Search for Q&As

Enquirers can use various factors to search for a Q&A:

These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Legal act

Topic

Article

COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations

Answer prepared by

Period posted start

Period posted end

Publication start

Publication end

Keywords

Question ID

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

Export options

Select / deselect all results on this page

List of Q&A's

Card data (PAN) to be returned in AISP calls

Does the ASPSP have to return the card number (PAN) attached to a fetched payment account in case the user can access this data during a standard session with its ASPSP in the direct internet banking interface? In case of "YES", does the TPP that is fetching this data have to be PCI DSS certified, since this data has to be encrypted based on the PCI DSS requirements? Moreover, could be the "card number (PAN)" considered sensible, since it could be potentially used for fraud?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Requirement for loan agents to register as payment service providers under EU's Second Payment Services Directive 2015/2366 ("PSD2").

I would like some clarification on Directive 2015/2366/EU (PSD2) Article 4 paragraphh 22 - Money remittance. If a firm performs administrative services (including but not limited to the calculation of interest/fees and principal owing between lenders and a borrower) and as part of this service is required to regularly transfer money between lenders and a borrower (no fee involved), does this qualify as money remittance? No fees are charged for the transfer of money.  

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Secure corporate payment processes and protocols and inactivity time period

May the period time of inactivity required by the (EU) 2018/389 - RTS on strong customer authentication and secure communication (hereinafter: RTS on SCA & CSC) Article 4 (3) (d) be changed from 5 minutes to 20 minutes if the exemption based on Article 17 of RTS on SCA & CSC has been granted by the competent authority to the Payment service provider?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Interpretation of payment instrument

What devices or procedures can be considered as payment instrument as per Art. 4(14) of PSD2?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Safeguarding with a credit institition in a third country

May a PI authorised and operating in an EU Member State use a credit institution based in a third country (e.g. UK) for the purpose of safeguarding funds in accordance with Art. 10(1)(a) of PSD2?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

PISP payment order cancellation due to fraud prevention reasons

Due to fraud prevention reasons, could an ASPSP (Account Servicing Payment Service Provider) block a payment order initiated through a PISP (Payment Initiation Service Provider) despite having informed the PISP immediately upon authentication, that the payment was going to be executed (i.e., after having provided the PISP with the code ACSC (AcceptedSettlementCompleted) under the Berlin Group Standard)? In that scenario who should bear the liability if the payment is not executed but, nonetheless, the payee delivered the good or service promptly after being informed by the PISP of the successful initiation of the payment?Would the answer be different if the ASPSP had simply confirmed the sufficiency of funds as stated in the EBA Opinion on the implementation of the RTS on SCA and CSC (EBA-Op-2018-04)? 

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Mobile Banking Services and SCA in the same app

We use a mobile app, software installed in a separate sandbox on a multi-purpose device, for the elements of strong customer authentication. Is it correct to assume that Article 9 (in COMMISSION DELEGATED REGULATION (EU) 2018/ 389) does not prevent us from offering mobile banking services through the same app?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

The SCA-Exemption for account access based on art. 10 of Regulation (EU) 2018/389 as amended by Regulation (EU) 2022/2360.

We require a clarification with reference to the art. 10 of Regulation (EU) 2018/389 as amended by Regulation (EU) 2022/2360, regarding the meaning of the sentence: “…provided that access is limited to one of the following items online…”.  Does it mean that the 180days exemption is not allowed in case the PSU requires at the same time and in the same request: i) balance and ii) transactions-list of her/his payment account?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Trusted Beneficiaries

Please clarify whether under Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication (hereinafter: RTS on SCA & CSC) is it allowed to use the same SCA element to authorize a payment and at the same time (using the same session ID) approve (technically using by a checkbox) the payee as a trusted beneficiary? If it is allowed, the payment service user (hereinafter: PSU) shall be informed (prior to authorisation) by an approval SCA element (SMS) about the payment execution and about modifying the list of the trusted beneficiaries as well?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Exemption from strong customer authentication

Do the revisions to Art.10 set out in Commission Delegated Regulation (EU) 2022/2360 of 3 August 2022 amending the regulatory technical standards laid down in Delegated Regulation (EU) 2018/389 as regards the 90-day exemption for account access mean that a payment service user or account information service provider is now limited to accessing only the account balance OR the transaction details for the last 90 days when availing of the revised exemption?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Multi-licensed entity capital requirement

Should a payment institution that also has a crowdfunding license meet the capital requirements of both authorizations in aggregate?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Fraud reporting

How we should treat the transactions that are initiated by PSP (for example refunds, chargebacks, etc.), but those transactions are related to cardholder's actions.

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)

Exchange rate mark-ups part of 'all charges payable'/'currency conversion charges'

Is an exchange rate mark-up (the difference between the interbank rate and the exchange rate offered by the PSP to its PSUs) to be considered as part of ‘all charges payable’ as per PSD2 and the ‘currency conversion charges’ as per CBPR2 prior to the initiation of the payment? How should PSPs disclose this in the payment flow?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

App to app redirection with biometrics for PIS

Are ASPSPs required to offer redirected authentication with biometrics to users accessing their payment accounts through an AISP or initiating a payment through a PISP, if they offer redirected authentication with biometrics to users accessing accounts or initiating payments directly via the ASPSP?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Eligibility of communication by AISPs with ASPSP throughout interface used for authentication and communication with the ASPSP's payment services users in case of ASPSP’s exemption from the fall back mechanism

Question no 1:   Does a fact, that based on art. 33(6) RTS, given ASPSP was granted by competent authority with exclusion from the obligation to set up the contingency mechanism described under art. 33(4) RTS, means, that such exemption merely gives this ASPSP a right not to set up the contingency mechanism, and hence, this is up to ASPSP to enjoy and to follow this exclusion, or whether, in opposition, this exemption creates on ASPSP side obligation to bring this exclusion to life.   Question no 2:   Does a fact, that given ASPSP was granted by competent authority with exclusion from the obligation to set up the contingency mechanism described under art. 33(4) RTS, creates on AISP’s end any kind of obligation, for instance lack of right to communicate with ASPSP in question throughout interface made available to the payment service users for the authentication and communication with their ASPSPs.

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Eligibility of communication by AISPs with ASPSP throughout two access interfaces in parallel

Question no 1: Do art. 30(1), art. 31 and art. 33 of the Commision Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (”RTS”) should be interpreted in that manner, that in scenario, where account servicing payment service provider (”ASPSP”) has introduced a so-called dedicated interface within a meaning of art. 31 RTS, which meets requirements provided for in art. 32 and 33 RTS, than ASPSP has a right and it is up to ASPSP’s sole discretion, whether, for purposes of communication with account information service providers (”AISPs”), to: make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS (i.e. dedicated interface and interface made available to the payment service users for the authentication and communication with their ASPSPs); or make available to AISPs only dedicated interface (without prejudice to, among others, contingency measures set forth in art. 33 RTS)? Question no 2: If answer to question no 1 is that in scenario of introduction by ASPSP of dedicated interface, ASPSP has a right and it is up to ASPSP’s sole discretion to make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS (i.e. dedicated interface and interface made available to the payment service users for the authentication and communication with their ASPSPs), does this mean that AISPs, with observation of further requirements set forth in art. 30, art. 34 and art. 35 RTS, might communicate with this ASPSP, in parallel, throughout both access interfaces? Question no 3: If answer to question no 1 is that in scenario of introduction by ASPSP of dedicated interface, ASPSP has no right and it is not up to ASPSP’s sole discretion to make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS, i.e. a contrario ASPSP is allowed to make available to AISPs only dedicated interface (without prejudice to, among others, contingency measures set forth in art. 33 RTS), does ASPSP is under obligement to engange necessary and proportional measures, including technical measures, for AISPs to communicate with ASPSP only via dedicated interface, i.e. with exclusion of interface made available to the payment service users for the authentication and communication with their ASPSPs? Question no 4: If answer to question no 1 is that in scenario of introduction by ASPSP of dedicated interface, ASPSP has no right and it is not up to ASPSP’s sole discretion to make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS, i.e. a contrario ASPSP is allowed to make available to AISPs only dedicated interface (without prejudice to, among others, contingency measures as set forth in art. 33 RTS) but nevertheless ASPSP has not engange necessary and proportional measures, including technical measures, for AISPs to communicate with ASPSP only via dedicated interface, i.e. with exclusion of interface made available to the payment service users for the authentication and communication with their ASPSPs, does this fact in any measure reflects AISPs right to communicate with this ASPSP throughout both access interfaces, or whether AISPs should undertake any additional actions, and if yes, what kind of actions?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

requirements for professional experience of representatives and board members of EMIs

Dear Sir/Madam,    In the process of licensing an EMI, the management of the company aplying for a licese is required to have certain professional qualifications: experience, clean record, good reputation,etc... As PSD2 does not regulate this topic, each National Bank has set different requirments. The same pereon may be elidgible under the requirments of central bank of one country while not elidgible for another. Usually, the requirments are for banking and equivalent proffesional background and experience.  Profesionals with technology background (eg. Computer Science, blockchain, software development, AI, information management) are not elidgible. However technology is one of the main drivers of innovation and competitiveness in both banks and fintech.    In this regard, I have two questions:  1. Is EBA discussing any harmonisation of requirments for profesional experience of managing teams of EMIs to be enforced in a new updated PSD2? 2. If yes, does EBA consider allowing technology related profesionals to hold management possitions in EMIs?    Best regards,  Filip Mutafis  

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Service Downtime

The question refers to the case that an incident with a duration of two hours that disrupts transaction processing occurs around the daily cut off time of same-day transactions processing. Thus, the incident may be of a short duration, but as a result, transactions are booked one day later. Considering this example, what service downtime should the payment service provider (PSP) indicate in the PSD2 notification? Just the net time of the failure or the total time any payment service users are affected by delayed transactions, i.e. one day?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2021/03 - Guidelines on major incident reporting under PSD2 - repealing EBA/GL/2017/10

Is Article 5 of Regulation 2021/1230 applicable on the spot currency trading?

Is article 5 of Regulation 2021/1230 applicable on the spot currency trading?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Period to be covered by statistics pursuant to Article 32(4) of Commission Delegated Regulation (EU) 2018/389

Which period should the statistics to be published by ASPSPs under Article 32(4) of Commission Delegated Regulation (EU) 2018/389 cover in total?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Pillar 3 data hub

Reporting

Data

Publications

Media centre