shared account where each one holds his own trusted beneficiary lists?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Does SCA apply to electronically processed SEPA Direct Debits?

When processing SEPA Direct Debits electronically (assuming that the Direct Debit mandate has been signed digitally), does SCA apply to transactions? If not, what is the legal basis for this exemption?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Chip and Signature cards and their inclusion in the remit of RTS Article 11

Is cardholder signature a strong method of authentication when transacting with card present? If so, is there a requirement to ensure that on Chip and Signature cards we step up to signature from contactless after 5 contactless / cumulative value of 150 euros? If a signature is not considered to be strong customer authentication (SCA), are chip and signature cards exempt from SCA requirements under Article 11 of the RTS on strong customer authentication and secure communication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication