Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

List of Q&A's

Clarification on whether a particular business model type constitutes the provision of an account information service as defined by Article 4 (16) of PSD2

Does a business model where the provider offers a service sending the account information to third parties (different from the payment service user)  (detail provided in the background) constitute the provision of an account information service, particularly as it is not proposed that the account information obtained will be given directly to the Payment Service User?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4098
  • Topic: Authorisation and registration
  • Date of submission:
  • Published as final Q&A: 13/09/2019

API functionality

Does Article 64(2) of PSD2 limit the ability of Payment Initiation Service Providers (PISPs) to initiate a single payment transaction for immediate execution only?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4096
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 21/01/2022

Irrevocability of a payment order initiated by a PISP

The EBA Opinion on the implementation of the RTS on SCA and CSC (EBA-Op-2018-04) contains a Table entitled “Main requirements for dedicated interfaces and API initiatives” and Row 9 refers to the possibility of “cancelling an initiated transaction in accordance with PSD2, including recurring transactions”. Please clarify that these requirements will not apply to single payment transactions initiated by Payment Initiation Service Providers (PISPs) for immediate execution?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4095
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 21/01/2022

Does transaction monitoring need to be real time?

Article 2(1) of the RTS stipulates that "payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorised or fraudulent payment transactions…" and Article 2(2) explains the minimum requirements.However, Article 2 does not specify timing aspects of the transaction monitoring.Is it correct to conclude that the transaction monitoring described in Article 2 does not need to be real time?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4090
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 05/10/2018

Obligatory nature of the SCA and exemption based on transaction risk analysis

Does the exemption to the strong customer authentication (SCA) apply to any connection the payment service user (PSU) makes to his/her payment account(s), or only to the connections made through the use of third party processors (TPPs, such as AISPs or PISPs) via the interfaces (dedicated or not) set up by the bank with the TPPs, when a transaction risk analysis is performed and results on a low level of risk? That is, the connections made via the traditional online banking or the mobile application that the financial institution (the bank) provides to the final user are also eligible to a transaction risk analysis and, if a low level or risk is identified, apply exemption to the SCA? Or do the PSD2, and specifically the RTS on SCA and secure communication not apply to the traditional connections performed by the PSUs to their payment accounts via online banking or mobile application provided by the bank (ASPSP), and do they not mandate to apply transaction monitoring in such cases?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4089
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 19/10/2018

On the application of SCA when cancelling a payment transaction

Should Account Servicing Payment Service Providers (ASPSPs) apply strong customer authentication (SCA) when cancelling recurring transactions?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4083
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 12/03/2021

On the access to names and surnames through the API

Shall names and surnames associated with payment accounts be displayed through the Application Programming Interface (API)??

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4081
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 25/01/2019

On the use and storage of Personalised Security Credentials (PSC)

Do third party providers (TPPs) have the right to ask for payment service users (PSUs)' Personalised Security Credentials (PSC)?Do TPPs have the right to store PSUs' PSC ?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4077
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 12/03/2021

On the access to trusted beneficiaries lists (RTS Art 13) by TPPs in write mode

Do the TPPs have the right to access trusted beneficiaries lists in write mode?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4076
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

Communication plans to inform payment service providers making use of the dedicated interface

Is it sufficient to publish the measures to restore the system and the further descriptions on the website in an area, which is secured by the certificates of the payment service providers?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4071
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 08/02/2019

Exemption from strong customer authentication (SCA) for payment account information in combination with accessing account information online in web browser

Is it acceptable to abstain from applying the 5-minute-rule when the strong customer authentication (SCA)-exemption for payment account information is in use?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4068
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 21/12/2018

Accessing payment account online in web browser shall exceed not 5 minutes without acitvity

Is it necessary to stop the complete web session or would it be enough to deactivate the relevant items of PSD2 and to reduce the display to the available balance so trading functionality in the same session can stay available?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4065
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

Exemption for secure corporate payment processes and protocols

May lodged and virtual cards benefit from the exemption for secure corporate payment processes and protocols under Article 17 RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4060
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 07/06/2019

Transactions initiated via Interactive Voice Response (IVR) solutions

Do transactions initiated via Interactive Voice Response (IVR) solutions qualify as telephone orders and are therefore excluded from the scope of the RTS SCA requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4058
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 01/03/2019

SCA at vending machines without PIN pad

Do transactions at vending machines without PIN pad require Strong Customer Authentication (SCA)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4057
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 09/08/2019

Application of the exemption for transactions to trusted beneficiaries to Face-to-Face transactions

May the exemption for transactions to trusted beneficiaries (‘white-listing’) set out in Article 13 of Regulation (EU) 2018/389 (RTS on strong customer authentication and secure communication) apply to face-to-face transactions?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4056
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 21/09/2018

Confidentiality of offline PIN

Should the PIN transmitted offline from a terminal to an Europay, MasterCard and Visa (EMV) card always be enciphered? 

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4055
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 19/07/2019

Confidentiality of the application cryptogram for EMV transactions

Are EMV (Europay, MasterCard, Visa)  transactions (for which the application cryptogram is not enciphered during its transmission) compliant with the RTS on strong customer authentication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4054
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 20/12/2019

Length of authentication codes

Is a 3 decimal-digit authentication code, which (1) is unique per each transaction and (2) complies with the other security requirements set out in Article 4 RTS, compliant with the RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4053
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 08/02/2019

EMV cards and EMV terminals supporting online authentication

Is there a need for Europay, MasterCard, Visa (EMV) cards and EMV terminals supporting online authentication in compliance with the RTS to support also offline authentication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4052
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018