Search for Q&As Submit a question

List of Q&As

Clarification of remote payment for dynamic linking

Is a SEPA Credit Transfer (SCT) transaction, whereby a user mobile phone interacts locally via Near Field Communication (NFC) with a merchant payment terminal to initiate the SCT transaction, whereby the user mobile phone does not communicate remotely over a mobile network for this purpose but whereby the payment terminal connects on-line to a payment system and handles the required strong customer authentication (SCA) through this on-line channel, considered an electronic remote payment transaction?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5247 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 12/05/2020 | Date of publication: 13/04/2022

Payment Initiation Service - Batch payment / bulk payment

Can you apply the PSD2 non-discrimination principle to batch/bulk payment?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2021_6236 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 12/10/2021 | Date of publication: 13/04/2022

Application of the exemption under Article 10 RTS and EBICS T

Can an Account Servicing Payment Service Provider (ASPSP) consider that it is not applying the Article 10 Exemption under the Commission Delegated Regulation (EU) 2018/389 “at all” where it permits its Payment Services Users (PSUs) to access balances and transactions information through another direct interface (such as Electronic Banking Internet Communication Standard (EBICS) T) with no systematic or daily strong customer authentication (SCA)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2021_6235 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 12/10/2021 | Date of publication: 13/04/2022

Re-engineering by TPP of the ASPSP’s redirect API and PSU customer journey

May a Payment Initiation Services Provider (PISP) connect to the dedicated interface of the ASPSP, only to subsequently embed (“screen scrape”) the redirection approach into their own environment, without redirecting the PSU to the ASPSP’s mobile banking app, for authentication?  Are Third-Party Providers (TPPs) allowed to re-engineer the customer journey designed by the ASPSP to the effect that authentication of the PSU will take place in the TPP domain?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2021_6044 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 21/06/2021 | Date of publication: 13/04/2022

SCA requirements with dynamic linking for mobile initiated credit transfers (MSCTs)

Can mobile initiated credit transfers (MSCT) solutions whereby a proximity technology (e.g. NFC, QR-code, BLE, etc.) is used for the exchange of payer identification data between the payer’s mobile device and the payee’s payment terminal but a mobile network is used (e.g. by a dedicated app) on the payer’s mobile device for the payer authentication, be considered as a proximity payment whereby strong customer authentication (SCA) may apply without requiring dynamic linking?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5367 | Topic: Other topics | Date of submission: 14/07/2020 | Date of publication: 13/04/2022

Individual's name to return in AISP/PISP calls

Is the name returned in an Account Information Service Provider (AISP) / Payment Initiation Service Provider (PISP) call expected to be that of the Payment Service User (PSU) who has initiated the transaction with the Third Party Provide (TPP), or of the actual account owner/holder?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5165 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 09/03/2020 | Date of publication: 18/03/2022

Mount unattended contactless device on general goods vending machines

With the limits described in Articles 11 and 16 of the Regulatory Technical Standards on strong customer authentication and secure communication under Directive 2015/2366/EU (PSD2), could a vendor mount an unattended "contactless only" device without pinpad on a general goods vending machine?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5288 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 03/06/2020 | Date of publication: 11/03/2022

Definition of an electronic remote payment transaction

What are the demarcation criteria of the term „remote payment transaction“, which is an essential term in the RTS on SCA and CSC?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4594 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 04/03/2019 | Date of publication: 21/01/2022

SCA for staff assisted electronic channel

Please clarify where a customer is physically present and identified in branch, the strong customer authentication (SCA) requirements if that customer completes a Standing Order instruction (Setup, Amend or Cancel) or initiates a credit transfer through a staff assisted electronic channel (i.e. tablet device)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5124 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 13/02/2020 | Date of publication: 21/01/2022

Association of personalised security credentials to the payment service user

Should strong customer authentication (SCA) elements always be issued under control of the Account service Payment Services Provider (ASPSP)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2021_6141 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 06/08/2021 | Date of publication: 17/12/2021

Confirmation of Funds (CoF) request by a PISP in case of batch processing system

With respect to confirmation of funds request made by a Payment Initiation Service Provider (PISP), in the event that the Account Servicing Payment Service Providers (ASPSP) makes use of a batch processing system, should the ASPSP take into account batches that are in the queue waiting to be processed at the point when the fund confirmation request is made?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2021_6077 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 06/07/2021 | Date of publication: 17/12/2021

Payers right to make use of payment initiation service providers for all types of payment transactions

Shall payers be able to make use of payment initiation service providers for transmitting all types of credit-transfer based online payment orders from their payment accounts?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5498 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 11/09/2020 | Date of publication: 17/12/2021

Alternative strong customer authentication for citizens without mobile

Why does the PSD2 allow banks to deny the access to the electronic financial services to customers without a mobile but with a PC?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5325 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 21/06/2020 | Date of publication: 17/12/2021

Revocation / Invalidation of SCA proof before execution date

In order for a payment instruction to be regarded as 'authorised', is the Account Servicing Payment Service Provider (ASPSP) obliged to verify the strong customer authentication (SCA) proof immediately prior to the execution of each future dated payment instruction? If the ASPSP fails to re-verify the SCA proof, can the ASPSP hold the payer liable in the event of fraud?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4440 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 28/12/2018 | Date of publication: 17/12/2021

Home / host cooperation

Should banks notify only National Competent Authorities (NCAs) of the home Member State when they use Strong customer authentication (SCA) exemptions on Secure corporate payment processes and protocols  (Article 17 of Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication) and Transaction risk analysis (Article 18 of the Delegated Regulation)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4170 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 30/07/2018 | Date of publication: 17/12/2021

Scope of “additional registrations” as obstacles in the sense of Article 32(3) Delegated Regulation (EU) 2018/389

Is a process that requires Third Party Providers (TPPs) to upload an electronic IDentification, Authentication and trust Services (eIDAS) certificate for receiving additional client credentials before first access to a payment account provided by an Account Servicing Payment Service Provider (ASPSP) to be considered an “additional registration” and therefore an obstacle?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2021_6029 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 04/06/2021 | Date of publication: 17/12/2021

Elements of possession (SIM card) and knowledge (knowledge-based responses to challenges or questions)

1. Can evidence of possession (SIM card) can also be verified by reading and identifying the phone number used for the phone call? 2. Can a knowledge element be based on a) transaction history of the customer; b) contact information of the customer?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5215 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 21/04/2020 | Date of publication: 05/11/2021

Merchant IDs and SCA

In the situation where Strong Consumer Authentication (SCA) was completed at the time of completing a hotel booking by an Online Travel Agent (OTA) or hotelbrand.com under their Merchant ID but the actual payment will take place at the time of arrival: will the SCA authentication token remain valid for the hotel (merchant) making the charges and its respective Merchant ID?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4797 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 19/06/2019 | Date of publication: 05/11/2021

Requirements towards SCA if association is done based on phone call

Does the requirement to apply Strong customer authentication (SCA) under Article 24 paragraph 2 b of Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication apply when customer is served using telephone call? Or is the only possibility to associate authentication credentials with the customer not having active credentials at hand, only possible having customer present?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5650 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 09/12/2020 | Date of publication: 24/09/2021

Delegation of 2-Factor Authentication (2FA) to PISP, AISP or other third party

Where a Payment Service Provider (PSP) is providing financial services via a third party application - either through a Payment Initiation Services Provider (PISP), Account Information Service Provider (AISP) or by providing embedded financial products or banking as a service solutions (i.e. financial services via an Application Programming Interface (API)) - is it permitted for the PSP to delegate the application of 2-Factor Authentication (2FA) to the third party?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5643 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 03/12/2020 | Date of publication: 24/09/2021