Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID, legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

Confirmation of Funds (CoF) request by a PISP in case of batch processing system

With respect to a confirmation of funds request made by a Payment Initiation Service Provider (PISP), in the event that the Account Servicing Payment Service Provider (ASPSP) makes use of a batch processing system, should the ASPSP take into account batches that are in the queue waiting to be processed at the point when the fund confirmation request is made?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Payers right to make use of payment initiation service providers for all types of payment transactions

Shall payers be able to make use of payment initiation service providers for transmitting all types of credit-transfer based online payment orders from their payment accounts?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Alternative strong customer authentication for citizens without mobile

Why does the PSD2 allow banks to deny the access to the electronic financial services to customers without a mobile but with a PC?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Revocation / Invalidation of SCA proof before execution date

In order for a payment instruction to be regarded as 'authorised', is the Account Servicing Payment Service Provider (ASPSP) obliged to verify the strong customer authentication (SCA) proof immediately prior to the execution of each future dated payment instruction? If the ASPSP fails to re-verify the SCA proof, can the ASPSP hold the payer liable in the event of fraud?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Home / host cooperation

Should banks notify only National Competent Authorities (NCAs) of the home Member State when they use Strong customer authentication (SCA) exemptions on Secure corporate payment processes and protocols (Article 17 of Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication) and Transaction risk analysis (Article 18 of the Delegated Regulation)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Scope of “additional registrations” as obstacles in the sense of Article 32(3) Delegated Regulation (EU) 2018/389

Is a process that requires Third Party Providers (TPPs) to upload an electronic IDentification, Authentication and trust Services (eIDAS) certificate for receiving additional client credentials before first access to a payment account provided by an Account Servicing Payment Service Provider (ASPSP) to be considered an “additional registration” and therefore an obstacle?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

The implementation of commercial agent exclusion for B2C e-commerce platforms

In what situation can a business-to-consumer (B2C) e-commerce platform be subject to the exclusion foreseen in Article 3 (b) of PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Revocation of future dated Payment Initiation Services (PIS) payments

Is the Bank (an ‘Account Servicing Payment Service Provider’ (ASPSP)) prohibited under PSD2 from acting on the following unsolicited customer instruction: the customer asks their Bank to cancel a future-dated payment, or a series of recurring future-dated payments, where the original consent for the payment(s) was given by the customer to a Payment Initiation Services Provider (PISP)? In this scenario, is the Bank required to advise the customer that the Bank cannot accept the customer’s instruction to revoke these future payments, and that only a revocation instruction received via the PISP can be accepted by the Bank?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

The implementation of commercial agent exclusion for e-commerce platforms

Should the settlement of the debt by an e-commerce platform be considered a sufficient reason to exclude the e-commerce platform from the scope of PSD2 or an indispensable requirement for a commercial agent mandate?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Consumer explicit consent to the PISP for processing of personal data

Can the presentation by the consumer of its identification data to the merchant (e.g. CustomerID and IBAN through a QR code read by the Point of Interaction (POI)) be interpreted as the consumer providing explicit consent via the merchant to the usage of this data by a Payment Initiation Service Provider (PISP) that has a contractual relationship with the merchant (but not with the consumer) for the processing of data that will enable the initiation of a single (instant) credit transfer with the consumer’s Account Servicing Payment Service Provider (ASPSP), subject to sufficient information about this PISP made available beforehand to the consumer (in accordance with Articles 44 and 45 of PSD2)? Or is the explicit consent of the consumer to the PISP required by way of contract, as mentioned in section 3.2.1 of the EDPB Guidelines 06/2020 on the interplay of Directive 2015/2366/EU (PSD2) and the GDPR?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Information to be provided by the PISP to the payer prior to the initiation of the transaction

Is it sufficient that the merchant makes available upon request by the payer (consumer) the information about the Payment Initiation Service Provider (PISP) in the Point of Interaction (POI) environment before the consumer presents their data (e.g., via a QR code) to meet the requirements of Articles 44 and 45, (2), PSD2?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Elements of possession (SIM card) and knowledge (knowledge-based responses to challenges or questions)

1. Can evidence of possession (SIM card) also be verified by reading and identifying the phone number used for the phone call? 2. Can a knowledge element be based on a) transaction history of the customer; b) contact information of the customer?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Merchant IDs and SCA

In the situation where Strong Consumer Authentication (SCA) was completed at the time of completing a hotel booking by an Online Travel Agent (OTA) or hotelbrand.com under their Merchant ID but the actual payment will take place at the time of arrival: will the SCA authentication token remain valid for the hotel (merchant) making the charges and its respective Merchant ID?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Requirements towards SCA if association is done based on phone call

Does the requirement to apply Strong customer authentication (SCA) under Article 24 paragraph 2 b of Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication apply when the customer is served using a telephone call? Or is associating authentication credentials with a customer who does not have active credentials at hand only possible with the customer present?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Delegation of 2-Factor Authentication (2FA) to PISP, AISP or other third party

Where a Payment Service Provider (PSP) is providing financial services via a third party application - either through a Payment Initiation Services Provider (PISP), Account Information Service Provider (AISP) or by providing embedded financial products or banking as a service solutions (i.e. financial services via an Application Programming Interface (API)) - is it permitted for the PSP to delegate the application of 2-Factor Authentication (2FA) to the third party?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Association with the payment service user by means of a remote channel

Is it sufficient to use a company level knowledge element, in combination with a personal possession element, to associate a user of a business application with personalised security credentials such as authentication software or a knowledge element?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Clarification on level of protection required for the processing of the IBAN outside the inter-PSP environment

Can the IBAN of the payer or payee be handled in cleartext outside the inter Payment Service Provider (PSP) environment? For instance could a payer’s IBAN be contained in cleartext in a payer-presented QR-code provided by the payer’s device to the merchant’s point of interaction for the initiation of an (instant) credit transfer? Or could a merchant’s IBAN be contained in cleartext in a merchant-presented QR-code at the merchant’s point of interaction to be read by the payer’s device for the initiation of an (instant) credit transfer?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Clarification on the qualification and protection requirements of a CustomerID when included in a payer-presented QR-code for the initiation of (instant) credit transfers at the point of interaction (POI)

Is the CustomerID (i.e. ID issued by an Account Servicing Payment Service Provider (ASPSP) to its Payment Services User (PSU) for accessing the on-line banking system and usually required by PSD2 Application Programming Interfaces (APIs) to identify the PSU) to be qualified as “personalised security credentials of the PSU” within the meaning and for the purposes of Article 66 (3) b), PSD2, and Article 35 (5), RTS, and therefore be treated as “sensitive payment data” within the definition of Article 4 (32), PSD2? Accordingly, can said CustomerID be included in cleartext in the payer-presented QR-code for the initiation of (instant) credit transfers at the point of interaction (e.g. POS, vending machine) without any protection during the QR-code life-cycle, including the generation of the QR-code, storage of the QR-code on the payer’s device, transmission from the payer device to the payee’s point of interaction and in the payee’s (e.g. merchant) point of interaction?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Intermediaries and Merchant-ID

In the hotel industry, given that when a customer reserves a room, a payment is often not taken at this time, should an entity (intermediary, online travel agent or brand/hotel group) that collects payment details from a customer also facilitate strong customer authentication (SCA), regardless of when or by whom the actual payment transaction may be processed? If yes, should the customer be explicitly informed of the entities involved in order for their consent to be valid?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Validity of SCA

If Strong customer authentication (SCA) is required at the time of booking which is more than 90 days before the guest’s arrival, will hotels be able to process the payment at location with an expired authentication token? If not, can an SCA be renewed and who would be responsible for doing so?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication