Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

Compliance with SCA in offline mode on an aircraft without internet connection

How can Strong Customer Authentication (SCA) be applied in an offline environment onboard an airplane when chip and pin cannot be verified with a Point of Sale (POS) device? Specifically, how is dynamic linking achieved in an offline mode for airlines who don't have internet connectivity but instead have a closed wireless network to be able to make purchases onboard an aircraft?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

AISPs and scope of application AML requirements

1. To what extent do AISPs need to comply with the obligations in relation to anti-money laundering and terrorist financing under Directive (EU) 2015/849 of the European Parliament?
2. Is a requirement for AISPs on the basis of national law and national supervisory practices to submit to the competent supervisor a description of the internal control mechanisms with regard to AML regulations compliant with PSD2 and EBA’s Guidelines on authorisation and registration under PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Report of fraud rates by issuers and acquirers

For card-based transactions:

  • When the issuer reports frauds under the EBA Guidelines on fraud reporting (EBA/GL/2018/05), shall the issuer provide information on the unauthorised transactions for which the acquirer has applied an exemption? If so, shall the issuer provide a break-down according to the different exemptions applied by the acquirer?
  • When the acquirer reports frauds under the EBA Guidelines on fraud reporting, shall the acquirer provide information on the unauthorised transactions for which the issuer has applied an exemption? If so, shall the acquirer provide a break-down according to the different exemptions applied by the issuer?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)

Transaction risk analysis (TRA) exemption – Calculation of fraud rate – Impact of unauthorized transactions on issuers and acquirers

In the case of card-based transactions, shall issuers include in their fraud rate calculation only the unauthorised transactions for which they apply strong customer authentication (SCA) or an exemption? Or, shall issuers also include unauthorised transactions for which the acquirer applies an exemption? Shall acquirers include in their fraud rate calculation only the unauthorised transactions for which they apply an exemption? Or shall acquirers also include unauthorised transactions for which the issuer applies an exemption?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Scope of the corporate SCA exemption

Does the corporate SCA exemption apply only if the payer initiates (and transmits) payments directly to their ASPSP and not for payments transmitted via a 3rd party service provider (i.e. a PISP)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

What is considered as a dedicated interface

Payment Service Users (PSUs) communicate with an account servicing payment service provider (ASPSP) via Web using HTTP while mobile PSUs and Third Party Providers (TPPs) via REST Application Programming Interfaces (APIs) but in all cases the processing is done by the same back-end server using the same credentials, authorisations and business logic. In the case of mobile and TPP channels, the APIs are similar and are exposed from the same ASPSP’s gateway. Any issue in the back-end server will result in downtime for all channels. Clarification is required whether this solution is considered as a dedicated interface or not.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

"Authorisation number" in eIDAS certificates

There are two possible interpretations of the Regulation (EU) 2018/389 (RTS) Article 34 paragraph (2) in the case of payment service providers registered in Member State “A”:

1) The authorisation number is the number of the resolution of the NCA (or its predecessor in title) authorising the provision of payment services for the specific PSP, which is not the same as the Registration number appearing in the NCA’s public register.
2) The authorisation number is the Registration number appearing in the NCA’s public register (which is a reference number formed based on the VAT number).

Please clarify whether interpretation 2) above is in line with the requirements of the RTS. Please clarify whether the 8-digit Registration number (based on the VAT number) appearing in the NCA’s public register, and appearing as “National Identification Number” in the EBA PSD2 register or as “National Reference” in the EBA credit institution register, can be used as the “authorisation number” in eIDAS certificates.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Compliance of (1) card data (2) SMS OTP and (3) EMV 3DS behaviour-based inherence as an authentication information with the requirements of PSD2 and RTS on SCA

Could the use of (1) card data (2) SMS One Time Password (OTP) and (3) Europay, MasterCard, Visa (EMV) 3-D secure (3DS) behaviour-based inherence information as an authentication solution be considered compliant with the PSD2 and RTS on strong customer authentication and secure communication requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Applicability of SCA to electronically processed SEPA Direct Debits / Interpretation of EBA Q&A 2018_4359

Are mandates for direct debits which are set up without direct involvement of the payer’s PSP subject to SCA requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Define what is “given period of time”

What constitutes a “given period of time” as expressed in Article 4.3 (b) of the RTS on strong customer authentication and secure communication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Inclusion of time taken for SCA in the performance KPI

Does the Key Performance Indicator (KPI) for the performance of the dedicated interface include the time taken for conducting Strong Customer Authentication (SCA)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Relying on vendor mechanisms processing the biometric data for strong customer authentication; Multiple fingerprint samples stored on a mobile device and used for purpose of user authentication.

Are the obligations of a payment service provider (PSP) laid down in the Article 8 of RTS on strong customer authentication and secure communication fulfilled in case the biometric credentials of customer are stored at the device level and the strong customer authentication itself is processed by the mobile device? In this context, are the obligations of the PSP laid down in Article 8 and 24 of RTS on Strong Customer Authentication fulfilled in case the mobile device stores multiple fingerprint samples for user authentication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

EBA register providing a list of third party providers (TPPs)

1° Does the EBA register under PSD2 provide a list of third party providers (TPPs)?
2° If yes:
  2.1 Could you provide a procedure to get a TPP list?
  2.2 Should we filter on services 5 (Payment Initiation Service Provider (PISP) / Card Based Payment Instrument Issuer (CBPII) use case), 7 Account Information Service Provider (AISP) and 8 Payment Initiation Service Provider (PISP) to get the complete list of TPPs?
  2.3 Agents can also provide services 5a, 7 and 8: in the downloadable JSON file, it is possible to find agents who are mandated by PSPs; however, the services offered by these agents are not indicated. Are the agents mandated by a PSP providing services 5a, 7 and 8 to be included in the TPP list?
  2.4 Is the registry downloadable automatically? If yes, how?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2019/411 - RTS on EBA register under PSD2

Wide usage portability between Member States

Could three months’ data, showing wide usage of the dedicated interface, produced in one Member State by a regulated entity (ASPSP) belonging to an ASPSP Group, be used as evidence to support the ‘widely used’ condition in a further Member State for a separate regulated entity (ASPSP) belonging to the same ASPSP Group, on the condition that both entities employ the same dedicated interface?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/07 - Guidelines on the exemption from the contingency mechanism under Regulation (EU) 2018/389

Separation of factors for strong customer authentication

If a mobile phone has two different e-banking apps on it, one for the banking agendas (a banking app where payments are initiated by entering a password, possibly in combination with OTPs) and one for receiving the SMS OTPs (authorisation app), would this scenario fulfil the PSD2 requirements of sufficient separation of both factors (since both factors reside on the same smartphone, but in different apps)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

TPP access only with PSU involvement

Can a Payment Service User (PSU) allow a Third Party Provider (TPP) access to his account only if he is involved?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Applicability of Article 34 (eIDAS certificates) prior to application date of Regulation (EU) 2018/389

Is the use of eIDAS certificates mandatory for accessing payment accounts via dedicated interfaces (APIs) already prior to the application date of the Commission Delegated Regulation (EU) 2018/389, i.e. 14 September 2019?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Identification and access for testing purposes of entities that are not authorised third party providers (TPPs)

How would account servicing payment service providers (ASPSPs) identify entities that have applied for authorisation as a TPP? Should ASPSPs offer access to their testing facility to entities that are not (i) authorised payment service providers or (ii) entities that have applied for authorisation as a TPP (e.g. technical service providers)? If the answer is ‘yes’, should ASPSPs offer the same level of service to the referred entities?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Scope - Limited network exclusion

Is there a geographical limitation with regard to a limited network of service providers?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable