How does EBA Single Rulebook Q&A clarify SCA ambiguities?

Q: How does the EBA Single Rulebook Q&A clarify ambiguities in SCA?

The EBA Single Rulebook Q&A provides official interpretations of PSD2's SCA requirements, clarifying multi-factor authentication rules, exemptions for low-risk transactions, dynamic linking obligations, and the role of biometrics. It ensures consistent application across the EU, confirming that passkeys, which use phishing-resistant authentication and cryptographic signatures, are compliant with RTS standards.

Want to learn how top banks deploy passkeys? Get our +90-page Banking Passkeys Report (incl. ROI insights). Trusted by JPMC, UBS & QNB.

Get Report

How Does the EBA Single Rulebook Q&A Clarify Ambiguities in SCA?#

The European Banking Authority (EBA) Single Rulebook Q&A serves as an official reference to resolve ambiguities in the interpretation and implementation of PSD2’s Strong Customer Authentication (SCA) requirements. It provides clarifications for financial institutions, payment service providers, and regulators on how to correctly apply Regulatory Technical Standards (RTS) for SCA.

Key Areas Where the EBA Single Rulebook Clarifies SCA Requirements#

1. Defining Multi-Factor Authentication (MFA) Under PSD2#

The Q&A specifies that authentication factors must be independent and meet high security standards.
Clarification: Passkeys, which combine biometrics (something you are) and a hardware-based credential (something you have), are explicitly recognized as compliant with SCA.

2. Exemptions and Low-Risk Transactions#

The RTS outlines specific exemptions where SCA is not required, but some scenarios remained unclear.
Clarification: The EBA has provided detailed guidance on how Transaction Risk Analysis (TRA) can be applied for low-risk payments.
Example: Recurring payments and trusted beneficiaries may be exempt from SCA if they meet defined risk thresholds.

3. Dynamic Linking Requirements for Payments#

PSD2 mandates dynamic linking, ensuring that authentication is tied to the transaction details.
Clarification: The Q&A confirms that cryptographic signatures must link the transaction amount and recipient details to the authentication process.
Best Practice: Passkeys meet this requirement because they sign each transaction securely using WebAuthn cryptographic methods.

+70-page Enterprise Passkey Whitepaper:
Learn how leaders get +80% passkey adoption. Trusted by Rakuten, Klarna & Oracle

Get free Whitepaper

4. Use of Biometrics and Device-Bound Credentials#

The EBA has addressed questions about whether biometric authentication alone satisfies SCA.
Clarification: Biometrics must be combined with another authentication factor (e.g., a secure passkey) to be SCA-compliant.
Passkeys inherently meet this requirement when using platform authenticators (Face ID, Windows Hello, etc.).

5. Cross-Border and Interoperability Concerns#

Many financial institutions raised concerns about how SCA should work across different EU member states.
Clarification: The EBA has specified that SCA must be applied uniformly across the EU, ensuring consistent security regardless of where a payment is initiated.

How Do Passkeys Align With EBA Guidance?#

Phishing resistance: Passkeys provide a secure alternative to passwords and OTPs, aligning with EBA’s recommendations for strong authentication.
Hardware security: Stored in Secure Enclave (Apple), TPM (Windows), or TEE (Android), passkeys meet RTS security requirements.
Dynamic linking: Passkeys cryptographically sign transaction details, ensuring compliance with EBA-mandated security measures.

Conclusion#

The EBA Single Rulebook Q&A clarifies PSD2’s SCA requirements, ensuring that financial institutions correctly interpret regulatory standards. Passkeys align with EBA’s clarifications, offering a compliant, secure, and user-friendly authentication method that satisfies multi-factor authentication, dynamic linking, and phishing resistance.