On 14 March 2019, the CSSF issued two circulars relating to aspects of PSD21 addressed in two sets of guidelines of the European Banking Authority ("EBA"), with which the CSSF commits to comply and which are annexed to these circulars:

  • Circular 19/712 relates to guidelines EBA/GL/2018/05, which provide details on statistical data on fraud related to different means of payment that payment service providers have to report to their competent authorities as well as on the aggregated data that competent authorities have to share with the EBA and the European Central Bank as provided by Article 105-2 (3) of the Law of 10 November 2009 on payment services, as amended ("Law"). It will be applicable as of 1 January 2020.
  • Circular 19/713 encompasses EBA guidelines EBA/GL/2017/17 on the security measures for operational and security risks of payment services as set out in Article 105-1 (2) of the Law. It became applicable with immediate effect. These guidelines provide details with regard to (i) the annual auditing requirements as regards the security measures taken, and (ii) the annual reporting requirements regarding the assessment of major operational and security risks.

In addition, on 15 March 2019, two regulations of the European Commission were published relating to the practical implementation of the PSD2 requirement imposing on EBA to develop, operate and maintain an electronic central register containing information on payment service providers in the EU Member States:

These regulations entered into force on 4 April 2019.


1. Directive (EU) 2015/2366 of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.