EBA Q&A-Tool
Introduction to the Q&A tool
Via the Q&A tool of the EBA (European Banking Authority), a consistent and effective application of the new regulatory framework across the Single Market is ensured, thereby contributing to the building of the Single Rulebook in Banking. It is important to note that Q&As have no binding force in law, nor are they subject to "comply or explain". However, their application will be rigorously scrutinised and challenged by the EBA and national supervisory authorities. Peer pressure and market discipline are also expected to affect compliance with the answers given in the Q&A tool.
Firstly, questions regarding the practical application or implementation of the relevant directives and delegated acts are collected from anybody, including national supervisory authorities, institutions subject to the provisions of several directives including Directive (EU) 2015/2366 (PSD2), related industry associations, individuals and other entities.
Secondly, the EBA answers the relevant questions and publishes them via the Q&A tool. In our blog, we will focus on uploading those Q&As connected to PSD2 and the respective Regulatory Technical Standards (RTS). Each question and the respective answer of the EBA is available in full length by clicking on the embedded link.
All published Q&As by the EBA regarding PSD2
2019_4681, EBA answer dated 09/08/2019
Question: Payment Service Users (PSUs) communicate with an account servicing payment service provider (ASPSP) via Web using HTTP while mobile PSUs and Third Party Providers (TPPs) via REST Application Programming Interfaces (APIs) but in all cases the processing is done by the same back-end server using the same credentials, authorisations and business logic. In the case of mobile and TPP channels, the APIs are similar and are exposed from the same ASPSP’s gateway. Any issue in the back-end server will result in downtime for all channels. Clarification is required whether this solution is considered as a dedicated interface or not.
2019_4661, EBA answer dated 09/08/2019
Question: Does the Key Performance Indicator (KPI) for the performance of the dedicated interface include the time taken for conducting Strong Customer Authentication (SCA)?
2018_4230, EBA answer dated 09/08/2019
Question: Does the cumulative count / authorised sum amount apply to any contactless authorisation request, regardless of whether the request was approved or not?
2018_4057, EBA answer dated 09/08/2019
Question: Do transactions at vending machines without PIN pad require Strong Customer Authentication (SCA)?
2018_4047, EBA answer dated 09/08/2019
Question: When an issuer delegates strong customer authentication (SCA) to a third party (e.g. a smartphone manufacturer), what are the requirements for such delegation? Should the issuer conduct an evaluation of the technical features and security of the third party’s devices and solutions?
2018_4042, EBA answer dated 19/07/2019
Question: Who is liable for fraud on Strong Customer Authentication (SCA) exempted transactions? Which payment service provider (PSP) is liable (payer’s or payee’s) when both PSPs choose to trigger an exemption to SCA?
2018_4055, EBA answer dated 19/07/2019
Question: Should the PIN transmitted offline from a terminal to a Europay, MasterCard and Visa (EMV) card always be enciphered?
2018_4231, EBA answer dated 19/07/2019
Question: It is not clear whether the comprehensive assessment of the operational and security risks relating to the payment services has to be carried out by the payment service provider (PSP), or whether it can be delegated / outsourced to a third entity (e.g. an external audit firm). In case this is a responsibility of the PSP, it is not clear whether it has to be carried out by the independent internal audit department, or whether it has to be carried out by the department responsible for the risk function in the PSP.
2019_4693, EBA answer dated 14/06/2019
Question: Does the corporate SCA exemption apply only if the payer initiates (and transmits) payments directly to their ASPSP and not for payments transmitted via a 3rd party service provider (i.e. a PISP)?
2019_4679, EBA answer dated 14/06/2019
Question: There are two possible interpretations of the Regulation (EU) 2018/389 (RTS) Article 34 paragraph (2) in the case of payment service providers registered in Member State “A”:
1) The authorisation number is the number of the resolution of the NCA (or its predecessor in title) authorising the provision of payment services for the specific PSP, which is not the same as the Registration number appearing in the NCA’s public register.
2) The authorisation number is the Registration number appearing in the NCA’s public register (which is a reference number formed based on the VAT number).
Please clarify whether interpretation 2) above is in line with the requirements of the RTS? Please clarify whether the 8-digit Registration number (based on the VAT number) appearing in the NCA’s public register, and appearing as “National Identification Number” in the EBA PSD2 register or as “National Reference” in the EBA credit institution register can be used as the “authorisation number” in eIDAS certificates?
2019_4586, EBA answer dated 14/06/2019
Question: Please clarify whether in the EBA’s Opinion on the use of eIDAS under the RTS on SCA and CSC, under Paragraph 11, Qualified Electronic Seals employing a Qualified Seal creation Device are required to provide integrity and authenticity through the reference to Article 35(2) of Regulation (EU) No 910/2014?
2018_4413, EBA answer dated 14/06/2019
Question: Is it required for an Account Servicing Payment Service Provider (ASPSP) to use qualified certificates under eIDAS to identify itself to a Third Party Provider (TPP)?
2018_4400, EBA answer dated 14/06/2019
Question: Are USB drives (containing a certificate) used only by corporate clients compatible with RTS requirements? Can USB drives be considered as payment processes exempted from strong customer authentication?
2019_4601, EBA answer dated 07/06/2019
Question: Are account servicing payment service providers (ASPSPs) required to provide information on the initiation and execution of the payment transaction, including updates, in order for a payment initiation service provider (PISP) to comply with Article 46(a) PSD2 and pursuant to Article 36(1)(b) RTS?
2019_4664, EBA answer dated 07/06/2019
Question: Are mandates for direct debits which are set up without direct involvement of the payer’s PSP subject to SCA requirements?
2018_4040, EBA answer dated 07/06/2019
Question: May payment service providers (PSPs) and card schemes set rounded and easily understandable non-EUR currency equivalents for the EUR thresholds set out in the RTS?
2018_4138, EBA answer dated 07/06/2019
Question: How can Third Party Providers (TPPs) and account servicing payment service providers (ASPSPs) test their interfaces using PSD2 eIDAS-certificates during the testing period prior to September 2019 as it is only mandatory to use PSD2 eIDAS certificates from September 2019 onwards?
2018_4127, EBA answer dated 07/06/2019
Question: Is it acceptable if a payment service provider (PSP) looking to apply the TRA exemption makes a best effort using the information available to them to identify that none of the six individual factors mentioned in Article 18(2)(c) of the Commission Delegated Regulation 2018/389 are applicable, but does not have to actually identify non-applicability of all of these factors to be able to use the TRA exemption?
2018_4060, EBA answer dated 07/06/2019
Question: May lodged and virtual cards benefit from the exemption for secure corporate payment processes and protocols under Article 17 RTS?
2018_4045, EBA answer dated 07/06/2019
Question: Should the fraud rate, in accordance with Article 19 of the RTS, be recalculated every day using the trailing 90 days of data, or should it be recalculated once every 90 days (using the trailing 90 days of data)?
If the fraud rate should be recalculated once every 90 days (using the trailing 90 days of data), can the calculation periods be aligned with calendar quarters? (e.g. the fraud rate for use during Q1 2020 (01-Jan-20 to 31-Mar-20) would be based on fraud data for Q4 2019 (01-Oct-19 to 31-Dec-19)).
2018_4375, EBA answer dated 24/05/2019
Question: When performing the role of a Technical Service Provider (TSP) is the TSP required to update the certificate received from the Third Party Payment Service Providers (TPP) (to demonstrate our involvement) to enable the Account Servicing Payment Service Provider (ASPSP) to authorise the certificate and provide the appropriate requested data back through to the TPP and establish the session? Is this same certificate required for every type of transaction request and must it be real time checked by the ASPSP and how does this impact our role as a TSP?
Also, by introducing a TSP between a TPP and an ASPSP is the concept of private keys and the transport layer broken, due to the introduction of a TSP between the TPP and the ASPSP?
Finally, are there limits to the number of roles involved in the chain in terms of the certification or do we just need to be able to demonstrate the link back to the point of origin for the certificate (the TPP)?
2018_4141, EBA answer dated 24/05/2019
Question: Is it allowed to use the (authenticated) session that a user has after logging in (with or without SCA) as one of the authentication factors when performing SCA for a payment transaction?
For example: A customer logs in with his username & password (knowledge) + SMS One Time Password (possession). Once in his online banking environment he looks at his statements. Within that same session (which ends after 5 minutes of inactivity) he makes a payment.
The question is if for authenticating the payment it is required to perform SCA again or if the authenticated session (based on the previous authentication) and a second SMS One Time Password (possession) that dynamically links the payment would suffice.
2018_4188, EBA answer dated 10/05/2019
Question: In the context of PIS:
(a) shall the ASPSP, upon initiation of the payment session, provide or make available to the PISP the IBANs/account numbers for all payment accounts from which the user can transfer funds, and the associated currencies; and
(b) shall the ASPSP, in each communication session, provide or make available to the PISP/AISP the name of the payment service user that is accessing the accounts.
2018_4429, EBA answer dated 26/04/2019
Question: Should the limits according to Article 16 RTS be applied to the account itself (account holder and authorized persons together) or should they be applied to the account holder (owner) and each authorized person (i.e. proxy of the account holder) separately?
Subsequently, should the limits be applied to all remote payment transactions together or should, e.g., card transactions and credit transfers be counted separately? Also, should the limit be applied to all cards belonging to one person together or should the limit be applied to each card separately?
2019_4638, EBA answer dated 26/04/2019
Question: Could three months’ data, showing wide usage of the dedicated interface, produced in one Member State by a regulated entity (ASPSP) belonging to an ASPSP Group, be used as evidence to support the ‘widely used’ condition in a further Member State for a separate regulated entity (ASPSP) belonging to the same ASPSP Group, on the condition that both entities employ the same dedicated interface?
2019_4630, EBA answer dated 26/04/2019
Question: Is the use of eIDAS certificates mandatory for accessing payment accounts via dedicated interfaces (APIs) already prior to the application date of the Commission Delegated Regulation (EU) 2018/389, i.e. 14 September 2019?
2019_4507, EBA answer dated 26/04/2019
Question: Who shall be the Subject Distinguished Name (DN) in the situation described in EBA Opinion on eIDAS (EBA-Op-2018-7) item 21? Does information on agents or outsource providers have to show up in the certificates?
2018_4432, EBA answer dated 26/04/2019
Question: Do Account servicing payment service providers (ASPSPs) have to check that third party providers (TPPs) are authorised to operate in their Member State via freedom to deliver services passporting? If so, how shall this be done?
2018_4439, EBA answer dated 12/04/2019
Question: Could – or should – the fraud rate for the TRA exemption be calculated per member state where a PSP provides payment services (one legal entity with branches in different countries), or should the fraud rate be aggregated as one for the whole legal entity?
2018_4163, EBA answer dated 12/04/2019
Question: Article 33, § 6 of the RTS for strong customer authentication and common and secure open standards of communication (the “RTS”) provides that “Competent authorities, after consulting EBA to ensure a consistent application of the following conditions, shall exempt the account servicing payment service providers that have opted for a dedicated interface from the obligation to set up the contingency mechanism […]” (the “fall back exemption”). a) Which authority – the home authority or the host authority – is the competent authority under Article 33, § 6 of the RTS, when the “fall back exemption request” concerns the dedicated interface used in a Member State where a branch of the ASPSP is located? b) Does the answer differ if the same dedicated interface is used in the home Member State and in the host Member State where a branch is located?
2019_4609, EBA answer dated 29/03/2019
Question: How would account servicing payment service providers (ASPSPs) identify entities that have applied for authorisation as a TPP?
Should ASPSPs offer access to their testing facility to entities that are not (i) authorised payment service providers or (ii) entities that have applied for authorisation as a TPP (e.g. technical service providers)? If the answer is ‘yes’, should ASPSPs offer the same level of service to the referred entities?
2018_4140, EBA answer dated 22/03/2019
Question: If an Account Servicing Payment Service Provider (ASPSP) is denied the waiver to the fall-back by a National Competent Authority (NCA) (i.e. on 13 September 2019), will the ASPSP still have 2 months to build the fall-back?
2018_4360, EBA answer dated 08/03/2019
Question: Has the exemption related to a trusted beneficiary to be applied on an account basis or rather to a list of accounts included in an online banking agreement? Whose list has to be considered in case of a power of attorney where the initiator is not the account owner? What happens in case of a shared account where each one holds his own trusted beneficiary lists?
2018_4031, EBA answer dated 01/03/2019
Question: Are card payments that are initiated by the payee only on the basis of (1) an initial mandate by the payer authorizing the payee to initiate the periodic payments and (2) a pre-existing agreement between the payer and the payee for the provision of products or services, subject to the RTS SCA requirements?
2018_4404, EBA answer dated 01/03/2019
Question: Are the subsequent instance of card payment recurring transactions (other than the first, initial one) and of instalment transactions (again, subsequent to the initial one) transactions initiated by the payee only?
2018_4131, EBA answer dated 01/03/2019
Question: Please clarify whether standing agreements between a customer and a merchant resulting in subsequent billing (irregular or otherwise) are to be considered payee-initiated transactions, and as such excluded from the SCA requirement.
2018_4058, EBA answer dated 01/03/2019
Question: Do transactions initiated via Interactive Voice Response (IVR) solutions qualify as telephone orders and are therefore excluded from the scope of the RTS SCA requirements?
2018_4359, EBA answer dated 22/02/2019
Question: When processing SEPA Direct Debits electronically (assuming that the Direct Debit mandate has been signed digitally), does SCA apply to transactions? If not, what is the legal basis for this exemption?
2018_4226, EBA answer dated 08/02/2019
Question: What activity can be considered a proper application of strong customer authentication according to the Article 11 Paragraph b of the Commission Delegated Regulation (EU) 2018/389?
2018_4071, EBA answer dated 08/02/2019
Question: Is it sufficient to publish the measures to restore the system and the further descriptions on the website in an area, which is secured by the certificates of the payment service providers?
2018_4053, EBA answer dated 08/02/2019
Question: Is a 3 decimal-digit authentication code, which (1) is unique per each transaction and (2) complies with the other security requirements set out in Article 4 RTS, compliant with the RTS?
2018_4366, EBA answer dated 08/02/2019
Question: Article 22, 2(a) states that "personalised security credentials are masked when displayed and are not readable in their full extent when input by the payment service user during the authentication". Is it OK to offer the user a "show password" button, so the user can verify that the correct password has been entered, before fulfilling an authentication?
2018_4128, EBA answer dated 25/01/2019
Question: For the seamless management of the Article 13 exemption, should ASPSPs provide a feature that: 1) informs Acquirers and PISPs whether the payee is included in the payer’s list of trusted beneficiary; and 2) allows Acquirers and PISPs to suggest new entries or amendments to a payer’s list of trusted beneficiaries?
2018_4188, EBA answer dated 25/01/2019
Question: In the context of PIS:
(a) shall the ASPSP, upon initiation of the payment session, provide or make available to the PISP the IBANs/account numbers for all payment accounts from which the user can transfer funds, and the associated currencies; and
(b) shall the ASPSP, in each communication session, provide or make available to the PISP/AISP the name of the payment service user that is accessing the accounts.
2018_4081, EBA answer dated 25/01/2019
Question: Shall names and surnames associated with payment accounts be displayed through the Application Programming Interface (API)?
2018_4123, EBA answer dated 11/01/2019
Question: May the requirement by the ASPSP for the PSU to give additional explicit consent in order to be allowed to use the services provided by TPPs, in addition to the consent given by the PSU to the TPP, be considered an ‘obstacle to the provision of payment initiation services and of account information services’ pursuant to Article 32 of the RTS?
2018_4038, EBA answer dated 11/01/2019
Question: For contactless-only devices that (1) do not have a contact interface and (2) do not support on-device authentication, may the counters for the application of the low-value contactless exemption be reset through an out-of-band mechanism such as a mobile phone application?
2018_4043, EBA answer dated 21/12/2018
Question: Is it acceptable to calculate the fraud rate for the application of the TRA exemption per ETV band?
2018_4068, EBA answer dated 21/12/2018
Question: Is it acceptable to abstain from applying the 5-minute-rule when the strong customer authentication (SCA)-exemption for payment account information is in use?
2018_4120, EBA answer dated 21/12/2018
Question: Should a Payment Service User (PSU) recreate a list of trusted beneficiaries that was already approved in accordance with the EBA Guidelines on the security of internet payments?
2018_4210, EBA answer dated 21/12/2018
Question: Is the intention that the ‘4 times in 24 hour period’ is implemented based on 4 sessions for access to account information per consented customer account, or 4 Application Programming Interface (API) calls (where APIs are used for the dedicated interface) for account information, or another basis?
2018_4238, EBA answer dated 21/12/2018
Question: Could a signature performed on the screen of a digital device be considered a valid factor in a two-factor strong customer authentication (SCA) under the RTS – and what type of element is it?
2018_4309, EBA answer dated 21/12/2018
Question: Could the consent to Account Information Service Providers (AISP)/ Payment Initiation Service Provider (PISP) to provide services to a Payment Service User (PSU) also be revoked by the bank directly for PSU’s ease of use and could ASPSPs offer the PSU to generally “opt out” of being able to use the services of bank-independent Third Party Providers (TPPs)?
2018_4176, EBA answer dated 14/12/2018
Question: Does a branch of an EU credit institution operating in another Member State have to prepare separate assessment for its payment related activity and if yes which competent authority shall be responsible for receiving the assessment – is it the competent authority of the host or the home Member State?
2018_4239, EBA answer dated 14/12/2018
Question: Is Article 17 of Regulation (EU) 2018/389 applicable for the payer’s Payment service provider (PSP) for card-based payments?
2018_4172, EBA answer dated 14/12/2018
Question: How should ‘active request for account information’ by a Payment Service User (PSU) be interpreted in the wording of Article 36(5)(a)(b) of the RTS SCA?
2018_4144, EBA answer dated 14/12/2018
Question: Must Payment Service Providers (PSPs) submit major incident reports to their home National Competent Authority (NCA) when the cause of the major incident is outside the control of the PSP and when updates on the major incident are dependent on information provided by a third party?
Where there is consolidated reporting of an incident to the EBA/ECB in the context of, for example, card payments schemes, is reporting of the major incident by PSPs to their NCA under PSD2 required?
2018_4048, EBA answer dated 14/12/2018
Question: Is Strong Customer Authentication (SCA) required if the series of recurring transactions was initiated before the date of application of the RTS?
2018_4032, EBA answer dated 07/12/2018
Question: Should ‘friendly’ frauds be included in the “total value of unauthorised or fraudulent remote transactions” considered for the calculation of the fraud rates for the application of the TRA exemption?
2018_4177, EBA answer dated 09/11/2018
Question: Could Payment Service Providers (PSPs) be allowed to choose between applying SCA or not when a PSU (Payment Service User) accesses payment transaction data older than the last 90 days without having access to sensitive payment data, and for a period of 90 days after its last access using SCA?
2018_4049, EBA answer dated 26/10/2018
Question: Is persistent authentication for wearable devices compliant with the RTS?
2018_4033, EBA answer dated 26/10/2018
Question: May a PSP calculate its fraud rate at the level of individual brand, product or scheme?
2018_4155, EBA answer dated 26/10/2018
Question: Should all audit reports required under Article 3 of the RTS on strong customer authentication and secure communication be monitored by the competent national authorities?
And, what are the consequences if the audit report addressing the audit (referred to in Article 3, paragraph 1 of the RTS) shows significant findings?
2018_4076, EBA answer dated 26/10/2018
Question: Do the TPPs have the right to access trusted beneficiaries lists in write mode?
2018_4065, EBA answer dated 26/10/2018
Question: Is it necessary to stop the complete web session or would it be enough to deactivate the relevant items of PSD2 and to reduce the display to the available balance so trading functionality in the same session can stay available?
2018_4052, EBA answer dated 26/10/2018
Question: Is there a need for Europay, MasterCard, Visa (EMV) cards and EMV terminals supporting online authentication in compliance with the RTS to support also offline authentication?
2018_4035, EBA answer dated 26/10/2018
Question: May an authorized PSP other than the issuer and acquirer apply the TRA exemption on the basis of its own fraud rate and risk analysis?
2018_4152, EBA answer dated 26/10/2018
Question: Should the Audit for the implementation of the security measures be incorporated into an existing ISAE3402 report or COS3000 report or should a separate report be used?
If a separate report should be used: Are there any templates available for reporting?
Also, how detailed should the report be? Finally, should both design and operating effectiveness be tested of the requirements stated in the RTS articles?
2018_4153, EBA answer dated 26/10/2018
Question: Are internal auditors able to perform the audits as mentioned in paragraphs 1 and 2 of the RTS on strong customer authentication and secure communication?
Is there a difference in the answer of this question between the audit as referred to in paragraph 1 and 2 of Article 3 of this RTS?
2018_4089, EBA answer dated 19/10/2018
Question: Does the exemption to the strong customer authentication (SCA) apply to any connection the payment service user (PSU) makes to his/her payment account(s), or only to the connections made through the use of third party processors (TPPs, such as AISPs or PISPs) via the interfaces (dedicated or not) set up by the bank with the TPPs, when a transaction risk analysis is performed and results in a low level of risk? That is, are the connections made via the traditional online banking or the mobile application that the financial institution (the bank) provides to the final user also eligible for a transaction risk analysis and, if a low level of risk is identified, for the exemption to the SCA? Or do the PSD2, and specifically the RTS on SCA and secure communication, not apply to the traditional connections performed by the PSUs to their payment accounts via online banking or mobile application provided by the bank (ASPSP), and do they not mandate the application of transaction monitoring in such cases?
2018_4090, EBA answer dated 05/10/2018
Question: Article 2(1) of the RTS stipulates that "payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorised or fraudulent payment Transactions…" and Article 2(2) explains the minimum requirements.
However, Article 2 does not specify timing aspects of the transaction monitoring.
Is it correct to conclude that the transaction monitoring described in Article 2 does not need to be real time?
2018_4039, EBA answer dated 05/10/2018
Question: Please clarify whether a One-Time Password (OTP) sent via SMS to a mobile phone qualifies as an ownership factor (“something only the user possesses”), and shall be subject to Article 7 of the RTS on strong customer authentication and secure communication.
2018_4041, EBA answer dated 05/10/2018
Question: For remote card transactions, may the user be informed of the incorrect authentication factor in case of a failed authentication attempt provided this does not increase the risk of fraud (e.g. for in-app transactions)?
2018_4056, EBA answer dated 21/09/2018
Question: May the exemption for transactions to trusted beneficiaries (‘white-listing’) set out in Article 13 of Regulation (EU) 2018/389 (RTS on strong customer authentication and secure communication) apply to face-to-face transactions?