List of Q&As

Clarification of remote payment for dynamic linking

Is a SEPA Credit Transfer (SCT) transaction, whereby a user mobile phone interacts locally via Near Field Communication (NFC) with a merchant payment terminal to initiate the SCT transaction, whereby the user mobile phone does not communicate remotely over a mobile network for this purpose but whereby the payment terminal connects on-line to a payment system and handles the required strong customer authentication (SCA) through this on-line channel, considered an electronic remote payment transaction?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5247| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 12/05/2020

Transport and parking exemption for parking and electric vehicle charging

Does the transport and parking exemption under Article 12 of RTS on strong customer authentication and secure communication apply to transactions at unattended terminals for the payment of a parking fee that includes electric charging?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5224| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 29/04/2020

Elements of possession (SIM card) and knowledge (knowledge-based responses to challenges or questions)

1. Can evidence of possession (SIM card) can also be verified by reading and identifying the phone number used for the phone call?2. Can a knowledge element be based on a) transaction history of the customer; b) contact information of the customer?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5215| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 21/04/2020

Obstacles to the payment initiation service

Can the impossibility for a Third Party Provider (TPP) to add new beneficiaries for payment initiation, coupled with the impossibility to initiate payments for unregistered beneficiaries, be considered as an obstacle? Besides, as a subsequent question, are delays up to 48 hours in the registration of new beneficiaries an obstacle?

Legal act: Regulation (EU) No 575/2013 as amended by Regulation (EU) 2019/876 (CRR2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5184| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 23/03/2020

Acquisition and money remittance payment service

Can a payment institution (PI) which provides a payment service of acquiring of payment transactions for its users can provide this service without holding payment account.

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ID: 2020_5181| Topic: Authorisation and registration| Date of submission: 20/03/2020

Individual's name to return in AISP/PISP calls

Is the name returned in an Account Information Service Provider (AISP) / Payment Initiation Service Provider (PISP) call expected to be that of the Payment Service User (PSU) who has initiated the transaction with the Third Party Provide (TPP), or of the actual account owner/holder?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ID: 2020_5165| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 09/03/2020

Payment Initiation Scope and Trusted Beneficiaries

Should non-payment accounts be listed as trusted beneficiaries where they are exempted from Strong Customer Authentication (SCA) as Beneficiaries of a Payment Transaction?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5135| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 18/02/2020

SCA for staff assisted electronic channel

Please clarify where a customer is physically present and identified in branch, the strong customer authentication (SCA) requirements if that customer completes a Standing Order instruction (Setup, Amend or Cancel) or initiates a credit transfer through a staff assisted electronic channel (i.e. tablet device)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5124| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 13/02/2020

Using Trusted Beneficiary Lists to Auto Reject PISP Transactions

Is an Account Servicing Payment Service Provider (ASPSP) able to block a Payment Initiation Services Provider (PISP) transaction before attempting Strong Customer Authentication (SCA) if the beneficiary account does not appear in the Payment Services User (PSU)'s regular payee list/trusted beneficiary list?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5115| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 10/02/2020

Data breakdown on fraud by different card functions for cash withdrawals

Does the breakdown on “card payments by fraud types” in Table E of the EBA Guidelines on fraud reporting under PSD2 refer only to cards with a credit/delayed debit function?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - EBA Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)

ID: 2019_5056| Topic: Fraud reporting| Date of submission: 19/12/2019

Contingency Measures under Article 33

Does fallback access to a secondary instance of the dedicated interface in a different data center with dedicated resources, provide an acceptable strategy and plan for the contingency mechanism?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_5054| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 19/12/2019

Recording of card payments

If a card has both an e-money and non e-money function, how should a payment be recorded? Should the recording be different based on the type of the reporting institution (for example, depending on whether is an electronic money institution (EMI) or a bank)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - EBA Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)

ID: 2019_5046| Topic: Fraud reporting| Date of submission: 13/12/2019

Recording of e-money

If a card issued by an E-money institution has a cash function, how should the cash withdrawal from that card be recorded? Should it be recorded on the debit card withdrawal, as the E-money breakdown section does not include a cash withdrawal category?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - EBA Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)

ID: 2019_5044| Topic: Fraud reporting| Date of submission: 12/12/2019

Direct debts fraud reporting

In relation to the direct debits fraud, please clarify the reporting criteria for direct debit fraud.

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - EBA Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)

ID: 2019_5043| Topic: Fraud reporting| Date of submission: 12/12/2019

Reporting of PISP transactions

Should payment initiation service provider (PISP) initiated payments be reported under both Table A (1.1) and Table H (8.x)? More specifically how should these transactions be reported where the customer initiates a payment via a PISP, from their bank account, to one of their payees flagged in the bank’s online channel as “trusted beneficiaries” (Article 13 of the RTS on SCA&CSC).

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - EBA Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)

ID: 2019_5042| Topic: Fraud reporting| Date of submission: 12/12/2019

Reporting of PISP initiated payments

Is there a requirement to segregate the Payment Initiation Service Provider (PISP) initiated payments which were executed without Strong customer authentication (SCA), by the relevant availed exemption used? Or are PISP initiated payments, only required to be presented in Bulk (Value, Volume, SCA/Non-SCA)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - EBA Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)

ID: 2019_5041| Topic: Fraud reporting| Date of submission: 12/12/2019

Reporting of fraud by the acquirers

Regarding the fraud definition, could you please clarify how the following fraud examples should be classified by the acquirers

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - EBA Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)

ID: 2019_5039| Topic: Fraud reporting| Date of submission: 12/12/2019

Online foreign exchange

Does the business of foreign currency exchange-Forex require an authorisation as payment institution under PSD2, provided that: (a) the currency exchange takes place via online exchange platform; and (b) the client deposits certain base in cash or sends it by bank transfer to a bank account of the Forex company; and (c) the client receives the quote (exchanged) currency in an online client account in the platform from where the exchanged amount may be sent to a client's bank account or may be withdrawn in cash at the Forex company's offices?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ID: 2019_5019| Topic: Authorisation and registration| Date of submission: 26/11/2019

Perdite dovute a frode per portatore di responsabilità / Losses due to fraud per liability bearer

Please clarify the requirement in guideline 1.6 (b) of the EBA Guidelines on fraud reporting under PSD2 with regard to recognising losses due to fraud per liability bearer.

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/05 - EBA Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)

ID: 2019_5008| Topic: Fraud reporting| Date of submission: 19/11/2019

"push based" authentication and SCA requirements

Do "push based" authentication fall in the Strong customer authentication (SCA) requirements, based on the security risks "push authentication" poses?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4984| Topic: Strong customer authentication and common and secure communication (incl. access)| Date of submission: 05/11/2019