Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Type of submitter:
Subject Matter:
Information to be provided / made available by ASPSP to payment initiation service provider (PISP)

In the context of PIS:

(a) shall the ASPSP, upon initiation of the payment session, provide or make available to the PISP the IBANs/account numbers for all payment accounts from which the user can transfer funds, and the associated currencies; and

(b) shall the ASPSP, in each communication session, provide or make available to the PISP/AISP the name of the payment service user that is accessing the accounts.

Background on the question:

ASPSPs have under the RTS the optionality to offer a dedicated interface and there is a debate about what data elements should be available to the PISP through such interface. As such it is of importance that the market gets clarity on this topic.

Question a) is based on PSD2 Article 4(32) that specifically states that the account number does not constitute sensitive payment data. Similarly, if the PSU has accounts in different currencies, the PSU needs to be able to choose from which account the payment transaction should be made, allowing the PSU to pay in the same currency as the item/service he is buying is priced in (or else the PSU would be subject to unnecessary FX transaction fees).

Question b) is based on Article 4(32) PSD2 specifically states that ‘sensitive payment data’ means data, including personalised security credentials which can be used to carry out fraud. For the activities of payment initiation service providers and account information service providers, the name of the account owner and the account number do not constitute sensitive payment data and may is needed e.g. in order to support refunds to PSUs.

Date of submission:
Published as Final Q&A:
EBA Answer:

a) Article 66(3)(f) PSD2 states that payment initiation services (PIS) providers shall not request from the payment service user any data other than those necessary to provide the payment initiation service. It follows from this provision that the account servicing payment service provider (ASPSP) is only required to provide or make available the information necessary for the provision of the PIS. As it is always the payment service user that specifies the account the transaction shall be initiated from, there is no need for the ASPSP to provide or make available to the PIS provider a list with all the account numbers of the payment service user and the associated currencies, as long as this would not create obstacles for the provision of PIS as per Article 32(3) of the Commission Delegated Regulation 2018/389.

b) Q&A 2018_4081 sets out that ASPSPs shall provide or make available the name of the Payment Service User (PSU), if it is necessary for the provision of the PIS or the account information service.

*As of 10/05/2019 a clarification was added to this answer where the new text is underlined.



This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.

Final Q&A