Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID, legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

Exemption of secure corporate payment processes and protocols

Is the exemption of applying strong customer authentication, in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers applicable to both payment initiation and account information services? Or, is it solely applicable to payment initiation service?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Certification in relation to a Technical Service Provider (TSP)

When performing the role of a Technical Service Provider (TSP) is the TSP required to update the certificate received from the Third Party Payment Service Providers (TPP) (to demonstrate our involvement) to enable the Account Servicing Payment Service Provider (ASPSP) to authorise the certificate and provide the appropriate requested data back through to the TPP and establish the session? Is this same certificate required for every type of transaction request and must it be real time checked by the ASPSP and how does this impact our role as a TSP? Also, by introducing a TSP between a TPP and an ASPSP is the concept of private keys and the transport layer broken, due to the introduction of a TSP between the TPP and the ASPSP? Finally, are there limits to the number of roles involved in the chain in terms of the certification or do we just need to be able to demonstrate the link back to the point of origin for the certificate (the TPP)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Categories of Registration

Is it a requirement that all EU countries include the categories the institution is approved for within their respective registers i.e. in their publicly available data? Also are these categories available in a consistent and standard format across the EU such that anyone inquiring about a firm in more than one country has an easily recognisable and usable response?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2017/09 - Guidelines on authorisation and registration under PSD2

Showing a password after it has been masked

Article 22, 2(a) states that "personalised security credentials are masked when displayed and are not readable in their full extent when input by the payment service user during the authentication". Is it ok to offer the user a "show password"-button, so the user can verify that the correct password has been entered, before fulfilling an authentication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Application of the exemption related to a trusted beneficiary

Has the exemption related to a trusted beneficiary to be applied on an account basis or rather to a list of accounts included in an online banking agreement? Whose list has to be considered in case of a power of attorney where the initiator is not the account owner? What happens in case of a shared account where each one holds his own trusted beneficiary lists?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Does SCA apply to electronically processed SEPA Direct Debits?

When processing SEPA Direct Debits electronically (assuming that the Direct Debit mandate has been signed digitally), does SCA apply to transactions? If not, what is the legal basis for this exemption?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Chip and Signature cards and their inclusion in the remit of RTS Article 11

Is cardholder signature a strong method of authentication when transacting with card present? If so, is there a requirement to ensure that on Chip and Signature cards we step up to signature from contactless after 5 contactless / cumulative value of 150 euros? If a signature is not considered to be strong customer authentication (SCA), are chip and signature cards exempt from SCA requirements under Article 11 of the RTS on strong customer authentication and secure communication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

90 Day Access via Direct Access

Should any solution which involves direct access, whether as a strategic solution to PSD2, or in relation to the obligation to provide a fallback interface, ensure that Account Information Service Providers (AISPs) can access the interface in the same manner as the dedicated interface, specifically on an ongoing basis and for a maximum of 90 days once the customer has provided consent and authenticated using strong customer authentication (SCA)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Trusted Beneficiaries

Article 13 of the RTS on strong customer authentication (SCA) and secure communication does not seem to restrict the use of trusted beneficiaries beside the fact that the payee must be in the list of trusted beneficiaries when initiating the payment transaction. Is it correct to conclude from this that the usage of trusted beneficiaries is not further restricted and can, therefore, also be implemented as a generic beneficiary approval step prior to every initiation of a payment transaction?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Strong Authentication

Is one time passcode (OTP) Mail considered as a "Strong Customer Authentication" under Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Consent for the provision of PIS and AIS

Could the consent to Account Information Service Providers (AISP)/ Payment Initiation Service Provider (PISP) to provide services to a Payment Service User (PSU) also be revoked by the bank directly for PSU’s ease of use and could ASPSPs offer the PSU to generally “opt out” of being able to use the services of bank-independent Third Party Providers (TPPs)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Calculation of own funds required for payment institution in the Article 9 of Directive EU 2015/36 (PSD2) when "input funds" are credit transfers and "output funds" are direct debit

How to compute the “total amount of payment transactions executed” referred to in the calculation of “payment volume” for method B in the Article 9 of Directive EU 2015/36 (PSD2) when "input funds" on the payment account are credit transfers and "output funds" are direct debit?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Calculation of own funds required for payment institution in Article 9 of Directive EU 2015/36 (PSD2) when the payment institution offers acquiring services

How to compute the “total amount of payment transactions executed” referred to in the calculation of “payment volume” for method B in the Article 9 of Directive EU 2015/36 (PSD2) when the payment institution offers acquiring services?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Payment accounts and reference accounts

Are payment accounts, which are coupled with a reference account, in scope of PSD2 especially Regulation (EU) 2018/389 – RTS on strong customer authentication (SCA) and secure communication (CSC)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Applicability of exemption under RTS Article 16 for payee’s PSPs (acquirers)

Can an exemption under Article 16 of the RTS on strong customer authentication and secure communication be applied by the payee’s payment service provider (PSP) (the acquirer) for card-based payments?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Applicability of exemption under RTS Article 11 for payee’s PSPs (acquirers)

Can an exemption under Article 11 of the RTS on strong customer authentication and secure communication be applied by the payee's payment service provider (PSP) (the acquirer) for card-based payments?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Applicability of exemption from strong customer authentication (SCA) under Article 17 for card payments

Is Article 17 of Regulation (EU) 2018/389 applicable for the payer’s Payment service provider (PSP) for card-based payments?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Signature performed on the screen of a digital device as a factor in a two-factor SCA

Could a signature performed on the screen of a digital device be considered a valid factor in a two-factor strong customer authentication (SCA) under the RTS – and what type of element is it?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Signature on a paper slip from a payment terminal, as a factor in a two-factor SCA

Could a signature on a paper slip from a payment terminal be considered a valid factor in a two-factor strong customer authentication (SCA) under the RTS – and what type of element is it?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Ability of static card data to be considered a possession factor?

Can static card data (Card number PAN + cardholder name + Exp. Date + static CVV2/CVC2) be considered as a possession factor, and if so: is it strong enough to be a valid factor in a 2-factor Strong customer authentication (SCA)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication