Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&A's

Service Downtime

The question refers to the case that an incident with a duration of two hours that disrupts transaction processing occurs around the daily cut off time of same-day transactions processing. Thus, the incident may be of a short duration, but as a result, transactions are booked one day later. Considering this example, what service downtime should the payment service provider (PSP) indicate in the PSD2 notification? Just the net time of the failure or the total time any payment service users are affected by delayed transactions, i.e. one day?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2021/03 - Guidelines on major incident reporting under PSD2 - repealing EBA/GL/2017/10

Period to be covered by statistics pursuant to Article 32(4) of Commission Delegated Regulation (EU) 2018/389

Which period should the statistics to be published by ASPSPs under Article 32(4) of Commission Delegated Regulation (EU) 2018/389 cover in total?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Evidences / Records to be stored by account servicing payment service providers (ASPSP) for payment initiation service (PIS) and account information service (AIS) requests

Shall ASPSP keep record of PIS requests received through a PISP and evidences on the authenticity and execution of these payment transactions when SCA is managed by ASPSP ?  Shall ASPSP keep record of the consent of the PSU and also of the AIS requests received through an AISP ? For both evidences is there any specific retention period ?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Reading of the term "means of payment"

What are the 'means of payment' in the LNE Guidelines (guidelines 1.6 and 1.7)? Does the term refer to the technological level of a physical device or a digital carrier, which may accommodate several payment instruments, such as plastic card (chip or magnetic stripe), a mobile phone, a wallet, an app, a wearable, a tablet, a PC or even a specific storage location on an external server? Please provide examples of 'other means of payment' that are relevant in practice from the EBA's perspective. How is the definition of payment instrument according to Article 4(14) PSD2 to be read in the context of the LNE Guidelines? Is the interpretation of the adjective “card-based” (in combination with means of payment) in line with the same adjective in combination with payment instruments according to Article 2(20) of Regulation (EU) 2015/751 (“IFR”)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2022/02 - Guidelines on the limited network exclusion

SCA for token replacement

Is SCA required for the replacement of a tokenized card happening in the background without any ‘action by the payer’ under Article 97(1)(c) PSD2 in the following cases: Expiry of the token and update of the token Replacement of the card, and the new card has a different BIN/Account Range (e.g., for product graduation, such as standard to gold, or simple BIN management) and/or different functionalities Technical and/or configuration changes to the issuer’s BIN configuration (such as migrating from 6 to 8 digit BINs) In all these cases, the existing tokenized credentials have been initially associated with SCA to the user under Article 24(2)(b) RTS, and this is solely a technical replacement of the token. credentials have been initially associated with SCA to the user under Article 24(2)(b) RTS, and this is solely a technical replacement of the token.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

SCA applicability / Application of SCA at tokenisation stage

Does the authentication to unlock the mobile device count as one of the elements of strong customer authentication when a payment service user is tokenising a card on an e-wallet solution such as Apple Pay?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Application of SCA to issuing a payment instrument and tokenisation

Is strong customer authentication (SCA) required when a Payment Service Provider (PSP) issues a payment instrument or creates a token?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Authentication procedures that ASPSPs’ interfaces are required to support (using re-direction)

In a pure redirection-based approach, can an ASPSP, which is not offering a mobile web browser to its PSU’s, decide not to support  an authentication via a mobile web browser authentication page (no app-to-mobile web browser or mobile web browser-to-mobile web browser  redirection) for PISPs/AISPs on the basis of duly justified security risks, without being considered a breach of Article 97 (5) PSD2 and Article 30(2) of the RTS on SCA and CSC and/or an obstacle under Article 32(3) of the RTS on SCA and CSC?  

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Application of SCA for confirmation of funds requests made by a PISP

1) Should two SCAs be applied when a fund confirmation is made by a PISP? i.e. one for fund confirmation and one for payment initiation? 2) Should ASPSPs provide confirmation to a CoF request made by a PISP before or after the payment is submitted?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Arbitrating between security and obstacles

Can an Account Servicing Payment Service Provider (ASPSP) know a mobile phone number inside of the Third Party Provider (TPP)’s organisation in order to send a decryption password to the TPP out-of-band via SMS?   

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Ability of Payee’s PSP to apply exemptions from SCA in credit transfers

Can the Payee’s Payment Services Provider (PSP) apply an exemption from strong customer authentication (SCA) in credit transfers that are initiated through the payee?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Transactions initiated via electronic mail (email)

Do transactions initiated via electronic mail (email) qualify as initiations pursuant to Article 97 para. 1 (b) PSD2 and are therefore subject to the RTS SCA requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Articulation and interaction of the second and the third sub-paragraph of Article 74 (1) of the PSD2

In cases where the payer could not possibly detect the loss, theft or misappropriation of his instrument before it was used, is it correct to state that there can be no liability at all, including if the payer has acted with gross negligence?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Calculation of “payment volume” for method B in the Article 9 of Directive EU 2015/36 (PSD2)

Can you please clarify the definition of 'previous year' when computing the “total amount of payment transactions executed” referred to in the calculation of “payment volume” for method B in the Article 9 of Directive EU 2015/36 (PSD2) as to whether it should be the previous 12 months from the date of calculation, therefore a rolling calculation, or whether it refers to the 'previous accounting year'? 

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

On the access to safeguarding accounts through the Application Programming Interface (API)

Shall a safeguarding account of the e-money institution (EMI) or/and of the payment institution (EMI and PI) within the account servicing payment service provider (ASPSP) be considered as a payment account and therefore should be accessible (displayed) through the Application Programming Interface (API) of ASPSP?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Bill-payment via postal service

Does bill-payment via snail-mail (postal service) fall into the definition of Article 97 1(c) and thus are subject to strong customer authentication (SCA) requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Clarification of meanings 'transferring of funds' and 'another payment service provider’ in the context of article 10(1)(a) of PSD2

1) How to understand the meaning 'another payment service provider', specified in Article 10(1)(a) of PSD2? What is the definition of this meaning in the context of Article 10(1)(a) of PSD2? 2) How to understand the meaning ‘transferred to another payment service provider’, specified in Article 10(1)(a) of PSD2? In particular, is it possible to consider as 'transferred to another payment service provider' transferring of funds (which have been received by Payment service provider No. 1 from the payment service users or through another payment service provider for the execution of payment transactions) on payment account of the payment service provider No. 1, that is opened with Payment service provider No. 2? On what legal basis the transfer of funds must take place in order to be considered 'transferred to another payment service provider'?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

“Triangular ” passport

Are “triangular” passports possible under the current legal framework governing the passporting rights among the EU Member States?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2017/2055 - RTS on passporting under PSD2

Ability of a creditor to change a mandate

Can a creditor introduce changes to a mandate, in accordance to Article 64(2) PSD2, by observing the same procedure as described in Article 54(1), i.e. by informing debtor that the collection of the amount due, as agreed in the mandate, will continue unless debtor indicates the contrary?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Safeguarding

Are payment institutions able to simultaneously adopt different safeguarding methods with respect to funds held?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable