Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

List of Q&A's

Payment Initiation Scope and Trusted Beneficiaries

Should non-payment accounts be listed as trusted beneficiaries where they are exempted from Strong Customer Authentication (SCA) as Beneficiaries of a Payment Transaction?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2020_5135
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 15/01/2021

Dynamic linking: transactions for which the final amount is unknown and may be lower or higher than authenticated amount

For remote card transactions, is it acceptable that there are legitimate cases where the final amount may be lower or higher than the amount authenticated by the cardholder?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2020_5133
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 29/05/2020

SCA for staff assisted electronic channel

Please clarify where a customer is physically present and identified in branch, the strong customer authentication (SCA) requirements if that customer completes a Standing Order instruction (Setup, Amend or Cancel) or initiates a credit transfer through a staff assisted electronic channel (i.e. tablet device)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2020_5124
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 21/01/2022

Using Trusted Beneficiary Lists to Auto Reject PISP Transactions

Is an Account Servicing Payment Service Provider (ASPSP) able to block a Payment Initiation Services Provider (PISP) transaction before attempting Strong Customer Authentication (SCA) if the beneficiary account does not appear in the Payment Services User (PSU)'s regular payee list/trusted beneficiary list?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2020_5115
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 15/01/2021

Collection of fees for utilities or other regular services

Does a business model where the contributions (collected fees for utilities or other regular services) received from the payers are transferred to the payees (service providers) in individual transfers, without opening or maintaining accounts on behalf of neither payers nor payees (service providers), nor issuing any payment instruments to them, but the Company has contracts with the payees for accepting the transfers, constitute the provision of money remittance service as it is defined in Article 4(22) PSD2?Does a business model where the contributions (collected fees for utilities or other regular services) received from the payers are being aggregated and then transferred to the payee (service provider), without opening or maintaining accounts on behalf of neither payers nor payees (service providers), nor issuing any payment instruments to them, constitute the provision of money remittance service to the payer and acquiring of payment transactions service to the payee, as money remittance and acquiring of payment transactions are defined in Article 4(22) and (44) PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2020_5099
  • Topic: Authorisation and registration
  • Date of submission:
  • Published as final Q&A: 06/01/2023

Reporting of e-commerce card-based payment transactions falling within the scope of EBA Opinion EBA-Op-2019-06 for which no strong customer authentication was applied

Should e-commerce card-based payment transactions – falling within the scope of the EBA Opinion on the elements of strong customer authentication under PSD2 (EBA-Op-2019-06) and for which no strong customer authentication was applied – be reported under the higher-level category “Of which authenticated via non-strong customer authentication”?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)
  • ID: 2020_5070
  • Topic: Fraud reporting
  • Date of submission:
  • Published as final Q&A: 24/07/2020

Data breakdown on fraud by different card functions for cash withdrawals

Does the breakdown on “card payments by fraud types” in Table E of the EBA Guidelines on fraud reporting under PSD2 refer only to cards with a credit/delayed debit function?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)
  • ID: 2019_5056
  • Topic: Fraud reporting
  • Date of submission:
  • Published as final Q&A: 24/07/2020

Contingency Measures under Article 33

Does fallback access to a secondary instance of the dedicated interface in a different data center with dedicated resources, provide an acceptable strategy and plan for the contingency mechanism?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2019_5054
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 23/04/2021

Recording of card payments

If a card has both an e-money and non e-money function, how should a payment be recorded? Should the recording be different based on the type of the reporting institution (for example, depending on whether is an electronic money institution (EMI) or a bank)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)
  • ID: 2019_5046
  • Topic: Fraud reporting
  • Date of submission:
  • Published as final Q&A: 24/07/2020

Card payments - acquirer

If an acquirer is not able to distinguish whether a card used for a payment is a card with an e-money function, is the acquirer required to report transactions with such cards under the EBA Guidelines on fraud reporting, and if so, under what breakdown?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)
  • ID: 2019_5045
  • Topic: Fraud reporting
  • Date of submission:
  • Published as final Q&A: 09/04/2021

Recording of e-money

If a card issued by an E-money institution has a cash function, how should the cash withdrawal from that card be recorded? Should it be recorded on the debit card withdrawal, as the E-money breakdown section does not include a cash withdrawal category?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)
  • ID: 2019_5044
  • Topic: Fraud reporting
  • Date of submission:
  • Published as final Q&A: 24/07/2020

Direct debts fraud reporting

In relation to the direct debits fraud, please clarify the reporting criteria for direct debit fraud.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)
  • ID: 2019_5043
  • Topic: Fraud reporting
  • Date of submission:
  • Published as final Q&A: 24/07/2020

Reporting of PISP transactions

Should payment initiation service provider (PISP) initiated payments be reported under both Table A (1.1) and Table H (8.x)? More specifically how should these transactions be reported where the customer initiates a payment via a PISP, from their bank account, to one of their payees flagged in the bank’s online channel as “trusted beneficiaries” (Article 13 of the RTS on SCA&CSC).

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)
  • ID: 2019_5042
  • Topic: Fraud reporting
  • Date of submission:
  • Published as final Q&A: 24/07/2020

Reporting of PISP initiated payments

Is there a requirement to segregate the Payment Initiation Service Provider (PISP) initiated payments which were executed without Strong customer authentication (SCA), by the relevant availed exemption used? Or are PISP initiated payments, only required to be presented in Bulk (Value, Volume, SCA/Non-SCA)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)
  • ID: 2019_5041
  • Topic: Fraud reporting
  • Date of submission:
  • Published as final Q&A: 24/07/2020

Reporting of fraud by the acquirers

Regarding the fraud definition, could you please clarify how the following fraud examples should be classified by the acquirers

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)
  • ID: 2019_5039
  • Topic: Fraud reporting
  • Date of submission:
  • Published as final Q&A: 24/07/2020

Online foreign exchange

Does the business of foreign currency exchange-Forex require an authorisation as payment institution under PSD2, provided that: (a) the currency exchange takes place via online exchange platform; and (b) the client deposits certain base in cash or sends it by bank transfer to a bank account of the Forex company; and (c) the client receives the quote (exchanged) currency in an online client account in the platform from where the exchanged amount may be sent to a client's bank account or may be withdrawn in cash at the Forex company's offices?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2019_5019
  • Topic: Authorisation and registration
  • Date of submission:
  • Published as Rejected Q&A: 11/02/2022

Losses due to fraud per liability bearer / Perdite dovute a frode per portatore di responsabilità

Please clarify the requirement in guideline 1.6 (b) of the EBA Guidelines on fraud reporting under PSD2 with regard to recognising losses due to fraud per liability bearer. *** IT: Si chiede cortesemente di chiarire il requisito espresso all'interno dell'orientamento 1.6(b) in materie di obblighi di segnalazione delle perdite dovute a frode per portatore di responsabilità

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)
  • ID: 2019_5008
  • Topic: Fraud reporting
  • Date of submission:
  • Published as final Q&A: 25/09/2020

"Push based" authentication and SCA requirements

Does "push based" authentication fall in the Strong customer authentication (SCA) requirements, based on the security risks "push authentication" poses?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2019_4984
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 25/09/2020

Services offered by means of ATM by providers

Which is the appropriate payment service for ATM withdrawals, where the ATM provider is required to be authorised but is acting on behalf of one or more card issuers, which are not a party to the framework contract with the customer withdrawing money from a payment account? 

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2019_4982
  • Topic: Authorisation and registration
  • Date of submission:
  • Published as Rejected Q&A: 11/02/2022

SCA for contactless payments at a POS executed via a mobile device

1) Can we consider the strong customer authentication (SCA) outsourced from the issuer of cards to the payer? 2) Is it necessary for the issuer of the cards to perform SCA based on the elements of identification that are beyond its control?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2019_4937
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 25/09/2020