Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

List of Q&A's

Application of the Low Value Transaction Limits

Should the limits according the Article 16 RTS be applied to the account itself (account holder and authorized persons together) or should they be applied to the account holder (owner) and each authorized person (i.e. proxy of account holder) separately? Subsequently should the limits be applied to all remote payment transactions together or should e.g. card transactions and credit transfers be counted separately. Also should the limit be applied to all cards belonging to one person together or should the limit be applied to each card separately?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4429
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/04/2019

Wide usage portability between Member States

Could three months’ data, showing wide usage of the dedicated interface, produced in one Member State by a regulated entity (ASPSP) belonging to an ASPSP Group, be used as evidence to support the ‘widely used’ condition in a further Member State for a separate regulated entity (ASPSP) belonging to the same ASPSP Group, on the condition that both entities employ the same dedicated interface?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/07 - Guidelines on the exemption from the contingency mechanism under Regulation (EU) 2018/389
  • ID: 2019_4638
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 26/04/2019

Applicability of Article 34 (eIDAS certificates) prior to application date of Regulation (EU) 2018/389

Is the use of eIDAS certificates mandatory for accessing payment accounts via dedicated interfaces (APIs) already prior to the application date of the Commission Delegated Regulation (EU) 2018/389, i.e. 14 September 2019?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2019_4630
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/04/2019

Content of eIDAS certificates if agents or outsource providers are involved

Who shall be the Subject Distinguished Name (DN) in the situation described in EBA Opinion on eIDAS (EBA-Op-2018-7) item 21? Does information on agents or outsource providers has to show up in the certificates? 

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2019_4507
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/04/2019

Passporting and eIDAS certificates

Do account servicing payment service providers (ASPSPs) have to check that third party providers (TPPs) are authorised to operate in their Member State via freedom to deliver services passporting? If so, how shall this be done?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4432
  • Topic: Passporting
  • Date of submission:
  • Published as final Q&A: 26/04/2019

Fraud rate calculation for TRA exemption – country dimension

Could – or should – the fraud rate for the TRA exemption be calculated per member state where a PSP provides payment services (one legal entity with branches in different countries), or should the fraud rate be aggregated as one for the whole legal entity?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4439
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 12/04/2019

Fall back exemption

Article 33, § 6 of the RTS for strong customer authentication and common and secure open standards of communication (the “RTS”) provides that “Competent authorities, after consulting EBA to ensure a consistent application of the following conditions, shall exempt the account servicing payment service providers that have opted for a dedicated interface from the obligation to set up the contingency mechanism […]” (the “fall back exemption”). a) Which authority - the home authority or the host authority ?- is the compentent authority under article 33, § 6 of the RTS, when the “fall back exemption request” concerns the dedicated interface used in a Member state where a branch of the ASPSP is located? b) Does the answer differ if the same dedicated interface is used in the home member state and in the host member state where a branch is located?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4163
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 12/04/2019

Identification and access for testing purposes of entities that are not authorised third party providers (TPPs)

How would account servicing payment service providers (ASPSPs) identify entities that have applied for authorisation as a TPP?Should ASPSPs offer access to their testing facility to entities that are not (i) authorised payment service providers or (ii) entities that have applied for authorisation as a TPP (e.g. technical service providers)? If the answer is ‘yes’, should ASPSPs offer the same level of service to the referred entities?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2019_4609
  • Topic: Other topics
  • Date of submission:
  • Published as final Q&A: 29/03/2019

ASPSP is denied the waiver to the fall-back by an NCA

If an Account Servicing Payment Service Provider (ASPSP) is denied the waiver to the fall-back by a National Competent Authority (NCA) (i.e. at 13 September 2019), will the ASPSP still have 2 months to build the fall-back?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4140
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 22/03/2019

Application of the exemption related to a trusted beneficiary

Has the exemption related to a trusted beneficiary to be applied on an account basis or rather to a list of accounts included in an online banking agreement ? Whose list has to be considered in case of a power of attorney where the initiator is not the account owner ? What happens in case of a shared account where each one holds his own trusted beneficiary lists ?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4360
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 08/03/2019

Applicability of SCA to ‘card payments initiated by the payee only’

Are card payments that are initiated by the payee only on the basis of (1) an initial mandate by the payer authorizing the payee to initiate the periodic payments and (2) a pre-existing agreement between the payer and the payee for the provision of products or services, subject to the RTS SCA requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4031
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 01/03/2019

Subsequent instances of a recurring card payment transaction, other than the first, initial one, are transactions initiated by the payee only. This is also the case for card instalment transactions.

Are the subsequent instance of card payment recurring transactions (other than the first, initial one) and of instalment transactions (again, subsequent to the initial one) transactions initiated by the payee only?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4404
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 01/03/2019

Payee-initiated transactions with irregular period or variable amount

Please clarify whether standing agreements between a customer and a merchant resulting in subsequent billing (irregular or otherwise) to be payee-initiated transactions, and as such excluded from the SCA requirement.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable
  • ID: 2018_4131
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 01/03/2019

Transactions initiated via Interactive Voice Response (IVR) solutions

Do transactions initiated via Interactive Voice Response (IVR) solutions qualify as telephone orders and are therefore excluded from the scope of the RTS SCA requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4058
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 01/03/2019

Does SCA apply to electronically processed SEPA Direct Debits ?

When processing SEPA Direct Debits electronically (assuming that the Direct Debit mandate has been signed digitally), does SCA apply to transactions? If not, what is the legal basis for this exemption?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4359
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 22/02/2019

Contactless payments at point of sale - Applications of the conditions

What activity can be considered a proper application of strong customer authentication according to the Article 11 Paragraph b of the Commission Delegated Regulation (EU) 2018/389?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4226
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 08/02/2019

Communication plans to inform payment service providers making use of the dedicated interface

Is it sufficient to publish the measures to restore the system and the further descriptions on the website in an area, which is secured by the certificates of the payment service providers?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4071
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 08/02/2019

Length of authentication codes

Is a 3 decimal-digit authentication code, which (1) is unique per each transaction and (2) complies with the other security requirements set out in Article 4 RTS, compliant with the RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4053
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 08/02/2019

Showing a password after it has been masked

Article 22, 2(a) states that "personalised security credentials are masked when displayed and are not readable in their full extent when input by the payment service user during the authentication". Is it ok to offer the user a "show password"-button, so the user can verify that correct password has been entered, before fulfilling an authentication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4366
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 08/02/2019

Trusted Beneficiary exemption – Management of the exemption, information flows between PSPs in the payment transaction

For the seamless management of the Article 13 exemption, should ASPSPs provide a feature that: 1) informs Acquirers and PISPs whether the payee is included in the payer’s list of trusted beneficiary; and 2) allows Acquirers and PISPs to suggest new entries or amendments to a payer’s list of trusted beneficiaries?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4128
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 25/01/2019