Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

List of Q&A's

Eligibility of communication by AISPs with ASPSP throughout two access interfaces in parallel

Question no 1: Do art. 30(1), art. 31 and art. 33 of the Commision Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (”RTS”) should be interpreted in that manner, that in scenario, where account servicing payment service provider (”ASPSP”) has introduced a so-called dedicated interface within a meaning of art. 31 RTS, which meets requirements provided for in art. 32 and 33 RTS, than ASPSP has a right and it is up to ASPSP’s sole discretion, whether, for purposes of communication with account information service providers (”AISPs”), to: make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS (i.e. dedicated interface and interface made available to the payment service users for the authentication and communication with their ASPSPs); or make available to AISPs only dedicated interface (without prejudice to, among others, contingency measures set forth in art. 33 RTS)? Question no 2: If answer to question no 1 is that in scenario of introduction by ASPSP of dedicated interface, ASPSP has a right and it is up to ASPSP’s sole discretion to make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS (i.e. dedicated interface and interface made available to the payment service users for the authentication and communication with their ASPSPs), does this mean that AISPs, with observation of further requirements set forth in art. 30, art. 34 and art. 35 RTS, might communicate with this ASPSP, in parallel, throughout both access interfaces? Question no 3: If answer to question no 1 is that in scenario of introduction by ASPSP of dedicated interface, ASPSP has no right and it is not up to ASPSP’s sole discretion to make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS, i.e. a contrario ASPSP is allowed to make available to AISPs only dedicated interface (without prejudice to, among others, contingency measures set forth in art. 33 RTS), does ASPSP is under obligement to engange necessary and proportional measures, including technical measures, for AISPs to communicate with ASPSP only via dedicated interface, i.e. with exclusion of interface made available to the payment service users for the authentication and communication with their ASPSPs? Question no 4: If answer to question no 1 is that in scenario of introduction by ASPSP of dedicated interface, ASPSP has no right and it is not up to ASPSP’s sole discretion to make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS, i.e. a contrario ASPSP is allowed to make available to AISPs only dedicated interface (without prejudice to, among others, contingency measures as set forth in art. 33 RTS) but nevertheless ASPSP has not engange necessary and proportional measures, including technical measures, for AISPs to communicate with ASPSP only via dedicated interface, i.e. with exclusion of interface made available to the payment service users for the authentication and communication with their ASPSPs, does this fact in any measure reflects AISPs right to communicate with this ASPSP throughout both access interfaces, or whether AISPs should undertake any additional actions, and if yes, what kind of actions?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2023_6752
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 22/03/2024

requirements for professional experience of representatives and board members of EMIs

Dear Sir/Madam,    In the process of licensing an EMI, the management of the company aplying for a licese is required to have certain professional qualifications: experience, clean record, good reputation,etc... As PSD2 does not regulate this topic, each National Bank has set different requirments. The same pereon may be elidgible under the requirments of central bank of one country while not elidgible for another. Usually, the requirments are for banking and equivalent proffesional background and experience.  Profesionals with technology background (eg. Computer Science, blockchain, software development, AI, information management) are not elidgible. However technology is one of the main drivers of innovation and competitiveness in both banks and fintech.    In this regard, I have two questions:  1. Is EBA discussing any harmonisation of requirments for profesional experience of managing teams of EMIs to be enforced in a new updated PSD2? 2. If yes, does EBA consider allowing technology related profesionals to hold management possitions in EMIs?    Best regards,  Filip Mutafis  

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2023_6750
  • Topic: Authorisation and registration
  • Date of submission:
  • Published as Rejected Q&A: 10/07/2023

Service Downtime

The question refers to the case that an incident with a duration of two hours that disrupts transaction processing occurs around the daily cut off time of same-day transactions processing. Thus, the incident may be of a short duration, but as a result, transactions are booked one day later. Considering this example, what service downtime should the payment service provider (PSP) indicate in the PSD2 notification? Just the net time of the failure or the total time any payment service users are affected by delayed transactions, i.e. one day?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2021/03 - Guidelines on major incident reporting under PSD2 - repealing EBA/GL/2017/10
  • ID: 2023_6744
  • Topic: Major incidents reporting
  • Date of submission:
  • Published as final Q&A: 29/09/2023

Period to be covered by statistics pursuant to Article 32(4) of Commission Delegated Regulation (EU) 2018/389

Which period should the statistics to be published by ASPSPs under Article 32(4) of Commission Delegated Regulation (EU) 2018/389 cover in total?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2023_6687
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 29/09/2023

Consideration of own funds requirements as a comparable guarantee to the PII

Would it be acceptable to consider, has a possible comparable guarantee, an increase of own funds’ requirements, in an amount corresponding to the minimum monetary amount calculated in accordance with the EBA’s tool, while ensuring that this amount would be fulfilled with highly liquid assets?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2023_6675
  • Topic: Monetary amount of the professional indemnity insurance
  • Date of submission:
  • Published as final Q&A: 17/01/2025

Publication of quarterly statistics, according to GL 3 of the “Guidelines on the conditions to benefit from an exemption from the contingency mechanism under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC)”

In what concerns the performance and availability statistics that ASPSPs need to make available on their websites in accordance to GL 3 of the “Guidelines on the conditions to benefit from an exemption from the contingency mechanism under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC)”, do ASPSPs need to disclose all their quarterly reports since the entry into production of their APIs? For instance, if the ASPSP made their API available in September 2019, does the ASPSP need to have all the reports online since then? If not, is there any recommended timeframe for the reports to be kept available online?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/07 - Guidelines on the exemption from the contingency mechanism under Regulation (EU) 2018/389
  • ID: 2022_6613
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as Rejected Q&A: 29/03/2023

Information provided to the payee on individual payment transaction

If a framework contract includes a condition on providing all required information to the payee at least once a month, is the payment service provider still obliged to provide the information to the payee after the execution of individual payment transaction? Or providing monthly information is enough and provision of information separately about each individual transaction is not required anymore?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2022_6612
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 17/01/2025

Payment account

What is the difference between payment account, e-money account and a bank account (account held at the credit institution) in terms of allowed transactions? Is it possible to hold funds on a payment account to make future payment transactions?Is it possible to receive the salary on a payment account, if this account is not an e-money account or an account held by a credit institution, which constitute a deposit or other repayable fund?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2022_6611
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 11/10/2024

Initial Capital

What is the initial capital requirement if a payment institution is providing: (a) any of the payment services as referred to in points (1) to (5) of Annex I and service (6) and (7). (b) any of the payment services as referred to in points (1) to (5) of Annex I and service (6) . (c) any of the payment services as referred to in points (1) to (5) of Annex I and service (7).

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2022_6570
  • Topic: Authorisation and registration
  • Date of submission:
  • Published as Rejected Q&A: 10/07/2023

Evidences / Records to be stored by account servicing payment service providers (ASPSP) for payment initiation service (PIS) and account information service (AIS) requests

Shall ASPSP keep record of PIS requests received through a PISP and evidences on the authenticity and execution of these payment transactions when SCA is managed by ASPSP ?  Shall ASPSP keep record of the consent of the PSU and also of the AIS requests received through an AISP ? For both evidences is there any specific retention period ?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2022_6526
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 29/09/2023

The definition of payment services and in particular the definition of execution of payment transaction in relation to netting centers

1. Is an (international) non-profit association, acting as netting centre in the framework of a multilateral netting agreement entered into between its members, that receives and forward funds to and from its members through a bank account opened in its name deemed to carry out payment services falling within the scope of Article 4(3) of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC ('PSD2') (e.g. the execution of payment transaction or money remittance)?2. If the netting center is deemed to carry out payment services, can the netting centre rely on exclusion of Article 3(n) of PSD2, i.e. 'payment transactions and related services between a parent undertaking and its subsidiary or between subsidiaries of the same parent undertaking, without any intermediary intervention by a payment service provider other than an undertaking belonging to the same group'?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2022_6489
  • Topic: Authorisation and registration
  • Date of submission:
  • Published as final Q&A: 11/10/2024

Reading of the term "means of payment"

What are the 'means of payment' in the LNE Guidelines (guidelines 1.6 and 1.7)? Does the term refer to the technological level of a physical device or a digital carrier, which may accommodate several payment instruments, such as plastic card (chip or magnetic stripe), a mobile phone, a wallet, an app, a wearable, a tablet, a PC or even a specific storage location on an external server? Please provide examples of 'other means of payment' that are relevant in practice from the EBA's perspective. How is the definition of payment instrument according to Article 4(14) PSD2 to be read in the context of the LNE Guidelines? Is the interpretation of the adjective “card-based” (in combination with means of payment) in line with the same adjective in combination with payment instruments according to Article 2(20) of Regulation (EU) 2015/751 (“IFR”)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2022/02 - Guidelines on the limited network exclusion
  • ID: 2022_6481
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 29/09/2023

SCA for token replacement

Is SCA required for the replacement of a tokenized card happening in the background without any ‘action by the payer’ under Article 97(1)(c) PSD2 in the following cases: Expiry of the token and update of the token Replacement of the card, and the new card has a different BIN/Account Range (e.g., for product graduation, such as standard to gold, or simple BIN management) and/or different functionalities Technical and/or configuration changes to the issuer’s BIN configuration (such as migrating from 6 to 8 digit BINs) In all these cases, the existing tokenized credentials have been initially associated with SCA to the user under Article 24(2)(b) RTS, and this is solely a technical replacement of the token. credentials have been initially associated with SCA to the user under Article 24(2)(b) RTS, and this is solely a technical replacement of the token.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2022_6464
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 31/01/2023

Annex VI - Agentes/distributors

Please clarify whether under Directive 2015/2366, in the exchange of notifications between NCAs, Annex VI of the Commission Delegated Regulation (EU) 2017/2055 should be sent concerning each new agent/distributor or only for the first agent/distributor acting on behalf of a payment/e-money institution.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2017/2055 - RTS on passporting under PSD2
  • ID: 2022_6437
  • Topic: Passporting
  • Date of submission:
  • Published as final Q&A: 14/10/2022

API functionality

Is it allowed to use a dedicated PSD2 interface by a TPP that identifies itself with an eIDAS certificate for purposes other than those specified in Article 30(1)(b) - (c) of the RTS on strong customer authentication (SCA) and secure communication? 

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2022_6392
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 14/10/2022

Paper-based postal money orders as defined by the Universal Postal Union

1. Should postal transfers as defined by the Universal Postal Union, which are not made in paper form but by electronic means, be excluded from the scope of PSD2?     2. If postal transfers, as defined by the Universal Postal Union, in both electronic and paper format, are inseparable from the postal operator’s accounting system, should also paper-based postal transfers not fall outside the scope of PSD2?     3. Should such transfers be excluded from the scope of PSD2 in either case, or agree that the payment institution is not entitled to credit those funds to the payment service customers’ funds accounts where the money of the payment service users is kept separate?     4. Can a payment institution that is also a postal service provider simultaneously provide both PSD2 regulated services and services related to payments but outside the scope of PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2022_6391
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 11/07/2025

Exclusion of cash withdrawal services from PSD2

If a provider offers cash ATM withdrawal services, not acting on behalf of one or more card issuers but rather through an agreement with the main payment circuits, shall this type of provision be considered exempt from the PSD2?  

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2022_6360
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 11/10/2024

Authentication procedures that ASPSPs’ interfaces are required to support (using re-direction)

In a pure redirection-based approach, can an ASPSP, which is not offering a mobile web browser to its PSU’s, decide not to support  an authentication via a mobile web browser authentication page (no app-to-mobile web browser or mobile web browser-to-mobile web browser  redirection) for PISPs/AISPs on the basis of duly justified security risks, without being considered a breach of Article 97 (5) PSD2 and Article 30(2) of the RTS on SCA and CSC and/or an obstacle under Article 32(3) of the RTS on SCA and CSC?  

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2021_6321
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 27/01/2023