obOpen Banking Lab
GlossarySTETBlogContact
Regulation

EBA

European Banking Authority

The European Banking Authority. It writes the technical standards (RTS) and guidelines that every bank and fintech in the EEA must apply.

See also:ACPRBanque de FranceCommission EuropéenneASPSPTPP

Definition

The EBA (European Banking Authority) is the European banking authority, based in Paris since 2019.

When it comes to DSP2, it is the body that drafts the technical standards (RTS, Regulatory Technical Standards) and the guidelines that all European players — banks, fintechs, TPPs — must apply to become compliant.

EBA, ACPR, Commission: three distinct jobs

  • European Commission — writes the directives, the framework law (DSP2, DSP3, FIDA).
  • EBA — translates them into binding technical standards (RTS) and best practices (guidelines).
  • ACPR — enforces them in France: licensing of PSPs, supervision, sanctions.

In other words: the Commission decides, the EBA specifies, the ACPR enforces.

What the EBA produces for DSP2

  • RTS-SCA (September 2019): Strong Customer Authentication rules (3DS2, exemptions, dynamic linking).
  • Guidelines on fraud, fallback and API availability (monthly uptime target).
  • Central PSP register (EBA Register): the reference database for checking that a TPP is licensed.
  • Opinions and advice: interpretation of use cases (mobile, expected behaviour during an API outage).

What the EBA does not do

  • It does not grant licences: that is each national authority (ACPR, BaFin, FCA).
  • It does not directly sanction PSPs: it flags and recommends, the sanction falls to the national regulator.
  • It does not make the law: it operationalises the directives, it does not propose them.

In the PSD2 ecosystem

The EBA is the European technical referee: banks and TPPs rely on its publications to know "how" to comply, and on its register to verify that a partner is licensed.

Concrete examples

  • Checking a TPP: before onboarding a partner (Bridge, Tink, Fintecture), you consult the EBA Register to confirm its status and its European passport.
  • Choosing an SCA method: the EBA spells out the exemption conditions (low amount, recurring payment, trusted beneficiary), useful for optimising a checkout.
  • Anticipating DSP3 / FIDA: its opinions and discussion papers foreshadow the next generation of rules — the best source for understanding which way the wind is blowing.
  • Fraud reporting: PSPs' quarterly fraud reporting is set by its guidelines — a point of vigilance for any scaling fintech.

Sources

Back to glossary