
Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

Authentication procedures that ASPSPs’ interfaces are required to support (using re-direction)

In a pure redirection-based approach, can an ASPSP, which is not offering a mobile web browser to its PSUs, decide not to support an authentication via a mobile web browser authentication page (no app-to-mobile web browser or mobile web browser-to-mobile web browser redirection) for PISPs/AISPs on the basis of duly justified security risks, without being considered a breach of Article 97(5) PSD2 and Article 30(2) of the RTS on SCA and CSC and/or an obstacle under Article 32(3) of the RTS on SCA and CSC?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Application of SCA for confirmation of funds requests made by a PISP

1) Should two SCAs be applied when a fund confirmation is made by a PISP? i.e. one for fund confirmation and one for payment initiation? 2) Should ASPSPs provide confirmation to a CoF request made by a PISP before or after the payment is submitted?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Arbitrating between security and obstacles

Can an Account Servicing Payment Service Provider (ASPSP) know a mobile phone number inside of the Third Party Provider (TPP)’s organisation in order to send a decryption password to the TPP out-of-band via SMS?   

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Ability of Payee’s PSP to apply exemptions from SCA in credit transfers

Can the Payee’s Payment Services Provider (PSP) apply an exemption from strong customer authentication (SCA) in credit transfers that are initiated through the payee?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Transactions initiated via electronic mail (email)

Do transactions initiated via electronic mail (email) qualify as initiations pursuant to Article 97 para. 1 (b) PSD2 and are therefore subject to the RTS SCA requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Articulation and interaction of the second and the third sub-paragraph of Article 74 (1) of the PSD2

In cases where the payer could not possibly detect the loss, theft or misappropriation of his instrument before it was used, is it correct to state that there can be no liability at all, including if the payer has acted with gross negligence?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Calculation of “payment volume” for method B in the Article 9 of Directive EU 2015/36 (PSD2)

Can you please clarify the definition of 'previous year' when computing the “total amount of payment transactions executed” referred to in the calculation of “payment volume” for method B in the Article 9 of Directive EU 2015/36 (PSD2) as to whether it should be the previous 12 months from the date of calculation, therefore a rolling calculation, or whether it refers to the 'previous accounting year'? 

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

On the access to safeguarding accounts through the Application Programming Interface (API)

Shall a safeguarding account of the e-money institution (EMI) or/and of the payment institution (EMI and PI) within the account servicing payment service provider (ASPSP) be considered as a payment account and therefore should be accessible (displayed) through the Application Programming Interface (API) of ASPSP?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Bill-payment via postal service

Does bill-payment via snail-mail (postal service) fall into the definition of Article 97 1(c) and thus are subject to strong customer authentication (SCA) requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Clarification of meanings 'transferring of funds' and 'another payment service provider’ in the context of article 10(1)(a) of PSD2

1) How to understand the meaning 'another payment service provider', specified in Article 10(1)(a) of PSD2? What is the definition of this meaning in the context of Article 10(1)(a) of PSD2? 2) How to understand the meaning ‘transferred to another payment service provider’, specified in Article 10(1)(a) of PSD2? In particular, is it possible to consider as 'transferred to another payment service provider' transferring of funds (which have been received by Payment service provider No. 1 from the payment service users or through another payment service provider for the execution of payment transactions) on payment account of the payment service provider No. 1, that is opened with Payment service provider No. 2? On what legal basis the transfer of funds must take place in order to be considered 'transferred to another payment service provider'?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

“Triangular” passport

Are “triangular” passports possible under the current legal framework governing the passporting rights among the EU Member States?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2017/2055 - RTS on passporting under PSD2

Ability of a creditor to change a mandate

Can a creditor introduce changes to a mandate, in accordance to Article 64(2) PSD2, by observing the same procedure as described in Article 54(1), i.e. by informing debtor that the collection of the amount due, as agreed in the mandate, will continue unless debtor indicates the contrary?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Safeguarding

Are payment institutions able to simultaneously adopt different safeguarding methods with respect to funds held?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Collection of fees for utilities or other regular services

Does a business model where the contributions (collected fees for utilities or other regular services) received from the payers are transferred to the payees (service providers) in individual transfers, without opening or maintaining accounts on behalf of neither payers nor payees (service providers), nor issuing any payment instruments to them, but the Company has contracts with the payees for accepting the transfers, constitute the provision of money remittance service as it is defined in Article 4(22) PSD2? Does a business model where the contributions (collected fees for utilities or other regular services) received from the payers are being aggregated and then transferred to the payee (service provider), without opening or maintaining accounts on behalf of neither payers nor payees (service providers), nor issuing any payment instruments to them, constitute the provision of money remittance service to the payer and acquiring of payment transactions service to the payee, as money remittance and acquiring of payment transactions are defined in Article 4(22) and (44) PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Information on the host member State in which Third Party Providers (TPPs) provide services

If a payment institution, in the specific form present in the EBA register under PSD2, presents an EU passport, does this mean that the Third Party Provider (TPP) is authorised to operate for the services indicated in all EU countries?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2019/411 - RTS on EBA register under PSD2

Change of TPP access rights for AIS consent by the PSU prior to authorisation

A clarification / harmonised guidance on the Scope of the Bank Offered Consent, as defined in the Berlin Group standard, is needed.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Clarification on the protection requirements of a CustomerID when included in a payer-presented QR-code for the initiation of (instant) credit transfers at the Point of Interaction (POI)

Are the Customer ID’s security measures (e.g., encryption, tokenisation, transport layer security) mentioned under Q&A 5476 to be always applied in any payer-presented QR code, regardless of who generates it (e.g., including a non-PSP)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Future-dated payments and recurring transactions

When it comes to recurring transactions and future-dated payments, would an implementation of the PSD2-interface that requires that the TPPs store the payment details until due date, and not until due date are they allowed to send the transactions to the ASPSP for execution, satisfy the requirements in Opinion on the implementation of the RTS on SCA and SCA (EBA-Op-2018-04) of June 13, 2018, paragraph 29, in cases where the ASPSP itself offers future-dated payments and recurring transactions in their mobile/web-bank application? If the answer to the preceding question is yes, what then is the meaning of the statement '… a PISP has the right to initiate the same transactions that the ASPSP offers to its own PSUs, such as … recurring transactions, … and future-dated payments'?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

API functionality

Is it allowed to use a dedicated PSD2 interface by a TPP that identifies itself with an eIDAS certificate for purposes other than those specified in Article 30(1)(b) - (c) of the RTS on strong customer authentication (SCA) and secure communication? 

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Annex VI - Agents/distributors

Please clarify whether under Directive 2015/2366, in the exchange of notifications between NCAs, Annex VI of the Commission Delegated Regulation (EU) 2017/2055 should be sent concerning each new agent/distributor or only for the first agent/distributor acting on behalf of a payment/e-money institution.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2017/2055 - RTS on passporting under PSD2