Search for Q&As

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

ASPSP providing updated payment status to PISP

Are account servicing payment service providers (ASPSPs) required to provide information on the initiation and execution of the payment transaction, including updates, in order for a payment initiation service provider (PISP) to comply with Article 46(a) PSD2 and pursuant to Article 36(1)(b) RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Definition of an electronic remote payment transaction

What are the demarcation criteria of the term "remote payment transaction", which is an essential term in the RTS on SCA and CSC?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Requirement on the use of a Qualified Certificate for Electronic Seals (QSealC) for integrity and authenticity

Please clarify whether in the EBA’s Opinion on the use of eIDAS under the RTS on SCA and CSC, under Paragraph 11, Qualified Electronic Seals employing a Qualified Seal creation Device are required to provide integrity and authenticity through the reference to Article 35(2) of Regulation (EU) No 910/2014?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Surcharging

Is a ‘foreign exchange margin’ or ‘currency conversion fee’ different from a ‘surcharge’ and do different foreign exchange margins above the ECB mid-market rate not constitute a surcharge?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Immediate Refund by the Payment Service Provider of unauthorised SEPA Direct Debit transactions after 8 weeks.

Our question is related to ‘unauthorised’ transactions, and as from when it is qualified as unauthorised? Is this as soon as any payment service user claims that the transaction is unauthorised? Or is this as soon as the payment service provider analysed if the transaction is really unauthorised?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Exemptions from Strong Customer Authentication (SCA): credit transfers

Can the exemption under Article 15 of the RTS on SCA be applied to credit transfers between a personal account and a business account held by the same person?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

SCA profiles and multiple-use of devices

Can multiple users use the same device (i.e. smartphone) and have different strong customer authentication (SCA) profiles on the same device?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Definition of payee for dynamic linking

Article 5 of the RTS on strong customer authentication and secure communication requires the authentication code to be specific to the amount of the payment transaction and the payee. Does it suffice to include a meaningful part of the identifier into the calculation of the authentication code? For instance, would it suffice to include only numeric characters of the IBAN in the calculation of the authentication code?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Insurance policy on minimum monetary amount of the professional indemnity insurance of PSD2

If an e-money payment institution (for the purpose of new PSD2 services - Payment Initiation Service Provider (PISP) and Account Information Service Provider (AISP)) in line with insurance industry standards signed an insurance policy with insurance company for several thousand/million euros with franchise deductible (e.g. in the amount of 25k EUR), fulfills adequate capital requirements and is being regularly monitored by the regulator (local central bank), does the above mentioned insurance policy violate guidelines rule that the insurance policy should not have any excess, deductible or any threshold that could prejudice repayments or do we understand it correctly that such insurance policy does not in any case prejudice that potential refunds requests will not be refunded and it as such fulfills guideline requirements? We understand that such insurance does not prejudice any repayments.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2017/08 - Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance

Strong Customer Authentication (SCA) possession element requirement for cryptographic validation

For a device to be considered possession: a) should the device perform "cryptographically underpinned validity assertions using keys or cryptographic material stored in" the device? b) should the device be in the physical possession of the Payment Service User (PSU)? I.e. it cannot be held and operated remotely.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Content of eIDAS certificates if agents or outsource providers are involved

Who shall be the Subject Distinguished Name (DN) in the situation described in EBA Opinion on eIDAS (EBA-Op-2018-7) item 21? Does information on agents or outsource providers have to show up in the certificates?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Revocation of future dated Payment Initiation Services (PIS) payments

Is the Bank (an ‘Account Servicing Payment Service Provider’ (ASPSP)) prohibited under PSD2 from acting on the following unsolicited customer instruction: Customer asks their Bank to cancel a future-dated payment, or a series of recurring future-dated payments - where the original consent for the payment(s) was given by the customer to a Payment Initiation Services Provider (PISP). In this scenario, is the Bank required to advise the customer that the Bank cannot accept the customer’s instruction to revoke these future payments; and that only a revocation instruction received via the PISP can be accepted by the Bank?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Strong customer authentication requirement on pay-by-invoice payment transactions

Does Article 97(1)(b) PSD2 apply for pay-by-invoice when the payer's funds are covered by a credit line extended by a payment service provider?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Unattended terminals and Transaction Risk Analysis (TRA) exemption and related Payment Service Providers (PSP)’s liabilities rules

Provided that both the payer’s Payment Service Provider (PSP) and the payee’s PSP can apply the strong customer authentication (SCA) exemption, without prejudice to the last say of the payer’s PSP, can a payment made at highway toll booths be treated as the one performed at the unattended terminals for transport fares?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Potential inconsistency on the application of Strong Customer Authentication exemptions to AISPs

Shall Account Servicing Payment Service Providers (ASPSPs) always grant Account Information Service Providers (AISPs) to be exempted from Strong Customer Authentication (SCA) according to rules defined in Article 10 of the RTS on strong customer authentication and secure communication (Delegated Regulation (EU) 2018/389), or is the final decision to apply such exemption always up to the ASPSP?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Revocation / Invalidation of SCA proof before execution date

In order for a payment instruction to be regarded as 'authorised', is the Account Servicing Payment Service Provider (ASPSP) obliged to verify the strong customer authentication (SCA) proof immediately prior to the execution of each future dated payment instruction? If the ASPSP fails to re-verify the SCA proof, can the ASPSP hold the payer liable in the event of fraud?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Fraud rate calculation for TRA exemption – country dimension

Could – or should – the fraud rate for the TRA exemption be calculated per member state where a PSP provides payment services (one legal entity with branches in different countries), or should the fraud rate be aggregated as one for the whole legal entity?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Dynamic Linking for batch payments

With regards to dynamic linking for a batch of remote electronic payments, should the authentication code be linked to each and every IBAN of all the beneficiaries in a batch file?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Passporting and eIDAS certificates

Do account servicing payment service providers (ASPSPs) have to check that third party providers (TPPs) are authorised to operate in their Member State via freedom to deliver services passporting? If so, how shall this be done?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Application of the Low Value Transaction Limits

Should the limits according to Article 16 RTS be applied to the account itself (account holder and authorized persons together) or should they be applied to the account holder (owner) and each authorized person (i.e. proxy of account holder) separately? Subsequently, should the limits be applied to all remote payment transactions together or should e.g. card transactions and credit transfers be counted separately? Also, should the limit be applied to all cards belonging to one person together or should the limit be applied to each card separately?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication