Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

Applicability of SCA to ‘card payments initiated by the payee only’

Are card payments that are initiated by the payee only on the basis of (1) an initial mandate by the payer authorizing the payee to initiate the periodic payments and (2) a pre-existing agreement between the payer and the payee for the provision of products or services, subject to the RTS SCA requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Subsequent instances of a recurring card payment transaction, other than the first, initial one, are transactions initiated by the payee only. This is also the case for card instalment transactions.

Are the subsequent instances of card payment recurring transactions (other than the first, initial one) and of instalment transactions (again, subsequent to the initial one) transactions initiated by the payee only?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Payee-initiated transactions with irregular period or variable amount

Please clarify whether standing agreements between a customer and a merchant resulting in subsequent billing (irregular or otherwise) are considered to be payee-initiated transactions, and as such excluded from the SCA requirement.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Transactions initiated via Interactive Voice Response (IVR) solutions

Do transactions initiated via Interactive Voice Response (IVR) solutions qualify as telephone orders and are therefore excluded from the scope of the RTS SCA requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Does SCA apply to electronically processed SEPA Direct Debits?

When processing SEPA Direct Debits electronically (assuming that the Direct Debit mandate has been signed digitally), does SCA apply to transactions? If not, what is the legal basis for this exemption?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Contactless payments at point of sale - Applications of the conditions

What activity can be considered a proper application of strong customer authentication according to Article 11, paragraph (b), of the Commission Delegated Regulation (EU) 2018/389?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Communication plans to inform payment service providers making use of the dedicated interface

Is it sufficient to publish the measures to restore the system and the further descriptions on the website in an area which is secured by the certificates of the payment service providers?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Length of authentication codes

Is a 3 decimal-digit authentication code, which (1) is unique per each transaction and (2) complies with the other security requirements set out in Article 4 RTS, compliant with the RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Showing a password after it has been masked

Article 22, 2(a) states that "personalised security credentials are masked when displayed and are not readable in their full extent when input by the payment service user during the authentication". Is it ok to offer the user a "show password" button, so the user can verify that the correct password has been entered, before fulfilling an authentication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Trusted Beneficiary exemption – Management of the exemption, information flows between PSPs in the payment transaction

For the seamless management of the Article 13 exemption, should ASPSPs provide a feature that: 1) informs Acquirers and PISPs whether the payee is included in the payer’s list of trusted beneficiaries; and 2) allows Acquirers and PISPs to suggest new entries or amendments to a payer’s list of trusted beneficiaries?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

On the access to names and surnames through the API

Shall names and surnames associated with payment accounts be displayed through the Application Programming Interface (API)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Explicit consent required by the ASPSP from the PSU to enable the PSU to use the services provided by TPPs

May the requirement by the ASPSP for the PSU to give additional explicit consent in order to be allowed to use the services provided by TPPs, in addition to the consent given by the PSU to the TPP, be considered an ‘obstacle to the provision of payment initiation services and of account information services’ pursuant to Article 32 of the RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Applicability of the low-value contactless exemption to contactless-only devices

For contactless-only devices that (1) do not have a contact interface and (2) do not support on-device authentication, may the counters for the application of the low-value contactless exemption be reset through an out-of-band mechanism such as a mobile phone application?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Calculation of fraud rates in relation to Exemption Threshold Values (ETVs)

Is it acceptable to calculate the fraud rate for the application of the TRA exemption per ETV band?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Exemption from strong customer authentication (SCA) for payment account information in combination with accessing account information online in web browser

Is it acceptable to abstain from applying the 5-minute-rule when the strong customer authentication (SCA)-exemption for payment account information is in use?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Exemptions from Strong Customer Authentication (SCA): trusted beneficiaries

Should a Payment Service User (PSU) recreate a list of trusted beneficiaries that was already approved in accordance with the EBA Guidelines on the security of internet payments?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Access by AISPs when customer not present up to 4 times in a 24 hour period

Is the intention that the '4 times in 24 hour period' is implemented based on 4 sessions for access for account information per consented customer account, or 4 Application Programming Interface (API) calls (where APIs are used for the dedicated interface) for account information, or another basis?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Signature performed on the screen of a digital device as a factor in a two-factor SCA

Could a signature performed on the screen of a digital device be considered a valid factor in a two-factor strong customer authentication (SCA) under the RTS – and what type of element is it?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Consent for the provision of PIS and AIS

Could the consent to Account Information Service Providers (AISP) / Payment Initiation Service Providers (PISP) to provide services to a Payment Service User (PSU) also be revoked by the bank directly for the PSU’s ease of use, and could ASPSPs offer the PSU the option to generally “opt out” of being able to use the services of bank-independent Third Party Providers (TPPs)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Operation and security risk assessment of a branch of a credit institution

Does a branch of an EU credit institution operating in another Member State have to prepare a separate assessment for its payment-related activity and, if yes, which competent authority shall be responsible for receiving the assessment: the competent authority of the host or of the home Member State?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2019/04 – Guidelines on ICT and security risk management - repealing EBA/GL/2017/17