Search for Q&As

Enquirers can use various factors to search for a Q&A:

These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Legal act

Topic

Article

COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations

Answer prepared by

Period posted start

Period posted end

Publication start

Publication end

Keywords

Question ID

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

Export options

Select / deselect all results on this page

List of Q&A's

On the access to names and surnames through the API

Shall names and surnames associated with payment accounts be displayed through the Application Programming Interface (API)??

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Explicit consent required by the ASPSP from the PSU to enable the PSU to use the services provided by TPPs / Consenso esplicito richiesto dall’ASPSP al PSU per consentirgli di avvalersi dei servizi prestati dai TPP

May the requirement by the ASPSP for the PSU to give additional explicit consent in order to be allowed to use the services provided by TPPs, in addition to the consent given by the PSU to the TPP, be considered an ‘obstacle to the provision of payment initiation services and of account information services’ pursuant to Article 32 of the RTS?***IT:Puo’ un ulteriore consenso esplicito richiesto dall’ASPSP al PSU per consentirgli di avvalersi dei servizi prestati dai TPP, in aggiunta al consenso prestato dal PSU al TPP, essere considerato un “ostacolo alla prestazione dei servizi di disposizione di ordine di pagamento e di informazione sui conti” ai sensi dell’Articolo 32 del RTS?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Applicability of the low-value contactless exemption to contactless-only devices

For contactless-only devices that (1) do not have a contact interface and (2) do not support on-device authentication, may the counters for the application of the low-value contactless exemption be reset through an out-of-band mechanism such as a mobile phone application?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Calculation of fraud rates in relation to Exemption Threshold Values (ETVs)

Is it acceptable to calculate the fraud rate for the application of the TRA exemption per ETV band?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Exemption from strong customer authentication (SCA) for payment account information in combination with accessing account information online in web browser

Is it acceptable to abstain from applying the 5-minute-rule when the strong customer authentication (SCA)-exemption for payment account information is in use?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Exemptions from Strong Customer Authentication (SCA): trusted beneficiaries

Should a Payment Service User (PSU) recreate a list of trusted beneficiaries that was already approved in accordance with the EBA Guidelines on the security of internet payments?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Access by AISPs when customer not present up to 4 times in a 24 hour period

Is the intention that the '4 times in 24 hour period' is implemented based on 4 sessions for access for account information per consented customer account, or 4 Application Programming Interface (API) calls (where APIs are used for the decicated interface) for account information, or another basis?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Signature performed on the screen of a digital device as a factor in a two-factor SCA

Could a signature performed on the screen of a digital device be considered a valid factor in a two-factor strong customer authentication (SCA) under the RTS – and what type of element is it?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Consent for the provision of PIS and AIS

Could the consent to Account Information Service Providers (AISP)/ Payment Initiation Service Provider (PISP) to provide services to a Payment Service User (PSU) also be revoked by the bank directly for PSU’s ease of use and could ASPSPs offer the PSU to generally “opt out” of being able to use the services of bank-independent Third Party Providers (TPPs)?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Operation and security risk assessment of a branch of a credit institution

Does a branch of an EU credit institution operating in another Member State have to prepare separate assessment for its payment related activity and if yes which competent authority shall be responsible for receiving the assessment - is it the competent authority of the host or the home Member State?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2019/04 – Guidelines on ICT and security risk management - repealing EBA/GL/2017/17

Applicability of exemption from strong customer authentication (SCA) under Article 17 for card payments

Is Article 17 of Regulation (EU) 2018/389 applicable for the payer’s Payment service provider (PSP) for card-based payments?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Interpretation of 'Active request for account information'

How should 'active request for account information' by a Payment Service User (PSU) be interpreted the wording of article 36(5)(a)(b) of the RTS SCA?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Major incidents reporting

Must Payment Service Providers (PSPs) submit major incident reports to their home National Competent Authority (NCA) when the cause of the major incident is outside the control of the PSP and when updates on the major incident are dependent on information provided by a third party?Where there is consolidated reporting of an incident to the EBA/ECB in the context of, for example, card payments schemes, is reporting of the major incident by PSPs to their NCA under PSD2 required?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2021/03 - Guidelines on major incident reporting under PSD2 - repealing EBA/GL/2017/10

Applicability of Strong Customer Authentication (SCA) to existing recurring payments solutions

Is Strong Customer Authentication (SCA) required if the series of recurring transactions was initiated before the date of application of the RTS?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Criteria for the application of the transaction risk analysis (TRA) exemption – Fraud rate calculation methodology for the application of the TRA exemption

Should ‘friendly’ frauds be included in the “total value of unauthorised or fraudulent remote transactions” considered for the calculation of the fraud rates for the application of the TRA exemption?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Application of SCA when a PSU accesses payment transactions data older than on the last 90 days, without having access to sensitive payment data and for a period of 90 days after the last access using SCA

Could Payment Service Providers (PSPs) be allowed to choose between applying SCA(Strong Customer Authentication) or not when a PSU (Payment Service User) accesses payment transactions data older than on the last 90 days without having access to sensitive payment data and for a period of 90 days after its last access using SCA?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Persistent authentication for wearable devices

Is persistent authentication for wearable devices compliant with the RTS?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Criteria for the application of the transaction risk analysis (TRA) exemption – Application of the TRA exemption at the level of individual brand, product or scheme

May a PSP calculate its fraud rate at the level of individual brand, product or scheme?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Responsibility of national authority with regards to audit reports

Should all audit reports required under Article 3 of the RTS on strong customer authentication and secure communication be monitored by the competent national authorities?And, what are the consequences if the audit report addressing the audit (referred to in Article 3, paragraph 1 of the RTS) shows significant findings?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

On the access to trusted beneficiaries lists (RTS Art 13) by TPPs in write mode

Do the TPPs have the right to access trusted beneficiaries lists in write mode?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting

Data

Publications

Media centre