Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

Safeguarding requirements

Are transactions where both the payer and the payee are outside the EEA (e.g. a transfer between China and Hong Kong) outside the scope of the safeguarding requirements or not?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Interpretation of payment instrument

What devices or procedures can be considered as a payment instrument as per Art. 4(14) of PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Authentication code

Is an extra strong customer authentication (SCA) required, after logging in (with or without SCA) in the mobile application, to initiate the provisioning step to add the customer's card to a third party wallet (e.g. Apple or Google Pay)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Failed Authentication Code

Please clarify under what circumstances it might be impossible to apply Article 4 Paragraph 3(a) of the Regulation (EU) 2018/389 – RTS on SCA and SC in remote authentication where SMS-based one-time passwords (OTPs) are used as the authentication method.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Roles that can be assigned to electronic money institutions in certificates

Please clarify which roles may be assigned to electronic money institutions (EU 2015/2366 Art 1(1) b) by qualified trust service providers (QTSPs) in the certificates. There seems to be some contradiction between EU 2015/2366 Art 11(1) and the EBA Opinion on the use of eIDAS certificates under the RTS on SCA and CSC (EBA-Op-2018-7) item 26.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Reporting of card transactions that are out-of-scope from the requirement for SCA

In the Fraud Reporting, how should payment service providers (PSPs) report card transactions without Strong Customer Authentication (SCA) that are out of scope of the requirement for SCA, i.e. one-leg transactions and merchant-initiated transactions?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Type of accounts accessible through common and secure communication

Should credit lines (namely “credit cards accounts”), accessible online, be available to Account Information Service Provider (AISP), Payment Initiation Service Provider (PISP) and Card Based Payment Instrument Issuer (CBPII)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Application of the strong customer authentication (SCA) in case of refund

Is a refund, which is considered as an electronic payment transaction, subject to strong customer authentication (SCA)? Is a merchant that initiates a refund request considered as a payer? If so, does a Payment service provider (PSP), that holds the payment account of a Merchant, have to set up SCA each time its Merchant is doing a refund from its payment account?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Account Data required by an ASPSP to execute a payment order via a PISP

In the context of Payment Initiation Service (PIS) where a Payment Service User (PSU) payment order is to be carried out, the Payment Initiation Service Provider (PISP) accesses the PSU e-banking account to require a payment. The PSU may: a) hold a single payment account to be debited or b) hold multiple payment accounts where only one of them is to be debited to finalize the payment order (in this case the PSU has to select a payment account). With reference to both use cases and in the presence of an Account Servicing Payment Service Provider (ASPSP)’s dedicated interface, may the PSU be obliged to enter the IBAN of the account to be debited each time she/he initiates a transaction? Is the PISP always required to report the account number to be debited in the payment request or may this parameter be managed bilaterally among ASPSP and PSU (e.g.: default payment account, drop-down selection menu during the strong customer authentication (SCA) procedure, communication over Out-of-Band (OOB) channels, etc.)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Tokenised card details as an SCA possession element

In relation to card tokenisation that can be used for the purposes of various payment solutions, does the token that is created from the card details qualify as a “possession element” according to the strong customer authentication (SCA) requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Scope of contingency mechanism

Should the interfaces – referred to in Article 33(4) of the RTS - be interpreted to include not only the internet banking interface of the account servicing payment service provider (ASPSP) but also its proprietary mobile banking interface?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

3-month notification period on interface changes to ASPSPs’ interfaces

Do account servicing payment service providers (ASPSPs) need to adhere to a 3-month notification period for all interface changes, or only for breaking interface changes, as specified in the RTS on strong customer authentication (SCA) and secure communication (CSC) Article 30 Paragraph 4?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

The amount of a card payment transaction authorised online in HRK

Please clarify for card payment transactions authorised by the Payment Services User (PSU) in Member State A’s currency online on a web shop of an EU merchant that has a domain extension of Member State A, but that is not a Member State A merchant. The payment service provider is an EU acquirer (not from Member State A). The Member State A’s Payment Services Provider (PSP) issuing the payment card charges the PSU a different amount in Member State A’s currency (different from the amount that has been authorised). The difference between the original and charged amounts is caused by a currency conversion due to a card transactions settlement in another currency (EUR, USD, etc.) in the Payment Scheme.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Whitelisting

Will a clearing house for distribution be enabled to facilitate the on-going maintenance of the whitelisting process?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Merchant IDs and SCA

In the situation where Strong Consumer Authentication (SCA) was completed at the time of completing a hotel booking by an Online Travel Agent (OTA) or hotelbrand.com under their Merchant ID but the actual payment will take place at the time of arrival: will the SCA authentication token remain valid for the hotel (merchant) making the charges and its respective Merchant ID?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Intermediaries and Merchant-ID

In the hotel industry, given that when a customer reserves a room, a payment is often not taken at this time, should an entity (intermediary, online travel agent or brand/hotel group) that collects payment details from a customer also facilitate strong customer authentication (SCA), regardless of when or by whom the actual payment transaction may be processed? If yes, should the customer be explicitly informed of the entities involved in order for their consent to be valid?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Validity of SCA

If strong customer authentication (SCA) is required at the time of booking which is more than 90 days before the guest’s arrival, will hotels be able to process the payment at location with an expired authentication token? If not, can an SCA be renewed and who would be responsible for doing so?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Consumer mandate under Merchant Initiated Transactions

Terms and Conditions to outline future charges (under Merchant Initiated Transactions (MITs)) may be disclosed by the booking entity (such as online travel agent or brand/hotel group) instead of the hotel merchant. Does the consumer acknowledgement of these terms through a party other than the merchant (in this case, the hotel) meet the MIT requirement? Will the merchant in this situation continue to be the hotel, instead of the intermediary?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Merchant Initiated Transactions exemption for hotel transactions

For the following scenarios, does digital acknowledgement by the consumer at time of booking that subsequent charges may be collected adequately meet the requirement for Merchant Initiated Transactions if SCA is also taken at time of booking:

  i. total room charges and applicable taxes disclosed to the consumer when a prepaid rate has been selected.
  ii. deposit amount disclosed to the consumer when the reservation requires payment of a deposit to guarantee the booked room and/or dates.
  iii. disclosed late cancellation or no-show fee incurred by the consumer if the consumer fails to cancel their reservation per the disclosed cancellation policy.
  iv. disclosed descriptions of types of charges that will be processed by the hotel merchant if incurred after payment for the stay has been settled. Examples include but are not limited to charge-to-room meals, spa treatments, retail purchases, mini-bar consumption identified by housekeeping and room damage.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Processing payments for hotel reservations

Can hotels continue to process payments for which strong customer authentication (SCA) has not been completed at the time of reservation, or for charges which do not become apparent until after the customer has departed the hotel and for which he/she may refuse to conclude a first or additional SCA?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication