Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Name of institution / submitter:
European Payment Institutions Federation (EPIF)
Country of incorporation / residence:
Type of submitter:
Industry association
Subject Matter:
Trusted Beneficiary exemption – Management of the exemption, information flows between PSPs in the payment transaction

For the seamless management of the Article 13 exemption, should ASPSPs provide a feature that: 1) informs Acquirers and PISPs whether the payee is included in the payer’s list of trusted beneficiary; and 2) allows Acquirers and PISPs to suggest new entries or amendments to a payer’s list of trusted beneficiaries?

Background on the question:

A payer can create a list of trusted beneficiaries through their ASPSP, as stipulated by Article 13.

We can imagine payment situations and use cases where performing a strong customer authentication by the ASPSP could prove difficult, lengthy, or complex. Therefore, merchants would be willing to propose SCT based payments only when having a reasonable chance that no SCA will be required. Additionally, merchants could understandably be very reluctant to communicate their IBAN to their customers in order for them to add them to their Trusted Beneficiary List.

To ensure a seamless customer experience, it would be beneficial for an Acquirer or PISP to allow payers to be able, in a secure and controlled way to trigger the addition to the Trusted Beneficiary List (at the time of a customer registration, or upon a first transaction, which would require an SCA) through the ASPSP or to be able to query the list in order to check whether he is on the list and has a reasonable chance to avoid the ASPSP to require an SCA.

Date of submission:
Published as Final Q&A:
EBA Answer:

It follows from Article 66(3)(f) and (g) PSD2 that account servicing payment service providers (ASPSPs) shall provide payment initiation services (PISPs) with or make available the information required for the provision of the payment initiation service (PIS). As it is ultimately the ASPSP that applies strong customer authentication (SCA) or decides whether or not to apply an exemption, including the exemption on trusted beneficiaries as stated in Article 13 of the Commission Delegated Regulation (EU) 2018/389, the information as to whether or not a payee is on the list of trusted beneficiaries is not necessary for the provision of the PIS. This may be different if the ASPSP and the PISP agree that SCA is performed by the PISP and if it is agreed that the PISP is allowed to apply the exemption in Article 13.

In as far as acquirers are concerned, paragraph 45 of the EBA opinion on the implementation of the RTS on SCA and common and secure communication, EBA-Op-2018-04, June 2018 clarifies that the exemption laid down in Article 13 of the Commission Delegated Regulation (EU) 2018/389 applies to both credit transfers and card-based transactions. However, in both cases the payee’s Payment Service Provider (PSP) is not allowed to apply this exemption (see also table 2 in the EBA opinion on the implementation of the regulatory technical standards on SCA and common and secure communication, EBA-Op-2018-04, June 2018, paragraph 40). From this it follows that the ASPSP is not obliged to inform the acquirer if the payee is included on the trusted beneficiaries list, and by extension is not obliged to share the trusted beneficiaries list with the acquirer or payee.

As regards the second question, Article 13 of the Commission Delegated Regulation (EU) 2018/389 outlines that the PSP shall apply SCA where a payer creates or amends a list of trusted beneficiaries through its ASPSP. This therefore means as highlighted in Q&A 2018_4076 that the beneficiary list is maintained by the ASPSP, but created by the payment service user (PSU) and can only be changed or amended by the PSU in the ASPSPs domain. It follows that no suggestions for new entries or amendments are allowed to be made by PSPs to the PSU’s list of trusted beneficiaries within the ASPSPs domain, but ASPSPs can design their banking environment in such a way that it would be easy for a PSU to add a new trusted beneficiary to its own list within the ASPSPs domain.


This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.


Final Q&A