Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

EBA register providing a list of third party providers (TPPs)

1° Does the EBA register under PSD2 provide a list of third party providers (TPPs)?
2° If yes:
2.1 Could you provide a procedure to get a TPP list?
2.2 Should we filter on services 5 (Payment Initiation Service Provider (PISP) / Card Based Payment Instrument Issuer (CBPII) use case), 7 Account Information Service Provider (AISP) and 8 Payment Initiation Service Provider (PISP) to get the complete list of TPP?
2.3 Agents can also provide services 5a, 7 and 8: In the downloadable JSON file, it is possible to find agents who are mandated by PSPs; however, the services offered by these agents are not indicated. Are the agents mandated by a PSP providing services 5A, 7 and 8 to be included in the TPP list?
2.4 Is the registry downloadable automatically? If yes, how?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2019/411 - RTS on EBA register under PSD2

Wide usage portability between Member States

Could three months’ data, showing wide usage of the dedicated interface, produced in one Member State by a regulated entity (ASPSP) belonging to an ASPSP Group, be used as evidence to support the ‘widely used’ condition in a further Member State for a separate regulated entity (ASPSP) belonging to the same ASPSP Group, on the condition that both entities employ the same dedicated interface?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/07 - Guidelines on the exemption from the contingency mechanism under Regulation (EU) 2018/389

Separation of factors for strong customer authentication

If a mobile phone has two different e-banking apps on it, one for the banking agendas (a banking app where payments are initiated by entering password, possibly in combination with OTPs) and one for receiving the SMS OTPs (authorization app), would this scenario fulfill the PSD2 requirements of sufficient separation of both factors (since both factors reside on the same smartphone, but in different apps)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

TPP access only with PSU involvement

Can a Payment Service User (PSU) allow a Third party provider (TPP) the access to his account only if he is involved?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Applicability of Article 34 (eIDAS certificates) prior to application date of Regulation (EU) 2018/389

Is the use of eIDAS certificates mandatory for accessing payment accounts via dedicated interfaces (APIs) already prior to the application date of the Commission Delegated Regulation (EU) 2018/389, i.e. 14 September 2019?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Identification and access for testing purposes of entities that are not authorised third party providers (TPPs)

How would account servicing payment service providers (ASPSPs) identify entities that have applied for authorisation as a TPP? Should ASPSPs offer access to their testing facility to entities that are not (i) authorised payment service providers or (ii) entities that have applied for authorisation as a TPP (e.g. technical service providers)? If the answer is ‘yes’, should ASPSPs offer the same level of service to the referred entities?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Scope - Limited network exclusion

Is there a geographical limitation with regard to a limited network of service providers?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ASPSP providing updated payment status to PISP

Are account servicing payment service providers (ASPSPs) required to provide information on the initiation and execution of the payment transaction, including updates, in order for a payment initiation service provider (PISP) to comply with Article 46(a) PSD2 and pursuant to Article 36(1)(b) RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Definition of an electronic remote payment transaction

What are the demarcation criteria of the term ‘remote payment transaction’, which is an essential term in the RTS on SCA and CSC?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Requirement on the use of a Qualified Certificate for Electronic Seals (QSealC) for integrity and authenticity

Please clarify whether in the EBA’s Opinion on the use of eIDAS under the RTS on SCA and CSC, under Paragraph 11, Qualified Electronic Seals employing a Qualified Seal creation Device are required to provide integrity and authenticity through the reference to Article 35(2) of Regulation (EU) No 910/2014?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Surcharging

Is a ‘foreign exchange margin’ or ‘currency conversion fee’ different from a ‘surcharge’ and do different foreign exchange margins above the ECB mid-market rate not constitute a surcharge?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Immediate Refund by the Payment Service Provider of unauthorised SEPA Direct Debit transactions after 8 weeks.

Our question is related to ‘unauthorised’ transactions, and as from when it is qualified as unauthorised? Is this as soon as any payment service user claims that the transaction is unauthorised? Or is this as soon as the payment service provider analysed if the transaction is really unauthorised?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Exemptions from Strong Customer Authentication (SCA): credit transfers

Can the exemption under Article 15 of the RTS on SCA be applied to credit transfers between a personal account and a business account held by the same person?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

SCA profiles and multiple-use of devices

Can multiple users use the same device (i.e. smartphone) and have different strong customer authentication (SCA) profiles on the same device?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Definition of payee for dynamic linking

Article 5 of the RTS on strong customer authentication and secure communication requires the authentication code to be specific to the amount of the payment transaction and the payee. Does it suffice to include a meaningful part of the identifier into the calculation of the authentication code? For instance, would it suffice to include only numeric characters of the IBAN in the calculation of the authentication code?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Insurance policy on minimum monetary amount of the professional indemnity insurance of PSD2

If an e-money payment institution (for the purpose of new PSD2 services - Payment Initiation Service Provider (PISP) and Account Information Service Provider (AISP)) in line with insurance industry standards signed an insurance policy with insurance company for several thousand/million euros with franchise deductible (e.g. in the amount of 25k EUR), fulfills adequate capital requirements and is being regularly monitored by the regulator (local central bank), does the above mentioned insurance policy violate guidelines rule that the insurance policy should not have any excess, deductible or any threshold that could prejudice repayments or do we understand it correctly that such insurance policy does not in any case prejudice that potential refunds requests will not be refunded and it as such fulfills guideline requirements? We understand that such insurance does not prejudice any repayments.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2017/08 - Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance

Strong Customer Authentication (SCA) possession element requirement for cryptographic validation

For a device to be considered possession:
a) should the device perform "cryptographically underpinned validity assertions using keys or cryptographic material stored in" the device?
b) should the device be in the physical possession of the Payment Service User (PSU)? I.e. it cannot be held and operated remotely.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Content of eIDAS certificates if agents or outsource providers are involved

Who shall be the Subject Distinguished Name (DN) in the situation described in EBA Opinion on eIDAS (EBA-Op-2018-7) item 21? Does information on agents or outsource providers have to show up in the certificates?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Revocation of future dated Payment Initiation Services (PIS) payments

Is the Bank (an ‘Account Servicing Payment Service Provider’ (ASPSP)) prohibited under PSD2 from acting on the following unsolicited customer instruction: Customer asks their Bank to cancel a future-dated payment, or a series of recurring future-dated payments - where the original consent for the payment(s) was given by the customer to a Payment Initiation Services Provider (PISP). In this scenario, is the Bank required to advise the customer that the Bank cannot accept the customer’s instruction to revoke these future payments; and that only a revocation instruction received via the PISP can be accepted by the Bank?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Strong customer authentication requirement on pay-by-invoice payment transactions

Does Article 97(1)(b) PSD2 apply for pay-by-invoice when the payer's funds are covered by a credit line extended by a payment service provider?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable