Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

List of Q&A's

PISP’s access to payable charges applied by the ASPSP on the PSU’s initiated payment via the ASPSP’s dedicated interface

Shall the account servicing payment service provider (ASPSP) make the transaction fees accessible to payment initiation service providers (PISPs) via the dedicated interface?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2021_6320
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 28/06/2024

Future-dated payments and recurring transactions

When it comes to recurring transactions and future-dated payments, would an implementation of the PSD2-interface that requires that the TPPs store the payment details until due date, and not until due date are they allowed to send the transactions to the ASPSP for execution, satisfy the requirements in Opinion on the implementation of the RTS on SCA and SCA (EBA-Op-2018-04) of June 13, 2018' paragraph 29, in cases where the ASPSP itself offers future-dated payments and recurring transactions in their mobile/web-bank application? If the answer to the preceding question is yes, what then is the meaning of the statement '… a PISP has the right to initiate the same transactions that the ASPSP offers to its own PSUs, such as … recurring transactions, … and future-dated payments'?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2021_6318
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 14/10/2022

Transactions initiated via electronic mail (email)

Do transactions initiated via electronic mail (email) qualify as initiations pursuant to Article 97 para. 1 (b) PSD2 and are therefore subject to the RTS SCA requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2021_6315
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 06/01/2023

Articulation and interaction of the second and the third sub-paragraph of Article 74 (1) of the PSD2

In cases where the payer could not possibly detect the loss, theft or misappropriation of his instrument before it was used, is it correct to state that there can be no liability at all, including if the payer has acted with gross negligence?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2021_6305
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 06/01/2023

Clarification on the protection requirements of a CustomerID when included in a payer-presented QR-code for the initiation of (instant) credit transfers at the Point of Interaction (POI)

  Are the Customer ID’s security measures (e.g., encryption, tokenisation, transport layer security) mentioned under Q&A 5476 to be always applied in any payer-presented QR code, regardless of who generates it (e.g., including a non-PSP)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2021_6298
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 14/10/2022

Provision of the "acquiring of payment transactions" payment service in the EU

Please provide your opinion on whether the payment service – acquiring of payment transactions on an EU webshop – can be provided by a payment service provider from a third country. Please refer to Q&A 4233.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2021_6283
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 17/01/2025

Application of SCA for confirmation of funds requests made by a PISP

1) Should two SCAs be applied when a fund confirmation is made by a PISP? i.e. one for fund confirmation and one for payment initiation? 2) Should ASPSPs provide confirmation to a CoF request made by a PISP before or after the payment is submitted?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2021_6280
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 27/01/2023

Payee-initiated transactions with irregular period or variable amounts for account payments.

Please clarify whether payee-initiated account transactions available in Account Servicing Payment Service Providers (ASPSPs)’ online banking channels are considered discriminatory under PSD2 when not available in the PSD2 Application Programming  Interfaces (APIs). 

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2021_6256
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 28/06/2024

Application of strong customer authentication (SCA) where Account Information Service users access the Account Information Service Providers’ (AISPs) own channels and the previously retrieved payment account information compiled and stored therein

Are Account Information Service Providers (AISPs) exempt, in respect of their own channels, from the requirements of Article 97(1) of Directive (EU) 2015/2366 and of Article 10 of Regulation (EU) 2018/389, and therefore allowed: to let users of their Account Information Service, access the AISPs’ own channels and the payment account information compiled and stored therein – previously retrieved by AISPs from the users’ respective Account-Servicing Payment Service Providers (ASPSPs) – without applying any strong customer authentication (SCA) upon that access to AISPs’ own channels, irrespective of whether the conditions of Article 10 of Regulation (EU) 2018/389 are satisfied – such that AISPs may, in their own channels, allow users of their service to consult, without SCA, previously retrieved payment account information of a broader scope (more than the last 90 days’ worth of data, and potentially the users’ complete transactional history) as compared to the data that ASPSPs may, without SCA, display to the same users in the ASPSPs’ own channels (maximum the last 90 days’ worth of data, and provided that SCA was applied no more than 90 days prior) – and such that AISPs, despite being payment services providers (PSPs), need not afford users of their services the same level of protection that ASPSPs are required to, and can expose said users to the risks of abuses referred to in Article 97(1)(c) of Directive 2015/2366?  

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2021_6248
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:

Change of TPP access rights for AIS consent by the PSU prior to authorisation

A clarification / harmonised guidance on the Scope of the Bank Offered Consent, as defined in the Berlin Group standard, is needed.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2021_6246
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 14/10/2022

ASPSP restricting access for TPPs who embeds the redirect

Do Account Servicing Payment Service Providers (ASPSPs) have the right to block access to payment accounts for a Third Party Provider (TPP) who embeds the ASPSP-provided redirection website in order to provide the Payment Service User (PSU) with a TPP-provided user interface?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2021_6245
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 13/04/2022

Calculation of “payment volume” for method B in the Article 9 of Directive EU 2015/36 (PSD2)

Can you please clarify the definition of 'previous year' when computing the “total amount of payment transactions executed” referred to in the calculation of “payment volume” for method B in the Article 9 of Directive EU 2015/36 (PSD2) as to whether it should be the previous 12 months from the date of calculation, therefore a rolling calculation, or whether it refers to the 'previous accounting year'? 

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2021_6241
  • Topic: Authorisation and registration
  • Date of submission:
  • Published as final Q&A: 06/01/2023

Payment Initiation Service - Batch payment / bulk payment

Can you apply the PSD2 non-discrimination principle to batch/bulk payment?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2021_6236
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 13/04/2022

Application of the exemption under Article 10 RTS and EBICS T

Can an Account Servicing Payment Service Provider (ASPSP) consider that it is not applying the Article 10 Exemption under the Commission Delegated Regulation (EU) 2018/389 “at all” where it permits its Payment Services Users (PSUs) to access balances and transactions information through another direct interface (such as Electronic Banking Internet Communication Standard (EBICS) T) with no systematic or daily strong customer authentication (SCA)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2021_6235
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 13/04/2022

Arbitrating between security and obstacles

Can an Account Servicing Payment Service Provider (ASPSP) know a mobile phone number inside of the Third Party Provider (TPP)’s organisation in order to send a decryption password to the TPP out-of-band via SMS?   

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2021_6156
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 27/01/2023

SCA applicability / Application of SCA at tokenisation stage

Does the authentication to unlock the mobile device count as one of the elements of strong customer authentication when a payment service user is tokenising a card on an e-wallet solution such as Apple Pay?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2021_6145
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 31/01/2023

Association of personalised security credentials to the payment service user

Should strong customer authentication (SCA) elements always be issued under control of the Account service Payment Services Provider (ASPSP)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2021_6141
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 17/12/2021

Information on the host member State in which Third Party Providers (TPPs) provide services

If a payment institution, in the specific form present in the EBA register under PSD2, presents an EU passport, does this mean that the Third Party Provider (TPP) is authorised to operate for the services indicated in all EU countries?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2019/411 - RTS on EBA register under PSD2
  • ID: 2021_6078
  • Topic: Central register of the EBA
  • Date of submission:
  • Published as final Q&A: 14/10/2022

Confirmation of Funds (CoF) request by a PISP in case of batch processing system

With respect to confirmation of funds request made by a Payment Initiation Service Provider (PISP), in the event that the Account Servicing Payment Service Providers (ASPSP) makes use of a batch processing system, should the ASPSP take into account batches that are in the queue waiting to be processed at the point when the fund confirmation request is made?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2021_6077
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 17/12/2021

Re-engineering by TPP of the ASPSP’s redirect API and PSU customer journey

May a Payment Initiation Services Provider (PISP) connect to the dedicated interface of the ASPSP, only to subsequently embed (“screen scrape”) the redirection approach into their own environment, without redirecting the PSU to the ASPSP’s mobile banking app, for authentication?  Are Third-Party Providers (TPPs) allowed to re-engineer the customer journey designed by the ASPSP to the effect that authentication of the PSU will take place in the TPP domain?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2021_6044
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 13/04/2022