Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Disclose name of institution / entity:
Name of institution / submitter:
Central Bank of Malta
Country of incorporation / residence:
Type of submitter:
Competent authority
Subject Matter:
Dynamic Linking for batch payments

With regards to dynamic linking for a batch of remote electronic payments, should the authentication code be linked to each and every IBAN of all the beneficiaries in a batch file?

Background on the question:

Article 5 of the RTS on SCA and CSC mandates that when payment service providers apply strong customer authentication, the authentication code generated is specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction. Moreover, in relation to the execution of a batch of remote electronic payment transactions, Article 5(3)(b) states that the authentication shall be specific to the total amount of the batch of payment transactions and to the specific payees.

While dynamic linking for single payment transactions can be can be relatively easy to implement, as there is a single IBAN and amount, the market is concerned on how this can be achieved on a technical level for batch payment transactions when potentially the batch file might contain thousands of different IBANs.

Date of submission:
Published as Final Q&A:
EBA Answer:

Article 5(3)(b) of the Commission Delegated Regulation (EU) 2018/389 states that “in relation to payment transactions for which the payer has given consent to execute a batch of remote electronic payment transactions to one or several payees, the authentication code shall be specific to the total amount of the batch of payment transactions and to the specified payees”.

In this regard, the payment service provider should dynamically link the authentication code for a batch of remote electronic payment transactions to every single payee included in that batch. In the cases where an IBAN is used for the identification of the payee, the IBAN of each payee need to be linked dynamically to the authentication code.

In addition, in line with the requirements of Article 5(1)(d) of the Delegated Regulation, it has to be assured that any modification, addition or deletion of any IBAN (or similar type of unique identifier) results in an invalidation of the authentication code.

Q&A 2019_4556 provides further details on the identification of the payee and the generation of the authentication code.

Final Q&A