Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

List of Q&A's

Accessing payment account online in web browser shall exceed not 5 minutes without acitvity

Is it necessary to stop the complete web session or would it be enough to deactivate the relevant items of PSD2 and to reduce the display to the available balance so trading functionality in the same session can stay available?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4065
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

EMV cards and EMV terminals supporting online authentication

Is there a need for Europay, MasterCard, Visa (EMV) cards and EMV terminals supporting online authentication in compliance with the RTS to support also offline authentication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4052
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

Criteria for the application of the transaction risk analysis (TRA) exemption – Application of the TRA exemption by authorized PSPs other than the issuer and the acquirer

May an authorized PSP other than the issuer and acquirer apply the TRA exemption on the basis of its own fraud rate and risk analysis?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4035
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

Review of the security measures: Audit report

Should the Audit for the implementation of the security measures be incorporated into an existing ISAE3402 report or COS3000 report or should a separate report be used?If a separate report should be used: Are there any templates available for reporting?Also, how detailed should the report be? Finally, should both design and operating effectiveness be tested of the requirements stated in the RTS articles?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4152
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

Review of Security Measures - Auditors expertise

Are internal auditors able to perform the audits as mentioned in paragraphs 1 and 2 of the RTS on strong customer authentication and secure communication?Is there a difference in the answer of this question between the audit as referred to in paragraph 1 and 2 of Article 3 of this RTS?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4153
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 26/10/2018

Obligatory nature of the SCA and exemption based on transaction risk analysis

Does the exemption to the strong customer authentication (SCA) apply to any connection the payment service user (PSU) makes to his/her payment account(s), or only to the connections made through the use of third party processors (TPPs, such as AISPs or PISPs) via the interfaces (dedicated or not) set up by the bank with the TPPs, when a transaction risk analysis is performed and results on a low level of risk? That is, the connections made via the traditional online banking or the mobile application that the financial institution (the bank) provides to the final user are also eligible to a transaction risk analysis and, if a low level or risk is identified, apply exemption to the SCA? Or do the PSD2, and specifically the RTS on SCA and secure communication not apply to the traditional connections performed by the PSUs to their payment accounts via online banking or mobile application provided by the bank (ASPSP), and do they not mandate to apply transaction monitoring in such cases?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4089
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 19/10/2018

Does transaction monitoring need to be real time?

Article 2(1) of the RTS stipulates that "payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorised or fraudulent payment transactions…" and Article 2(2) explains the minimum requirements.However, Article 2 does not specify timing aspects of the transaction monitoring.Is it correct to conclude that the transaction monitoring described in Article 2 does not need to be real time?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4090
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 05/10/2018

Qualification of SMS OTP as an authentication factor

Please clarify whether a One-Time Password (OTP) sent via SMS to a mobile phone qualifies as an ownership factor (“something only the user possesses”), and shall be subject to Article 7 of the RTS on strong customer authentication and secure communication.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4039
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 05/10/2018

Display of incorrect authentication factors in case of failed authentication attempts

For remote card transactions, may the user be informed of the incorrect authentication factor in case of a failed authentication attempt provided this does not increase the risk of fraud (e.g. for in-app transactions)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4041
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 05/10/2018

Application of the exemption for transactions to trusted beneficiaries to Face-to-Face transactions

May the exemption for transactions to trusted beneficiaries (‘white-listing’) set out in Article 13 of Regulation (EU) 2018/389 (RTS on strong customer authentication and secure communication) apply to face-to-face transactions?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
  • ID: 2018_4056
  • Topic: Strong customer authentication and common and secure communication (incl. access)
  • Date of submission:
  • Published as final Q&A: 21/09/2018