Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID, legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guideline by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

On the requirements for 'inherence' in strong customer authentication (SCA)

Do the elements required for ‘inherence’ in strong customer authentication (SCA) provide the complete authentication or can they form a part of an authentication decision with some non-biometric elements and still satisfy the inherence condition, for example, as one element of a user profile of several elements? For example, if the biometric, say keystroke dynamics, provides 50% of the decision and other characteristics (e.g. device data, location data) provide the other 50%, does this satisfy the requirement for inherence assuming the condition for 'very low probability of unauthorised access' is also satisfied and that another SCA condition, 'knowledge' or 'possession' is also satisfied? If so, is there a threshold, say 50%, below which it ceases to qualify as 'inherence'?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

How to use bank guarantees instead of PII

Is it acceptable to use third party (other than credit institutions) commitments that are covered by a guarantee from a credit institution as a comparable guarantee instead of professional indemnity insurance (PII)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2017/08 - Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance

Alternative strong customer authentication for citizens without mobile

Why does the PSD2 allow banks to deny the access to the electronic financial services to customers without a mobile but with a PC?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Mount unattended contactless device on general goods vending machines

With the limits described in Articles 11 and 16 of the Regulatory Technical Standards on strong customer authentication and secure communication under Directive 2015/2366/EU (PSD2), could a vendor mount an unattended "contactless only" device without pinpad on a general goods vending machine?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Safeguarding

Are payment institutions able to simultaneously adopt different safeguarding methods with respect to funds held?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Access to account for FinTech Solutions that incorporate regulated services

Do FinTech companies offer payment accounts by their use of regulated services as part of their offering and are they therefore required to provide access to accounts to Third Party Providers (TPPs)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Clarification of remote payment for dynamic linking

Is a SEPA Credit Transfer (SCT) transaction, whereby a user mobile phone interacts locally via Near Field Communication (NFC) with a merchant payment terminal to initiate the SCT transaction, whereby the user mobile phone does not communicate remotely over a mobile network for this purpose but whereby the payment terminal connects on-line to a payment system and handles the required strong customer authentication (SCA) through this on-line channel, considered an electronic remote payment transaction?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Transport and parking exemption for parking and electric vehicle charging

Does the transport and parking exemption under Article 12 of Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication apply to transactions at unattended terminals for the payment of a parking fee that includes electric charging?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Money Remittance

Where an entity accepts payment on behalf of a payee (such as a debt collector and the debt due to the payee is extinguished upon receipt of payment by the debt collector), is it correct to say that this does not constitute Money Remittance? (i.e. there is no need to rely on the commercial agency exemption since there is no payment service being provided). In addition, if there is no Money Remittance in this situation, can the same be said if the entity receives money into one account then pays these monies to a second account in its name, before transferring the money to the relevant payee? If this is Money Remittance, can the commercial agency exemption be relied on where an entity receives monies but then transfers them to another account held by it before then transferring to the relevant payee?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Elements of possession (SIM card) and knowledge (knowledge-based responses to challenges or questions)

1. Can evidence of possession (SIM card) also be verified by reading and identifying the phone number used for the phone call? 2. Can a knowledge element be based on a) transaction history of the customer; b) contact information of the customer?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Obstacles to the payment initiation service

Can the impossibility for a Third Party Provider (TPP) to add new beneficiaries for payment initiation, coupled with the impossibility to initiate payments for unregistered beneficiaries, be considered as an obstacle? Besides, as a subsequent question, are delays up to 48 hours in the registration of new beneficiaries an obstacle?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Acquisition and money remittance payment service

Can a payment institution (PI) which provides a payment service of acquiring of payment transactions for its users provide this service without holding a payment account?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Individual's name to return in AISP/PISP calls

Is the name returned in an Account Information Service Provider (AISP) / Payment Initiation Service Provider (PISP) call expected to be that of the Payment Service User (PSU) who has initiated the transaction with the Third Party Provider (TPP), or of the actual account owner/holder?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Payment Initiation Scope and Trusted Beneficiaries

Should non-payment accounts be listed as trusted beneficiaries where they are exempted from Strong Customer Authentication (SCA) as Beneficiaries of a Payment Transaction?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Dynamic linking: transactions for which the final amount is unknown and may be lower or higher than authenticated amount

For remote card transactions, is it acceptable that there are legitimate cases where the final amount may be lower or higher than the amount authenticated by the cardholder?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

SCA for staff assisted electronic channel

Please clarify where a customer is physically present and identified in branch, the strong customer authentication (SCA) requirements if that customer completes a Standing Order instruction (Setup, Amend or Cancel) or initiates a credit transfer through a staff assisted electronic channel (i.e. tablet device)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Using Trusted Beneficiary Lists to Auto Reject PISP Transactions

Is an Account Servicing Payment Service Provider (ASPSP) able to block a Payment Initiation Services Provider (PISP) transaction before attempting Strong Customer Authentication (SCA) if the beneficiary account does not appear in the Payment Services User (PSU)'s regular payee list/trusted beneficiary list?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Collection of fees for utilities or other regular services

Does a business model where the contributions (collected fees for utilities or other regular services) received from the payers are transferred to the payees (service providers) in individual transfers, without opening or maintaining accounts on behalf of neither payers nor payees (service providers), nor issuing any payment instruments to them, but the Company has contracts with the payees for accepting the transfers, constitute the provision of money remittance service as it is defined in Article 4(22) PSD2? Does a business model where the contributions (collected fees for utilities or other regular services) received from the payers are being aggregated and then transferred to the payee (service provider), without opening or maintaining accounts on behalf of neither payers nor payees (service providers), nor issuing any payment instruments to them, constitute the provision of money remittance service to the payer and acquiring of payment transactions service to the payee, as money remittance and acquiring of payment transactions are defined in Article 4(22) and (44) PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Reporting of e-commerce card-based payment transactions falling within the scope of EBA Opinion EBA-Op-2019-06 for which no strong customer authentication was applied

Should e-commerce card-based payment transactions – falling within the scope of the EBA Opinion on the elements of strong customer authentication under PSD2 (EBA-Op-2019-06) and for which no strong customer authentication was applied – be reported under the higher-level category “Of which authenticated via non-strong customer authentication”?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)

Data breakdown on fraud by different card functions for cash withdrawals

Does the breakdown on “card payments by fraud types” in Table E of the EBA Guidelines on fraud reporting under PSD2 refer only to cards with a credit/delayed debit function?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)