--- url: 'https://www.corbado.com/faq/eba-single-rulebook-sca-clarifications' title: 'How does EBA Single Rulebook Q&A clarify SCA ambiguities?' description: 'The EBA Single Rulebook Q&A clarifies ambiguities in SCA by providing official interpretations of PSD2 compliance requirements.' lang: 'en' keywords: 'EBA Single Rulebook, SCA clarification' --- # How does EBA Single Rulebook Q&A clarify SCA ambiguities? ## How Does the EBA Single Rulebook Q\&A Clarify Ambiguities in SCA? The **European Banking Authority (EBA) Single Rulebook Q\&A** serves as an **official reference** to resolve **ambiguities in the interpretation and implementation of PSD2’s Strong Customer Authentication (SCA) requirements**. It provides **clarifications for financial institutions, payment service providers, and regulators** on how to correctly apply **Regulatory Technical Standards (RTS) for SCA**. ## Key Areas Where the EBA Single Rulebook Clarifies SCA Requirements ### 1. Defining Multi-Factor Authentication (MFA) Under PSD2 - The Q\&A specifies that **authentication factors must be independent** and meet **high security standards**. - **Clarification:** **Passkeys**, which combine **biometrics (something you are) and a hardware-based credential (something you have), are explicitly recognized as compliant with SCA.** ### 2. Exemptions and Low-Risk Transactions - The RTS outlines **specific exemptions** where SCA is not required, but some scenarios remained unclear. - **Clarification:** The EBA has provided **detailed guidance** on how **Transaction Risk Analysis (TRA) can be applied** for low-risk [payments](https://www.corbado.com/passkeys-for-payment). - **Example:** Recurring [payments](https://www.corbado.com/passkeys-for-payment) and trusted beneficiaries **may be exempt from SCA if they meet defined risk thresholds**. ### 3. Dynamic Linking Requirements for Payments - [PSD2](https://www.corbado.com/blog/psd2-passkeys) mandates **dynamic linking**, ensuring that authentication is tied to the transaction details. - **Clarification:** The Q\&A confirms that **cryptographic signatures must link the transaction amount and recipient details to the authentication process**. - **Best Practice:** **Passkeys meet this requirement** because they sign each transaction securely using **WebAuthn cryptographic methods**. ### 4. Use of Biometrics and Device-Bound Credentials - The EBA has addressed questions about whether **biometric authentication alone satisfies SCA**. - **Clarification:** Biometrics **must be combined with another authentication factor** (e.g., a secure passkey) to be SCA-compliant. - **Passkeys inherently meet this requirement** when using **platform authenticators (Face ID, Windows Hello, etc.)**. ### 5. Cross-Border and Interoperability Concerns - Many financial institutions raised concerns about how SCA should work **across different EU member states**. - **Clarification:** The EBA has specified that **SCA must be applied uniformly across the EU**, ensuring **consistent security** regardless of **where a payment is initiated**. ## How Do Passkeys Align With EBA Guidance? - **Phishing resistance**: Passkeys provide a **secure alternative** to passwords and OTPs, aligning with **EBA’s recommendations** for **strong authentication**. - **Hardware security**: Stored in **Secure Enclave (Apple), TPM (Windows), or TEE (Android)**, passkeys meet **RTS security requirements**. - **Dynamic linking**: Passkeys cryptographically sign transaction details, ensuring compliance with **EBA-mandated security measures**. ## Conclusion The **EBA Single Rulebook Q\&A clarifies** [PSD2](https://www.corbado.com/blog/psd2-passkeys)’s **SCA requirements**, ensuring that financial institutions **correctly interpret regulatory standards**. **Passkeys align with EBA’s clarifications**, offering a **compliant, secure, and user-friendly authentication method** that satisfies **multi-factor authentication, dynamic linking, and phishing resistance**. ## Read the full article