Search for Q&As

Enquirers can use various factors to search for a Q&A:

  • These include searching by the Q&A ID, legal reference, date submitted, technical standard / guideline, or by keyword if known.
  • Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

List of Q&As

On the application of SCA when cancelling a payment transaction

Should Account Servicing Payment Service Providers (ASPSPs) apply strong customer authentication (SCA) when cancelling recurring transactions?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

On the use and storage of Personalised Security Credentials (PSC)

Do third party providers (TPPs) have the right to ask for payment service users (PSUs)' Personalised Security Credentials (PSC)? Do TPPs have the right to store PSUs' PSC?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Consumer mandate under Merchant Initiated Transactions

Terms and Conditions to outline future charges (under Merchant Initiated Transactions (MITs)) may be disclosed by the booking entity (such as online travel agent or brand/hotel group) instead of the hotel merchant. Does the consumer acknowledgement of these terms through a party other than the merchant (in this case, the hotel) meet the MIT requirement? Will the merchant in this situation continue to be the hotel, instead of the intermediary?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Merchant Initiated Transactions exemption for hotel transactions

For the following scenarios, does digital acknowledgement by the consumer at time of booking that subsequent charges may be collected adequately meet the requirement for Merchant Initiated Transactions if SCA is also taken at time of booking:

  i. total room charges and applicable taxes disclosed to the consumer when a prepaid rate has been selected.
  ii. deposit amount disclosed to the consumer when the reservation requires payment of a deposit to guarantee the booked room and/or dates.
  iii. disclosed late cancellation or no-show fee incurred by the consumer if the consumer fails to cancel their reservation per the disclosed cancellation policy.
  iv. disclosed descriptions of types of charges that will be processed by the hotel merchant if incurred after payment for the stay has been settled. Examples include but are not limited to charge-to-room meals, spa treatments, retail purchases, mini-bar consumption identified by housekeeping and room damage.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Processing payments for hotel reservations

Can hotels continue to process payments for which strong customer authentication (SCA) has not been completed at the time of reservation, or for charges which do not become apparent until after the customer has departed the hotel and for which he/she may refuse to conclude a first or additional SCA?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Keyed Mail Order or Telephone Order (MO-TO) transactions

In the hotel industry, if a consumer contacts the hotel directly to make a reservation, the hotel may need to manually key the payment details into their payment terminals. Does this qualify as a Mail Order or Telephone Order (MO-TO) transaction?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Treatment of electronic bookings similar to Mail Order and Telephone Orders (MO-TO) transactions

Would hotel use-cases, which include reservations taken by third parties (such as online travel agents or brand/hotel group) for the merchant and subsequent transactions (such as post-booking processing of prepaid rates or deposits, processing of cancellation/no-show fees, processing of post-checkout charges) fall under the scope of Mail Order and Telephone Orders (MO-TO) transactions and are they therefore excluded from the strong customer authentication (SCA) requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Calculation of own funds required for payment institution in the Article 9 of Directive EU 2015/36 (PSD2) when "input funds" are credit transfers and "output funds" are direct debit

How to compute the “total amount of payment transactions executed” referred to in the calculation of “payment volume” for method B in the Article 9 of Directive EU 2015/36 (PSD2) when "input funds" on the payment account are credit transfers and "output funds" are direct debit?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Calculation of own funds required for payment institution in Article 9 of Directive EU 2015/36 (PSD2) when the payment institution offers acquiring services

How to compute the “total amount of payment transactions executed” referred to in the calculation of “payment volume” for method B in the Article 9 of Directive EU 2015/36 (PSD2) when the payment institution offers acquiring services?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

Obstacles to the payment initiation service

Can the impossibility for a Third Party Provider (TPP) to add new beneficiaries for payment initiation, coupled with the impossibility to initiate payments for unregistered beneficiaries, be considered as an obstacle? Besides, as a subsequent question, are delays up to 48 hours in the registration of new beneficiaries an obstacle?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Account Data required by an ASPSP to execute a payment order via a PISP

In the context of Payment Initiation Service (PIS) where a Payment Service User (PSU) payment order is to be carried out, the Payment Initiation Service Provider (PISP) accesses the PSU e-banking account to require a payment. The PSU may: a) hold a single payment account to be debited or b) hold multiple payment accounts where only one of them is to be debited to finalize the payment order (in this case PSU has to select a payment account). With reference to both use cases and in the presence of an Account Servicing Payment Service Provider (ASPSP)’s dedicated interface, may the PSU be obliged to digit the IBAN of the account to be debited each time she/he initiates a transaction? Is the PISP always required to report the account number to be debited in the payment request or may this parameter be managed bilaterally among ASPSP and PSU (e.g.: default payment account, drop-down selection menu during the strong customer authentication (SCA) procedure, communication over Out-of-Band (OOB) channels, etc.)?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Compliance of (1) card data (2) SMS OTP and (3) EMV 3DS behaviour-based inherence as an authentication information with the requirements of PSD2 and RTS on SCA

Could the use of (1) card data (2) SMS One Time Password (OTP) and (3) Europay, MasterCard, Visa (EMV) 3-D secure (3DS) behaviour-based inherence information as an authentication solution be considered compliant with the PSD2 and RTS on strong customer authentication and secure communication requirements?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

TPP access only with PSU involvement

Can a Payment Service User (PSU) allow a Third party provider (TPP) the access to his account only if he is involved?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Usage of SMS for dynamic linking

Please clarify whether payment information and an authentication code sent via SMS to a mobile phone complies with the requirements for Dynamic Linking as defined in Article 5 of the RTS, and in particular paragraph 5.2.

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Exemption of secure corporate payment processes and protocols

Is the exemption of applying strong customer authentication, in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers applicable to both payment initiation and account information services? Or, is it solely applicable to payment initiation service?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Perform SCA by reusing an element used in an authentication exempted from SCA

When an element is used to access the payment account online, in the case the Payment Service Provider (PSP) is allowed not to apply Strong Customer Authentication (SCA) (only applying a single-factor authentication: login + password), is it possible to reuse this element to perform SCA to authenticate a transaction?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Transport and parking exemption for parking and electric vehicle charging

Does the transport and parking exemption under Article 12 of Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication apply to transactions at unattended terminals for the payment of a parking fee that includes electric charging?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Payment Initiation Scope and Trusted Beneficiaries

Should non-payment accounts be listed as trusted beneficiaries where they are exempted from Strong Customer Authentication (SCA) as Beneficiaries of a Payment Transaction?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Using Trusted Beneficiary Lists to Auto Reject PISP Transactions

Is an Account Servicing Payment Service Provider (ASPSP) able to block a Payment Initiation Services Provider (PISP) transaction before attempting Strong Customer Authentication (SCA) if the beneficiary account does not appear in the Payment Services User (PSU)'s regular payee list/trusted beneficiary list?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Strong Authentication

Is one time passcode (OTP) Mail considered as a "Strong Customer Authentication" under Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication?

  • Legal act: Directive 2015/2366/EU (PSD2)
  • COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication