Search for Q&As

Enquirers can use various factors to search for a Q&A:

These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Legal act

Topic

Article

COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations

Answer prepared by

Period posted start

Period posted end

Publication start

Publication end

Keywords

Question ID

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

Export options

Select / deselect all results on this page

List of Q&A's

Authentication process of the PSU with the ASPSP in a combined AIS and PIS journey in a redirection approach

Consider an ASPSP that offers a dedicated interface using a redirection approach. To fulfill the requirement that PSUs using a PIS should not have to enter their own account details, the ASPSP allows TPPs that have an AIS license to retrieve the list of all the PSU’s payment accounts via the interface so that the account can be selected in the TPP’s domain.  Does the ASPSP create an obstacle in the sense of Article 32(3) of Commission Delegated Regulation (EU) 2018/389 if  it forces a PSU who is initiating a payment through a PISP without entering the own IBAN to perform full SCA twice while a PSU who initiates a payment through the ASPSP’s customer interface needs to perform full SCA only once, while the second authentication requires entering only one element of SCA?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

the use of strong and widely recognized encryption techniques

All strong and widely recognized encryption techniques (e.g. RSA and ECC) currently available on the market must be provided by the account servicing payment service providers or only that encryption technique which is indicated in the documentation of the technical specification of the API in accordance with Article 30(3) of the RTS on SCA & CSC shall be provided?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

SCA exception for Contactless only terminals (SoftPOS) in case of emergency

We are in the process of developing a backup solution for our SoftPOS terminal application, intended for use during exceptional circumstances such as cyber-attacks or other disruptions to internet connectivity and acquirer systems. As SoftPOS terminals operate exclusively with contactless transactions, and contactless transactions does not support Offline PIN, it is technically not possible to perform Strong Customer Authentication (SCA) in offline mode. We would like to confirm whether, under these conditions, it is acceptable to process offline contactless transactions without applying SCA and follow Directive (EU) 2015/2366 article 0 (15)

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Knowledge element of SCA.

Can an API key be considered as a Knowledge element of SCA?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Criteria for selecting the operations to be included in the calculation of fraud rates for the transaction risk analysis (TRA) exemption

Which of the following would be the correct temporal criterion for selecting the unauthorized transactions to be included in the numerator of the fraud rates calculated for the transactions risk analysis (TRA) exemption? a) the transaction date, i.e., the date on which the transaction was executed regardless of the date on which it is classified as unauthorized or fraudulent b) the registration date, i.e., the date on which the transaction is registered as unauthorized or fraudulent regardless of the date on which it was carried out 

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Secure corporate payment processes and protocols and inactivity time period

May the period time of inactivity required by the (EU) 2018/389 - RTS on strong customer authentication and secure communication (hereinafter: RTS on SCA & CSC) Article 4 (3) (d) be changed from 5 minutes to 20 minutes if the exemption based on Article 17 of RTS on SCA & CSC has been granted by the competent authority to the Payment service provider?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Mobile Banking Services and SCA in the same app

We use a mobile app, software installed in a separate sandbox on a multi-purpose device, for the elements of strong customer authentication. Is it correct to assume that Article 9 (in COMMISSION DELEGATED REGULATION (EU) 2018/ 389) does not prevent us from offering mobile banking services through the same app?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Eligibility of communication by AISPs with ASPSP throughout two access interfaces in parallel

Question no 1: Do art. 30(1), art. 31 and art. 33 of the Commision Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (”RTS”) should be interpreted in that manner, that in scenario, where account servicing payment service provider (”ASPSP”) has introduced a so-called dedicated interface within a meaning of art. 31 RTS, which meets requirements provided for in art. 32 and 33 RTS, than ASPSP has a right and it is up to ASPSP’s sole discretion, whether, for purposes of communication with account information service providers (”AISPs”), to: make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS (i.e. dedicated interface and interface made available to the payment service users for the authentication and communication with their ASPSPs); or make available to AISPs only dedicated interface (without prejudice to, among others, contingency measures set forth in art. 33 RTS)? Question no 2: If answer to question no 1 is that in scenario of introduction by ASPSP of dedicated interface, ASPSP has a right and it is up to ASPSP’s sole discretion to make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS (i.e. dedicated interface and interface made available to the payment service users for the authentication and communication with their ASPSPs), does this mean that AISPs, with observation of further requirements set forth in art. 30, art. 34 and art. 35 RTS, might communicate with this ASPSP, in parallel, throughout both access interfaces? Question no 3: If answer to question no 1 is that in scenario of introduction by ASPSP of dedicated interface, ASPSP has no right and it is not up to ASPSP’s sole discretion to make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS, i.e. a contrario ASPSP is allowed to make available to AISPs only dedicated interface (without prejudice to, among others, contingency measures set forth in art. 33 RTS), does ASPSP is under obligement to engange necessary and proportional measures, including technical measures, for AISPs to communicate with ASPSP only via dedicated interface, i.e. with exclusion of interface made available to the payment service users for the authentication and communication with their ASPSPs? Question no 4: If answer to question no 1 is that in scenario of introduction by ASPSP of dedicated interface, ASPSP has no right and it is not up to ASPSP’s sole discretion to make available to AISPs, in parallel, two access interfaces, as referred to in art. 31 RTS, i.e. a contrario ASPSP is allowed to make available to AISPs only dedicated interface (without prejudice to, among others, contingency measures as set forth in art. 33 RTS) but nevertheless ASPSP has not engange necessary and proportional measures, including technical measures, for AISPs to communicate with ASPSP only via dedicated interface, i.e. with exclusion of interface made available to the payment service users for the authentication and communication with their ASPSPs, does this fact in any measure reflects AISPs right to communicate with this ASPSP throughout both access interfaces, or whether AISPs should undertake any additional actions, and if yes, what kind of actions?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Trusted Beneficiaries

Please clarify whether under Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication (hereinafter: RTS on SCA & CSC) is it allowed to use the same SCA element to authorize a payment and at the same time (using the same session ID) approve (technically using by a checkbox) the payee as a trusted beneficiary? If it is allowed, the payment service user (hereinafter: PSU) shall be informed (prior to authorisation) by an approval SCA element (SMS) about the payment execution and about modifying the list of the trusted beneficiaries as well?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Exemption from strong customer authentication

Do the revisions to Art.10 set out in Commission Delegated Regulation (EU) 2022/2360 of 3 August 2022 amending the regulatory technical standards laid down in Delegated Regulation (EU) 2018/389 as regards the 90-day exemption for account access mean that a payment service user or account information service provider is now limited to accessing only the account balance OR the transaction details for the last 90 days when availing of the revised exemption?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

App to app redirection with biometrics for PIS

Are ASPSPs required to offer redirected authentication with biometrics to users accessing their payment accounts through an AISP or initiating a payment through a PISP, if they offer redirected authentication with biometrics to users accessing accounts or initiating payments directly via the ASPSP?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Period to be covered by statistics pursuant to Article 32(4) of Commission Delegated Regulation (EU) 2018/389

Which period should the statistics to be published by ASPSPs under Article 32(4) of Commission Delegated Regulation (EU) 2018/389 cover in total?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Evidences / Records to be stored by account servicing payment service providers (ASPSP) for payment initiation service (PIS) and account information service (AIS) requests

Shall ASPSP keep record of PIS requests received through a PISP and evidences on the authenticity and execution of these payment transactions when SCA is managed by ASPSP ?  Shall ASPSP keep record of the consent of the PSU and also of the AIS requests received through an AISP ? For both evidences is there any specific retention period ?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

SCA for token replacement

Is SCA required for the replacement of a tokenized card happening in the background without any ‘action by the payer’ under Article 97(1)(c) PSD2 in the following cases: Expiry of the token and update of the token Replacement of the card, and the new card has a different BIN/Account Range (e.g., for product graduation, such as standard to gold, or simple BIN management) and/or different functionalities Technical and/or configuration changes to the issuer’s BIN configuration (such as migrating from 6 to 8 digit BINs) In all these cases, the existing tokenized credentials have been initially associated with SCA to the user under Article 24(2)(b) RTS, and this is solely a technical replacement of the token. credentials have been initially associated with SCA to the user under Article 24(2)(b) RTS, and this is solely a technical replacement of the token.

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

SCA applicability / Application of SCA at tokenisation stage

Does the authentication to unlock the mobile device count as one of the elements of strong customer authentication when a payment service user is tokenising a card on an e-wallet solution such as Apple Pay?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Authentication procedures that ASPSPs’ interfaces are required to support (using re-direction)

In a pure redirection-based approach, can an ASPSP, which is not offering a mobile web browser to its PSU’s, decide not to support  an authentication via a mobile web browser authentication page (no app-to-mobile web browser or mobile web browser-to-mobile web browser  redirection) for PISPs/AISPs on the basis of duly justified security risks, without being considered a breach of Article 97 (5) PSD2 and Article 30(2) of the RTS on SCA and CSC and/or an obstacle under Article 32(3) of the RTS on SCA and CSC?  

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Application of SCA for confirmation of funds requests made by a PISP

1) Should two SCAs be applied when a fund confirmation is made by a PISP? i.e. one for fund confirmation and one for payment initiation? 2) Should ASPSPs provide confirmation to a CoF request made by a PISP before or after the payment is submitted?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Arbitrating between security and obstacles

Can an Account Servicing Payment Service Provider (ASPSP) know a mobile phone number inside of the Third Party Provider (TPP)’s organisation in order to send a decryption password to the TPP out-of-band via SMS?   

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Ability of Payee’s PSP to apply exemptions from SCA in credit transfers

Can the Payee’s Payment Services Provider (PSP) apply an exemption from strong customer authentication (SCA) in credit transfers that are initiated through the payee?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Change of TPP access rights for AIS consent by the PSU prior to authorisation

A clarification / harmonised guidance on the Scope of the Bank Offered Consent, as defined in the Berlin Group standard, is needed.

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Pillar 3 data hub

Reporting

Data

Publications

Media centre