Search for Q&As

Enquirers can use various factors to search for a Q&A:

These include searching by the Q&A ID; legal reference, date submitted, technical standard / guideline, or by keyword if known.
Searches can be extended to more than one legal act, topic, technical standard or guidelines by making multiple selections (i.e. pressing 'Ctrl' on your keyboard, and selecting the relevant ones from the drop-down lists by left mouse-click).

Disclaimer:

Q&As refer to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Please note that the Q&As related to the supervisory benchmarking exercises have been moved to the dedicated handbook page. You can submit Q&As on this topic here.

Legal act

Topic

Article

COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations

Answer prepared by

Period posted start

Period posted end

Publication start

Publication end

Keywords

Question ID

Final Q&As Q&As under review Rejected Q&As Archived Q&As All Q&As

Export options

Select / deselect all results on this page

List of Q&A's

Unattended terminals and Transaction Risk Analysis (TRA) exemption and related Payment Service Providers (PSP)’s liabilities rules

Provided that both the payer’s Payment Service Provider (PSP) and the payee’s PSP can apply the strong customer authentication (SCA) exemption, without prejudice to the last say of the payer’s PSP, can a payment made at highway toll booths be treated as the one performed at the unattended terminals for transport fares?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Scope of contingency mechanism

Should the interfaces – referred to in Article 33(4) of the RTS - be interpreted to include not only the internet banking interface of the account servicing payment service provider (ASPSP) but also its proprietary mobile banking interface?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Define what is “given period of time”

What constitutes a “given period of time” as expressed in Article 4.3 (b) of the RTS on strong customer authentication and secure communication?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

EBA register providing a list of third party providers (TPPs)

1° Does the EBA register under PSD2 provide a list of third party providers (TPPs)?2° If yes :2.1 Could you provide a procedure to get a TPP list?2.2 Should we filter on services 5 (Payment Initiation Service Provider (PISP) / Card Based Payment Instrument Issuer (CBPII) use case), 7 Account Information Service Provider (AISP) and 8 Payment Initiation Service Provider (PISP) to get the complete list of TPP?2.3 Agents can also provide services 5a, 7 and 8: In the downloadable JSON file, it is possible to find agents who are mandated by PSPs; however, the services offered by these agents are not indicated. Are the agents mandated by a PSP providing services 5A, 7 and 8 to be included in the TPP list?2.4 is the registry downloadable automatically? If yes, how?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2019/411 - RTS on EBA register under PSD2

Categories of Registration

Is it a requirement that all EU countries include the categories the institution is approved for within their respective registers i.e. in their publicly available data? Also are these categories available in a consistent and standard format across the EU such that anyone inquiring about a firm in more than one country has an easily recognisable and usable response

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2017/09 - Guidelines on authorisation and registration under PSD2

Dynamic linking: transactions for which the final amount is unknown and may be lower or higher than authenticated amount

For remote card transactions, is it acceptable that there are legitimate cases where the final amount may be lower or higher than the amount authenticated by the cardholder?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Signature on a paper slip from a payment terminal, as a factor in a two-factor SCA

Could Signature on a paper slip from a payment terminal, be considered a valid factor in a two-factor strong customer authentication (SCA) under the RTS – and what type of element is it?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Definition of payee for dynamic linking

Article 5 of the RTS on strong customer authentication and secure communication requires the authentication code to be specific to the amount of the payment transaction and the payee.Does it suffice to include a meaningful part of the identifier into the calculation of the authentication code? For instance, would it suffice to include only numeric characters of the IBAN in the calculation of the authentication code?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Dynamic Linking for batch payments

With regards to dynamic linking for a batch of remote electronic payments, should the authentication code be linked to each and every IBAN of all the beneficiaries in a batch file?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Dynamic linking for batch transactions

In relation to payment transactions for a batch of remote electronic payments to one or several payees, please clarify whether the payer needs to be made aware of every payee in the batch?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Data authentication standards

Does a non-remote card payment transaction with a secure, dynamic data authentication of the card (DDA or higher), based on ISO/IEC 7816 (for contact cards) and ISO/IEC 14443 (for contactless card) used with a static PIN meet the requirements of Article 4 of the RTS on Strong Customer Authentication (SCA)?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Scope of ‘initiation of an electronic payment transaction’

Does a card payment transaction, authenticated with a signature at the point of sale, fall under the scope of Article 97 (I) (b) PSD2? Is there a difference if the signature is provided on a paper or on a signature pad (e.g. electronic signature pad or signature capture at a payment terminal)?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Confidentiality of the application cryptogram for EMV transactions

Are EMV (Europay, MasterCard, Visa) transactions (for which the application cryptogram is not enciphered during its transmission) compliant with the RTS on strong customer authentication?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Compliance with SCA in offline mode on an aircraft without internet connection

How can Strong Customer Authentication (SCA) be applied in an offline environment onboard an airplane when chip and pin cannot be verified with a Point of Sale (POS) device? Specifically, how is dynamic linking achieved in an offline mode for airlines who don't have internet connectivity but instead have a closed wireless network to be able to make purchases onboard an aircraft?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Unsuccessful authentications and declined transactions effect on the counters of cumulative amount and number of consecutive transactions

Do failed authentications or declined transactions increase the counters of cumulative amount or number of hits?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Transaction Risk Analysis (TRA) exemption – Time period for calculation of initial fraud rate

What is the relevant time period to use when calculating the initial fraud rate for use when the Strong Customer Authentication (SCA) comes into force?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

3 month notification period on interface changes to ASPSPs’ interfaces

Do account servicing payment service providers (ASPSPs) need to adhere to a 3 month notification period for all interface changes, or only for breaking interface changes, as specified in the RTS on on strong customer authentication (SCA) and secure communication (CSC) Article 30 Paragraph 4?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Applicability of exemption under RTS Article 16 for payee’s PSPs (acquirers)

Can an exemption under Article 16 of the RTS on strong customer authentication and secure communication be applied by the payee’s payment service provider (PSP) (the acquirer) for card-based payments?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Applicability of exemption under RTS Article 11 for payee’s PSPs (acquirers)

Can an exemption under Article 11 of the RTS on strong customer authentication and secure communication be applied by the payee's payment service provider (PSP) (the acquirer) for card-based payments?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Contactless counting

For the purpose of counting previous cumulative contactless transactions in order to assess the eligibility of the exemption in Article 11 of the RTS, should contactless transactions initiated outside of the EEA be included?

Legal act: Directive 2015/2366/EU (PSD2)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Organisation and governance

Legal and policy framework

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre