
List of Q&As

Perform SCA by reusing an element used in an authentication exempted from SCA

When an element is used to access the payment account online, in the case the Payment Service Provider (PSP) is allowed not to apply Strong Customer Authentication (SCA) (only applying a single-factor authentication: login + password), is it possible to reuse this element to perform SCA to authenticate a transaction?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5516 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 25/09/2020

Transport and parking exemption for parking and electric vehicle charging

Does the transport and parking exemption under Article 12 of Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication apply to transactions at unattended terminals for the payment of a parking fee that includes electric charging?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5224 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 29/04/2020

Payment Initiation Scope and Trusted Beneficiaries

Should non-payment accounts be listed as trusted beneficiaries where they are exempted from Strong Customer Authentication (SCA) as Beneficiaries of a Payment Transaction?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5135 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 18/02/2020

Using Trusted Beneficiary Lists to Auto Reject PISP Transactions

Is an Account Servicing Payment Service Provider (ASPSP) able to block a Payment Initiation Services Provider (PISP) transaction before attempting Strong Customer Authentication (SCA) if the beneficiary account does not appear in the Payment Services User (PSU)'s regular payee list/trusted beneficiary list?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5115 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 10/02/2020

Strong Authentication

Is a one-time passcode (OTP) sent by mail considered as "Strong Customer Authentication" under Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4315 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 08/10/2018

Ability of static card data to be considered a possession factor?

Can static card data (card number PAN + cardholder name + Exp. Date + static CVV2/CVC2) be considered as a possession factor, and if so: is it strong enough to be a valid factor in a 2-factor Strong Customer Authentication (SCA)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4235 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 06/09/2018

SMS OTP and credit card as two authentication factors

Can we consider a credit card and a One Time Password (OTP) sent by SMS as two authentication factors?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4135 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 18/07/2018

Article 395 CRR – Shadow entities large exposure limits

If a bank invests through a vehicle, incorporated under the applicable Securitisation Law, with separate compartments per investor and where the pay-out of each Note is segregated per portfolio of loans, may each Note be deemed a separate shadow entity?

Legal act: Regulation (EU) No 575/2013 (CRR) as amended

COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2015/20 - Guidelines on limits on exposures to shadow banking entities which carry out banking activities outside a regulated framework under Article 395(2) of CRR

ID: 2019_4501 | Topic: Large exposures | Date of submission: 01/02/2019

Validation rules v2815_m to v2823_m between FINREP and AE

Are validation rules v2815_m to v2823_m between FinRep and AssetEncumbrance plausible if an institution has to report significant portfolios as 'held for sale' in accordance with IFRS 5, in particular taking into account the intention of AssetEncumbrance?

Legal act: Regulation (EU) No 575/2013 (CRR) as amended

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) No 680/2014 - ITS on supervisory reporting of institutions (as amended)

ID: 2019_4744 | Topic: Supervisory reporting - Asset Encumbrance | Date of submission: 27/05/2019

Incorrect validation rule - deposits guarantee scheme

We think that the validation rule v4134_m is incorrect.

Legal act: Regulation (EU) No 575/2013 (CRR) as amended

COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2014/04 - Guidelines on harmonised definitions and templates for funding plans of credit institutions

ID: 2017_3502 | Topic: Supervisory reporting - Funding Plans | Date of submission: 30/08/2017

Termination rights – Distinguishing between Guidelines which are directed towards ‘all outsourcing arrangements’ from those that are directed towards ‘outsourcing arrangements for critical and important functions’

Are paragraphs 98 and 99 (section 13.4) of EBA/GL/2019/02 - Guidelines on outsourcing arrangements directed towards ‘outsourcing arrangements for critical and important functions’ only or ‘all outsourcing arrangements’?

Legal act: Regulation (EU) No 575/2013 (CRR) as amended

COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ID: 2019_4782 | Topic: Internal governance | Date of submission: 17/06/2019

Authorisation for the provision of PIS and AIS on behalf of other legal entities belonging to the same corporate group

In a corporate group which is not listed in the register of banking groups and in which there is both an electronic money institution and a credit institution, can the electronic money institution offer payment initiation services (PIS) and account information services (AIS), including on behalf of the group’s credit institution that also provides the same service? Must the electronic money institution, as a service provider offering PIS and AIS to clients of the group’s credit institution, present its own certificate, the group certificate, or the credit institution’s certificate to the other account servicing payment service providers (ASPSPs)? Or, as it is merely a service provider, is it the credit institution’s certificate that should be displayed? Can a corporate group request a group certificate to present to the other ASPSPs and/or third party providers (TPPs)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4752 | Topic: Authorisation and registration | Date of submission: 29/05/2019

Losses due to fraud per liability bearer

Please clarify the requirement in guideline 1.6(b) of the EBA Guidelines on fraud reporting under PSD2 with regard to recognising losses due to fraud per liability bearer.

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - EBA Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)

ID: 2019_5008 | Topic: Fraud reporting | Date of submission: 19/11/2019

SCA profiles and multiple-use of devices

Can multiple users use the same device (i.e. a smartphone) and have different strong customer authentication (SCA) profiles on the same device?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4560 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 19/02/2019

Relying on vendor mechanisms processing the biometric data for strong customer authentication; Multiple fingerprint samples stored on a mobile device and used for purpose of user authentication.

Are the obligations of a payment service provider (PSP) laid down in Article 8 of the RTS on strong customer authentication and secure communication fulfilled in case the biometric credentials of the customer are stored at the device level and the strong customer authentication itself is processed by the mobile device? In this context, are the obligations of the PSP laid down in Articles 8 and 24 of the RTS on Strong Customer Authentication fulfilled in case the mobile device stores multiple fingerprint samples for user authentication?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4651 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 01/04/2019

Delayed or deferred PIN for wearable devices

Is the PIN entered when the cardholder puts the wearable device on still valid as a knowledge element for one or several transactions later the same day, if it can be ensured that the device has not been taken off?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4783 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 17/06/2019

Whitelisting

Will a clearing house for distribution be enabled to facilitate the on-going maintenance of the whitelisting process?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4800 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 19/06/2019

Failed Authentication Code

Please clarify under what circumstances it might be impossible to apply Article 4 Paragraph 3(a) of Regulation (EU) 2018/389 – RTS on SCA and SC in remote authentication where SMS-based One Time Passwords (OTPs) are used as the authentication method.

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4875 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 16/08/2019

Authentication code

Is an extra strong customer authentication (SCA) required, after logging in (with or without SCA) to the mobile application, to initiate the provisioning step to add the customer's card to a third party wallet (e.g. Apple Pay or Google Pay)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4910 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 12/09/2019

SCA for contactless payments at a POS executed via a mobile device

1) Can we consider the strong customer authentication (SCA) outsourced from the issuer of cards to the payer? 2) Is it necessary for the issuer of the cards to perform SCA based on the elements of identification that are beyond its control?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4937 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 07/10/2019