Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID, legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page.

List of Q&As

Scope of “additional registrations” as obstacles in the sense of Article 32(3) Delegated Regulation (EU) 2018/389

Is a process that requires Third Party Providers (TPPs) to upload an electronic IDentification, Authentication and trust Services (eIDAS) certificate for receiving additional client credentials before first access to a payment account provided by an Account Servicing Payment Service Provider (ASPSP) to be considered an “additional registration” and therefore an obstacle?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Ability of Payee’s PSP to apply exemptions from SCA in credit transfers

Can the Payee’s Payment Services Provider (PSP) apply an exemption from strong customer authentication (SCA) in credit transfers that are initiated through the payee?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Strong customer authentication (SCA) Knowledge element: Place of Birth and Date of Birth

Does a payer’s date of birth and place of birth constitute a valid Knowledge Element for strong customer authentication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Obstacle to the provision of payment initiation and account information services

Should Article 32.3 of Regulation (EU) 2018/389, read together with paragraphs 33 to 41 of the Opinion of the European Banking Authority on obstacles under Article 32(3) of the RTS on SCA and CSC, be interpreted so as to consider that interface implementations that require, in a redirection approach, Payment Initiation Services Providers (PISPs) to always transmit the payer’s IBAN to initiate a payment order, are an obstacle to the provision of payment initiation services because the payment service user is required to manually enter their IBAN while in the PISP’s domain? Should Article 32.3 of Regulation (EU) 2018/389 be interpreted identically where the interface implementations require Account Information Service Providers (AISPs) to always transmit the IBAN(s) of the account(s) to be accessed, therefore requiring the payment service user to manually enter their IBAN(s) while in the AISP’s domain?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

On the access to safeguarding accounts through the Application Programming Interface (API)

Shall a safeguarding account of the e-money institution (EMI) or/and of the payment institution (EMI and PI) within the account servicing payment service provider (ASPSP) be considered as a payment account and therefore should be accessible (displayed) through the Application Programming Interface (API) of ASPSP?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

“Triangular” passport

Are “triangular” passports possible under the current legal framework governing the passporting rights among the EU Member States?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2017/2055 - RTS on passporting under PSD2

Legal requirements for the authentication procedure when SCA exemptions are applied for remote payment transactions

What are the legal requirements for the type of authentication procedure used when conditions for the application of Strong customer authentication (SCA) exemption for remote payment transactions are fulfilled?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Requirements towards SCA if association is done based on phone call

Does the requirement to apply Strong customer authentication (SCA) under Article 24 paragraph 2 b of Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication apply when a customer is served using a telephone call? Or is associating authentication credentials with a customer who does not have active credentials at hand only possible with the customer present?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Delegation of 2-Factor Authentication (2FA) to PISP, AISP or other third party

Where a Payment Service Provider (PSP) is providing financial services via a third party application - either through a Payment Initiation Services Provider (PISP), Account Information Service Provider (AISP) or by providing embedded financial products or banking as a service solutions (i.e. financial services via an Application Programming Interface (API)) - is it permitted for the PSP to delegate the application of 2-Factor Authentication (2FA) to the third party?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Association with the payment service user by means of a remote channel

Is it sufficient to use a company level knowledge element, in combination with a personal possession element, to associate a user of a business application with personalised security credentials such as authentication software or a knowledge element?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Application of SCA to issuing a payment instrument and tokenisation

Is strong customer authentication (SCA) required when a Payment Service Provider (PSP) issues a payment instrument or creates a token?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Use of new technology for SCA

Is a Payment Services Provider (PSP) allowed to adopt innovative technologies for verifying Payment Services Users (PSUs) where the PSP maintains fraud levels below a certain threshold?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Use of behavioural data for SCA

Can a Payment Service Provider (PSP) use behavioural data and auditable scores to apply Strong customer authentication (SCA) in a way that protects consumer privacy?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Independence of the elements for SCA

Can a Payment Service Provider (PSP) apply Strong customer authentication (SCA) using elements from the same category provided that the elements are independent (i.e. breach of one does not compromise reliability of the other elements)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Information to be provided by the PISP to the payer prior to the initiation of the transaction

Is it sufficient that the merchant makes available upon request by the payer (consumer) the information about the Payment Initiation Service Provider (PISP) in the Point of Interaction (POI) environment before the consumer presents their data (e.g., via a QR code) to meet the requirements of Articles 44 and 45, (2), PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Consumer explicit consent to the PISP for processing of personal data

Can the presentation by the consumer of its identification data to the merchant (e.g. CustomerID and IBAN through a QR code read by the Point of Interaction (POI)) be interpreted as the consumer providing explicit consent via the merchant to the usage of this data by a Payment Initiation Service Provider (PISP) that has a contractual relationship with the merchant (but not with the consumer) for the processing of data that will enable the initiation of a single (instant) credit transfer with the consumer’s Account Servicing Payment Service Provider (ASPSP), subject to sufficient information about this PISP made available beforehand to the consumer (in accordance with Articles 44 and 45 of PSD2)? Or is the explicit consent of the consumer to the PISP required by way of contract, as mentioned in section 3.2.1 of the EDPB Guidelines 06/2020 on the interplay of Directive 2015/2366/EU (PSD2) and the GDPR?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Bill-payment via postal service

Does bill-payment via snail-mail (postal service) fall into the definition of Article 97 1(c) and is it thus subject to strong customer authentication (SCA) requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Perform SCA by reusing an element used in an authentication exempted from SCA

When an element is used to access the payment account online, in the case the Payment Service Provider (PSP) is allowed not to apply Strong Customer Authentication (SCA) (only applying a single-factor authentication: login + password), is it possible to reuse this element to perform SCA to authenticate a transaction?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Clarification of meanings 'transferring of funds' and 'another payment service provider' in the context of article 10(1)(a) of PSD2

1) How to understand the meaning 'another payment service provider', specified in Article 10(1)(a) of PSD2? What is the definition of this meaning in the context of Article 10(1)(a) of PSD2? 2) How to understand the meaning 'transferred to another payment service provider', specified in Article 10(1)(a) of PSD2? In particular, is it possible to consider as 'transferred to another payment service provider' transferring of funds (which have been received by Payment service provider No. 1 from the payment service users or through another payment service provider for the execution of payment transactions) on payment account of the payment service provider No. 1, that is opened with Payment service provider No. 2? On what legal basis the transfer of funds must take place in order to be considered 'transferred to another payment service provider'?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Payers' right to make use of payment initiation service providers for all types of payment transactions

Shall payers be able to make use of payment initiation service providers for transmitting all types of credit-transfer based online payment orders from their payment accounts?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication