Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID, legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

Authentication process of the PSU with the ASPSP in a combined AIS and PIS journey in a redirection approach

Consider an ASPSP that offers a dedicated interface using a redirection approach. To fulfill the requirement that PSUs using a PIS should not have to enter their own account details, the ASPSP allows TPPs that have an AIS license to retrieve the list of all the PSU’s payment accounts via the interface so that the account can be selected in the TPP’s domain. Does the ASPSP create an obstacle in the sense of Article 32(3) of Commission Delegated Regulation (EU) 2018/389 if it forces a PSU who is initiating a payment through a PISP without entering the own IBAN to perform full SCA twice while a PSU who initiates a payment through the ASPSP’s customer interface needs to perform full SCA only once, while the second authentication requires entering only one element of SCA?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

The use of strong and widely recognized encryption techniques

All strong and widely recognized encryption techniques (e.g. RSA and ECC) currently available on the market must be provided by the account servicing payment service providers or only that encryption technique which is indicated in the documentation of the technical specification of the API in accordance with Article 30(3) of the RTS on SCA & CSC shall be provided?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

SCA exception for Contactless only terminals (SoftPOS) in case of emergency

We are in the process of developing a backup solution for our SoftPOS terminal application, intended for use during exceptional circumstances such as cyber-attacks or other disruptions to internet connectivity and acquirer systems. As SoftPOS terminals operate exclusively with contactless transactions, and contactless transactions do not support Offline PIN, it is technically not possible to perform Strong Customer Authentication (SCA) in offline mode. We would like to confirm whether, under these conditions, it is acceptable to process offline contactless transactions without applying SCA and follow Directive (EU) 2015/2366 article 0 (15)

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Minimum monetary amount of professional indemnity insurance in ongoing supervision

Are points 5.4, 5.7, 5.10 and 7.4 of EBA/GL/2017/08 guideline applicable only while applying for authorisation or in ongoing supervision as well? Is 50 000 per indicator minimal amount after authorisation procedure/first year as well?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2017/08 - Guidelines on the criteria on how to stipulate the minimum monetary amount of the professional indemnity insurance

Knowledge element of SCA.

Can an API key be considered as a Knowledge element of SCA?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Proxy matrices

Are credit institutions (ASPSPs) allowed to facilitate proxy matrices implemented by their (corporate) clients that allocate proxy to only certain users to invoke the services of third party payment service providers (TPPs)?  

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Obstacles Faced by PISPs in Accessing Payment Status Information Under PSD2

Are ASPSPs allowed to require PISPs to provide any additional identifier beyond what is specified in Article 35.4.b of the RTS in order to access information about the execution of a payment order?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Credit

Does this credit qualify as consumer credit, exclusively available to individual consumers? Or can it also be extended to legal entities?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Interpretation of payment instrument

What devices or procedures can be considered as payment instrument as per Art. 4(14) of PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Paper-based postal money orders as defined by the Universal Postal Union

1. Should postal transfers as defined by the Universal Postal Union, which are not made in paper form but by electronic means, be excluded from the scope of PSD2?
2. If postal transfers, as defined by the Universal Postal Union, in both electronic and paper format, are inseparable from the postal operator’s accounting system, should also paper-based postal transfers not fall outside the scope of PSD2?
3. Should such transfers be excluded from the scope of PSD2 in either case, or agree that the payment institution is not entitled to credit those funds to the payment service customers’ funds accounts where the money of the payment service users is kept separate?
4. Can a payment institution that is also a postal service provider simultaneously provide both PSD2 regulated services and services related to payments but outside the scope of PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Compliance of non-bank PSPs with the safeguarding requirements in PSD2

Where PIs and EMIs (referred to as non-bank PSPs) have direct access to central bank operated payment systems for settling payment transactions, would keeping a balance on a settlement account with the central bank/payment system, without the central bank maintaining a safeguarding account for the non-bank PSP, be compliant with the safeguarding requirements under Article 10 of PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Safeguarding with a credit institution in a third country

May a PI authorised and operating in an EU Member State use a credit institution based in a third country (e.g. UK) for the purpose of safeguarding funds in accordance with Art. 10(1)(a) of PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

PISP payment order cancellation due to fraud prevention reasons

Due to fraud prevention reasons, could an ASPSP (Account Servicing Payment Service Provider) block a payment order initiated through a PISP (Payment Initiation Service Provider) despite having informed the PISP immediately upon authentication, that the payment was going to be executed (i.e., after having provided the PISP with the code ACSC (AcceptedSettlementCompleted) under the Berlin Group Standard)? In that scenario who should bear the liability if the payment is not executed but, nonetheless, the payee delivered the good or service promptly after being informed by the PISP of the successful initiation of the payment? Would the answer be different if the ASPSP had simply confirmed the sufficiency of funds as stated in the EBA Opinion on the implementation of the RTS on SCA and CSC (EBA-Op-2018-04)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Multi-licensed entity capital requirement

Should a payment institution that also has a crowdfunding license meet the capital requirements of both authorizations in aggregate?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Exchange rate mark-ups part of 'all charges payable'/'currency conversion charges'

Is an exchange rate mark-up (the difference between the interbank rate and the exchange rate offered by the PSP to its PSUs) to be considered as part of ‘all charges payable’ as per PSD2 and the ‘currency conversion charges’ as per CBPR2 prior to the initiation of the payment? How should PSPs disclose this in the payment flow?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Consideration of own funds requirements as a comparable guarantee to the PII

Would it be acceptable to consider, as a possible comparable guarantee, an increase of own funds’ requirements, in an amount corresponding to the minimum monetary amount calculated in accordance with the EBA’s tool, while ensuring that this amount would be fulfilled with highly liquid assets?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Information provided to the payee on individual payment transaction

If a framework contract includes a condition on providing all required information to the payee at least once a month, is the payment service provider still obliged to provide the information to the payee after the execution of individual payment transaction? Or providing monthly information is enough and provision of information separately about each individual transaction is not required anymore?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Provision of the "acquiring of payment transactions" payment service in the EU

Please provide your opinion on whether the payment service – acquiring of payment transactions on an EU webshop – can be provided by a payment service provider from a third country. Please refer to Q&A 4233.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Card data (PAN) to be returned in AISP calls

Does the ASPSP have to return the card number (PAN) attached to a fetched payment account in case the user can access this data during a standard session with its ASPSP in the direct internet banking interface? In case of "YES", does the TPP that is fetching this data have to be PCI DSS certified, since this data has to be encrypted based on the PCI DSS requirements? Moreover, could the "card number (PAN)" be considered sensible, since it could be potentially used for fraud?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Payment account

What is the difference between payment account, e-money account and a bank account (account held at the credit institution) in terms of allowed transactions? Is it possible to hold funds on a payment account to make future payment transactions? Is it possible to receive the salary on a payment account, if this account is not an e-money account or an account held by a credit institution, which constitute a deposit or other repayable fund?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable