Search for Q&As

Enquirers can use various factors to search for a Q&A:

These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Legal act

Topic

Article

COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations

Answer prepared by

Period posted start

Period posted end

Publication start

Publication end

Keywords

Question ID

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

Export options

Select / deselect all results on this page

List of Q&A's

Strong customer authentication requirement on pay-by-invoice payment transactions

Does Article 97(1)(b) PSD2 apply for pay-by-invoice when the payer's funds are covered by a credit line extended by a payment service provider?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Irrevocability of a payment order initiated by a PISP

The EBA Opinion on the implementation of the RTS on SCA and CSC (EBA-Op-2018-04) contains a Table entitled “Main requirements for dedicated interfaces and API initiatives” and Row 9 refers to the possibility of “cancelling an initiated transaction in accordance with PSD2, including recurring transactions”. Please clarify that these requirements will not apply to single payment transactions initiated by Payment Initiation Service Providers (PISPs) for immediate execution?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Definition of an electronic remote payment transaction

What are the demarcation criteria of the term „remote payment transaction“, which is an essential term in the RTS on SCA and CSC?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Scope - Limited network exclusion

Is there a geographical limitation with regard to a limited network of service providers?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

More than one transaction from a single consumer initiated transaction

When a consumer elects to add an additional item to their purchase at the time of checkout (a cross sale) they are making two purchases from two different merchants in a single session. Is SCA required for both of these transactions? This would make the user experience very clumsy and awkward as the consumer would have to go through SCA twice in a row during a single checkout.

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

SCA for staff assisted electronic channel

Please clarify where a customer is physically present and identified in branch, the strong customer authentication (SCA) requirements if that customer completes a Standing Order instruction (Setup, Amend or Cancel) or initiates a credit transfer through a staff assisted electronic channel (i.e. tablet device)?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Association of personalised security credentials to the payment service user

Should strong customer authentication (SCA) elements always be issued under control of the Account service Payment Services Provider (ASPSP)?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Confirmation of Funds (CoF) request by a PISP in case of batch processing system

With respect to confirmation of funds request made by a Payment Initiation Service Provider (PISP), in the event that the Account Servicing Payment Service Providers (ASPSP) makes use of a batch processing system, should the ASPSP take into account batches that are in the queue waiting to be processed at the point when the fund confirmation request is made?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Payers right to make use of payment initiation service providers for all types of payment transactions

Shall payers be able to make use of payment initiation service providers for transmitting all types of credit-transfer based online payment orders from their payment accounts?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Alternative strong customer authentication for citizens without mobile

Why does the PSD2 allow banks to deny the access to the electronic financial services to customers without a mobile but with a PC?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Revocation / Invalidation of SCA proof before execution date

In order for a payment instruction to be regarded as 'authorised', is the Account Servicing Payment Service Provider (ASPSP) obliged to verify the strong customer authentication (SCA) proof immediately prior to the execution of each future dated payment instruction? If the ASPSP fails to re-verify the SCA proof, can the ASPSP hold the payer liable in the event of fraud?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Home / host cooperation

Should banks notify only National Competent Authorities (NCAs) of the home Member State when they use Strong customer authentication (SCA) exemptions on Secure corporate payment processes and protocols  (Article 17 of Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication) and Transaction risk analysis (Article 18 of the Delegated Regulation)?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Scope of “additional registrations” as obstacles in the sense of Article 32(3) Delegated Regulation (EU) 2018/389

Is a process that requires Third Party Providers (TPPs) to upload an electronic IDentification, Authentication and trust Services (eIDAS) certificate for receiving additional client credentials before first access to a payment account provided by an Account Servicing Payment Service Provider (ASPSP) to be considered an “additional registration” and therefore an obstacle?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

The implementation of commercial agent exclusion for B2C e-commerce platforms

In what situation a business-to-consumer (B2C) e-commerce platform can be subjected to the exclusion foreseen in Article 3 (b) from PSD2?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Revocation of future dated Payment Initiation Services (PIS) payments

Is the Bank (an ‘Account Servicing Payment Service Provider’(ASPSP)) prohibited under PSD2 from acting on the following unsolicited customer instruction:- Customer asks their Bank to cancel a future-dated payment, or a series of recurring future-dated payments - where the original consent for the payment(s) was given by the customer to a Payment Initiation Services Provider (PISP).In this scenario, is the Bank required to advise the customer that the Bank cannot accept the customer’s instruction to revoke these future payments; and that only a revocation instruction received via the PISP can be accepted by the Bank?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

The implementation of commercial agent exclusion for e-commerce platforms

Should the settlement of the debt by an e-commerce platform be considered a sufficient reason to exclude the e-commerce platform from the scope of PSD2 or an indispensable requirement for a commercial agent mandate?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Consumer explicit consent to the PISP for processing of personal data

Can the presentation by the consumer of its identification data to the merchant (e.g. CustomerID and IBAN through a QR code read by the Point of Interaction (POI)) be interpreted as the consumer providing explicit consent via the merchant to the usage of this data by a Payment Initiation Service Provider (PISP) that has a contractual relationship with the merchant (but not with the consumer) for the processing of data that will enable the initiation of a single (instant) credit transfer with the consumer’s Account Servicing Payment Service Provider (ASPSP), subject to sufficient information about this PISP made available beforehand to the consumer (in accordance with Articles 44 and 45 of PSD2)? Or is the explicit consent of the consumer to the PISP required by way of contract, as mentioned in section 3.2.1 of the EDPB Guidelines 06/2020 on the interplay of Directive 2015/2366/EU (PSD2) and the GDPR?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Information to be provided by the PISP to the payer prior to the initiation of the transaction

Is it sufficient that the merchant makes available upon request by the payer (consumer) the information about the Payment Initiation Service Provider (PISP) in the Point of Interaction (POI) environment before the consumer presents their data (e.g., via a QR code) to meet the requirements of Articles 44 and 45, (2), PSD2?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Elements of possession (SIM card) and knowledge (knowledge-based responses to challenges or questions)

1. Can evidence of possession (SIM card) can also be verified by reading and identifying the phone number used for the phone call? 2. Can a knowledge element be based on a) transaction history of the customer; b) contact information of the customer?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Merchant IDs and SCA

In the situation where Strong Consumer Authentication (SCA) was completed at the time of completing a hotel booking by an Online Travel Agent (OTA) or hotelbrand.com under their Merchant ID but the actual payment will take place at the time of arrival: will the SCA authentication token remain valid for the hotel (merchant) making the charges and its respective Merchant ID?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Pillar 3 data hub

Reporting

Data

Publications

Media centre