How does EBA Single Rulebook Q&A clarify SCA ambiguities?

The European Banking Authority (EBA) Single Rulebook Q&A serves as an official reference to resolve ambiguities in the interpretation and implementation of PSD2’s Strong Customer Authentication (SCA) requirements. It provides clarifications for financial institutions, payment service providers, and regulators on how to correctly apply Regulatory Technical Standards (RTS) for SCA.

• The Q&A specifies that authentication factors must be independent and meet high security standards.
• Clarification: Passkeys, which combine biometrics (something you are) and a hardware-based credential (something you have), are explicitly recognized as compliant with SCA.

• The RTS outlines specific exemptions where SCA is not required, but some scenarios remained unclear.
• Clarification: The EBA has provided detailed guidance on how Transaction Risk Analysis (TRA) can be applied for low-risk payments.
• Example: Recurring payments and trusted beneficiaries may be exempt from SCA if they meet defined risk thresholds.

• PSD2 mandates dynamic linking, ensuring that authentication is tied to the transaction details.
• Clarification: The Q&A confirms that cryptographic signatures must link the transaction amount and recipient details to the authentication process.
• Best Practice: Passkeys meet this requirement because they sign each transaction securely using WebAuthn cryptographic methods.

• The EBA has addressed questions about whether biometric authentication alone satisfies SCA.
• Clarification: Biometrics must be combined with another authentication factor (e.g., a secure passkey) to be SCA-compliant.
• Passkeys inherently meet this requirement when using platform authenticators (Face ID, Windows Hello, etc.).

• Many financial institutions raised concerns about how SCA should work across different EU member states.
• Clarification: The EBA has specified that SCA must be applied uniformly across the EU, ensuring consistent security regardless of where a payment is initiated.

• Phishing resistance: Passkeys provide a secure alternative to passwords and OTPs, aligning with EBA’s recommendations for strong authentication.
• Hardware security: Stored in Secure Enclave (Apple), TPM (Windows), or TEE (Android), passkeys meet RTS security requirements.
• Dynamic linking: Passkeys cryptographically sign transaction details, ensuring compliance with EBA-mandated security measures.

The EBA Single Rulebook Q&A clarifies PSD2’s SCA requirements, ensuring that financial institutions correctly interpret regulatory standards. Passkeys align with EBA’s clarifications, offering a compliant, secure, and user-friendly authentication method that satisfies multi-factor authentication, dynamic linking, and phishing resistance.