Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

Application of the strong customer authentication (SCA) in case of refund

Is a refund, which is considered as an electronic payment transaction, subject to strong customer authentication (SCA)? Is a merchant that initiates a refund request considered as a payer? If so, does a payment service provider (PSP) that holds the payment account of a merchant have to set up SCA each time its merchant makes a refund from its payment account?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Account Data required by an ASPSP to execute a payment order via a PISP

In the context of Payment Initiation Service (PIS) where a Payment Service User (PSU) payment order is to be carried out, the Payment Initiation Service Provider (PISP) accesses the PSU e-banking account to require a payment. The PSU may: a) hold a single payment account to be debited or b) hold multiple payment accounts where only one of them is to be debited to finalize the payment order (in this case the PSU has to select a payment account). With reference to both use cases and in the presence of an Account Servicing Payment Service Provider (ASPSP)’s dedicated interface, may the PSU be obliged to enter the IBAN of the account to be debited each time she/he initiates a transaction? Is the PISP always required to report the account number to be debited in the payment request or may this parameter be managed bilaterally among ASPSP and PSU (e.g.: default payment account, drop-down selection menu during the strong customer authentication (SCA) procedure, communication over Out-of-Band (OOB) channels, etc.)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Tokenised card details as an SCA possession element

In relation to card tokenisation that can be used for the purposes of various payment solutions, does the token that is created from the card details qualify as a “possession element” according to the strong customer authentication (SCA) requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Scope of contingency mechanism

Should the interfaces – referred to in Article 33(4) of the RTS - be interpreted to include not only the internet banking interface of the account servicing payment service provider (ASPSP) but also its proprietary mobile banking interface?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

3 month notification period on interface changes to ASPSPs’ interfaces

Do account servicing payment service providers (ASPSPs) need to adhere to a 3 month notification period for all interface changes, or only for breaking interface changes, as specified in the RTS on strong customer authentication (SCA) and secure communication (CSC) Article 30 Paragraph 4?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

The amount of a card payment transaction authorised online in HRK

Please clarify for card payment transactions authorised by the Payment Services User (PSU) in Member State A’s currency online on a web shop of an EU merchant that has a domain extension of Member State A, but that is not a Member State A merchant. The payment service provider is an EU acquirer (not from Member State A). The Member State A’s Payment Services Provider (PSP) issuing the payment card charges the PSU a different amount in Member State A’s currency (different from the amount that has been authorised). The difference between the original and charged amounts is caused by a currency conversion due to a card transactions settlement in another currency (EUR, USD, etc.) in the Payment Scheme.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Whitelisting

Will a clearing house for distribution be enabled to facilitate the on-going maintenance of the whitelisting process?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Merchant IDs and SCA

In the situation where Strong Consumer Authentication (SCA) was completed at the time of completing a hotel booking by an Online Travel Agent (OTA) or hotelbrand.com under their Merchant ID but the actual payment will take place at the time of arrival: will the SCA authentication token remain valid for the hotel (merchant) making the charges and its respective Merchant ID?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Intermediaries and Merchant-ID

In the hotel industry, given that when a customer reserves a room, a payment is often not taken at this time, should an entity (intermediary, online travel agent or brand/hotel group) that collects payment details from a customer also facilitate strong customer authentication (SCA), regardless of when or by whom the actual payment transaction may be processed? If yes, should the customer be explicitly informed of the entities involved in order for their consent to be valid?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Validity of SCA

If strong customer authentication (SCA) is required at the time of booking which is more than 90 days before the guest’s arrival, will hotels be able to process the payment at location with an expired authentication token? If not, can an SCA be renewed and who would be responsible for doing so?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Consumer mandate under Merchant Initiated Transactions

Terms and Conditions to outline future charges (under Merchant Initiated Transactions (MITs)) may be disclosed by the booking entity (such as online travel agent or brand/hotel group) instead of the hotel merchant. Does the consumer acknowledgement of these terms through a party other than the merchant (in this case, the hotel) meet the MIT requirement? Will the merchant in this situation continue to be the hotel, instead of the intermediary?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Merchant Initiated Transactions exemption for hotel transactions

For the following scenarios, does digital acknowledgement by the consumer at time of booking that subsequent charges may be collected adequately meet the requirement for Merchant Initiated Transactions if SCA is also taken at time of booking:

  i. total room charges and applicable taxes disclosed to the consumer when a prepaid rate has been selected.
  ii. deposit amount disclosed to the consumer when the reservation requires payment of a deposit to guarantee the booked room and/or dates.
  iii. disclosed late cancellation or no-show fee incurred by the consumer if the consumer fails to cancel their reservation per the disclosed cancellation policy.
  iv. disclosed descriptions of types of charges that will be processed by the hotel merchant if incurred after payment for the stay has been settled. Examples include but are not limited to charge-to-room meals, spa treatments, retail purchases, mini-bar consumption identified by housekeeping and room damage.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Processing payments for hotel reservations

Can hotels continue to process payments for which strong customer authentication (SCA) has not been completed at the time of reservation, or for charges which do not become apparent until after the customer has departed the hotel and for which he/she may refuse to conclude a first or additional SCA?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Keyed Mail Order or Telephone Order (MO-TO) transactions

In the hotel industry, if a consumer contacts the hotel directly to make a reservation, the hotel may need to manually key the payment details into their payment terminals. Does this qualify as a Mail Order or Telephone Order (MO-TO) transaction?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Treatment of electronic bookings similar to Mail Order and Telephone Orders (MO-TO) transactions

Would hotel use-cases, which include reservations taken by third parties (such as online travel agents or brand/hotel group) for the merchant and subsequent transactions (such as post-booking processing of prepaid rates or deposits, processing of cancellation/no-show fees, processing of post-checkout charges) fall under the scope of Mail Order and Telephone Orders (MO-TO) transactions and are they therefore excluded from the strong customer authentication (SCA) requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Unsuccessful authentications and declined transactions effect on the counters of cumulative amount and number of consecutive transactions

Do failed authentications or declined transactions increase the counters of cumulative amount or number of hits?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Delayed or deferred PIN for wearable devices

Is the PIN entered when the cardholder puts a wearable device on still valid as a knowledge element for one or several transactions later the same day, if it can be ensured that the device has not been taken off?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

More than one transaction from a single consumer initiated transaction

When a consumer elects to add an additional item to their purchase at the time of checkout (a cross sale) they are making two purchases from two different merchants in a single session. Is SCA required for both of these transactions? This would make the user experience very clumsy and awkward as the consumer would have to go through SCA twice in a row during a single checkout.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Requirement for credit institutions and electronic money institutions wishing to offer PIS and AIS to take out professional indemnity insurance or a comparable guarantee

Can an electronic money institution or a credit institution wishing to offer Payment Initiation Service (PIS) and Account information service (AIS) consider its own funds to be a guarantee that is comparable to professional indemnity insurance (PII)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2017/08 - Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance

Authorisation for the provision of PIS and AIS on behalf of other legal entities belonging to the same corporate group

In a corporate group which is not listed in the register of banking groups and in which there is both an electronic money institution and a credit institution, can the electronic money institution offer payment initiation services (PIS) and account information services (AIS), including on behalf of the group’s credit institution that also provides the same service? Must the electronic money institution as a service provider offering PIS and AIS to clients of the group’s credit institution provide its own certificate, the group certificate, or the credit institution’s certificate to the other account servicing payment service providers (ASPSPs)? Or, as it is merely a service provider, is it the credit institution’s certificate that should be displayed? Can a corporate group request a group certificate to provide to the other ASPSPs and/or third party providers (TPPs)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication