Last edited May 2023. 16 min read.
PSD2 is the principal European regulation for electronic payment services. It is the second iteration of the Payment Service Providers Directive created in 2007, and the main differences from the first one are:
Consumer protection and security in the payments market
Boost competition, innovation and expedite the development of new payment methods
These two changes immediately impacted customer authentication processes and third-party access to consumer accounts. To increase consumer protection, the regulation stipulated stronger security requirements for online transactions, introducing initiatives such as multifactor authentication (MFA).
On the competition and innovation front, the use of application programming interfaces (APIs) opens up the floodgates of access to information by third-party providers (TPPs). Given customer consent, Third-Party Payment Services Providers can access information and build new payment solutions.
The European Banking Authority (EBA) established an industry working group on APIs to identify roadblocks and challenges that emerged as the industry geared up to adopt the new regulation.
What is PSD2?
The Second Payment Services Directive, otherwise known as PSD2, is an EU Regulation. It aims to harmonise the operations of payment services in the European Economic Area (EEA).
In this article, we’ll demystify PSD2 and explain how its requirements are relevant to your business, and what actions you should take next.
PSD2 has been designed to increase competition by creating a level playing field for both banks and non-banks. It removes the monopoly banks have on the use of customer data, allowing other businesses to use that data as well, with the customer’s permission. For example, when shopping online, an e-commerce provider can retrieve a customer’s bank account data and take their payment without redirecting them to another service, such as PayPal. This creates a faster and more streamlined payment experience for the customer.
PSD2 has existed since 16 November 2015 and builds on the original Payment Services Directive (PSD), introduced in 2007. The new iteration brings important changes for businesses that take payments from customers in the EEA.
EU countries had until 13 January 2018 to incorporate it into national law.
What is the difference between Open Banking and PSD2?
Open banking was introduced by the Competition and Markets Authority, as a result of the requirements of the wider PSD2 legislation. Open banking developments were leveraged in the UK to increase competition in financial consumer markets, by allowing non-bank Payment Service Providers (PSPs) to access customer transactional data, with their consent.
The difference between open banking and PSD2 lies in how the banks open up their data to third parties. PSD2 simply requires them to do so, while open banking specifies a standard format for the process.
An example of open banking is a money management dashboard that combines multiple bank accounts for an overall picture of a person’s financial health. Open banking is also useful for lending, where customers can provide their financial information online in order to be approved for a loan more quickly.
Open banking also improves the online payment process, allowing customers to make payments directly from their bank account, which can directly authenticate the transaction.
PSD2 and Strong Customer Authentication
Under PSD2, online payments will require more stringent customer authentication for numerous kinds of transactions, including high-value and recurring payments.
This is known as Strong Customer Authentication (SCA), and it is designed to enhance customer protection.
SCA, which came into force in September 2019, is an essential feature for any merchant that accepts customer payments online from within the European Economic Area (EEA).
SCA is designed to keep customers safe online in this new era of increased openness. Previously, it was common for customers paying online to identify themselves with a username and password, but this is a cumbersome process, with users often forgetting their credentials.
To comply with the strong customer authentication requirements, payment providers need to confirm customer identity through at least two independent pieces of information. These pieces of information can be organised into three categories:
Something they own (e.g., smartphone)
Something they know (e.g., PIN code)
Something they are (e.g., fingerprint)
Previously, only one of these categories was required, typically a password. Now, for a transaction to be confirmed and accepted, at least two of the conditions must be fulfilled.
For more information on using SCA, we’ve produced a detailed guide to strong customer authentication.
Who is impacted by the PSD2, and why should you care?
If you take recurring payments from your customers, using Direct Debit (sometimes referred to as bank debit) can help you avoid these issues. A paperless Direct Debit service, which GoCardless offers, is not within the scope of SCA.
GoCardless is already fully compliant with all aspects of PSD2, so your business can process recurring payments without worrying about being in breach of the new regulations. Start taking Direct Debit payments today.
The impact of PSD2 on consumers
PSD2 was designed to improve the customer payment experience, so it should have positive implications for those who make transactions online:
Their online transactions are becoming safer and more streamlined
They have access to features that can improve their spending, budgeting, and investing habits
Integrating services that make life easier (e.g., a loan provider can instantly assess your loan suitability without the manual hassle of retrieving docs and data)
For more information on PSD2’s main benefits for consumers and businesses, we’ve produced a detailed FAQ — Frequently Asked Questions.
The impact of PSD2 on businesses
The main impact of PSD2 regulations will involve the mandatory use of SCA. This is absolutely vital if your customers pay online by credit or debit card.
Though the ‘responsibility’ to implement SCA lies with your payment service provider, you need to be aware of how SCA is likely to impact your business:
Risk of drop off: In theory, SCA aims to strengthen customer confidence in online shopping by cutting fraud. As a business, you’ll need to balance this new layer of customer security with ensuring their buying experience is as streamlined as possible. Getting the buying process right while maintaining PSD2 and SCA compliance is not always easy. Anything less than a smooth buying experience risks frustrating your customer and leading them to abandon purchases.
Shifts in chargeback liability: This shift is likely to benefit you as the merchant, especially if you use 3DS2 to meet SCA requirements. The card issuers have agreed to take on chargeback liability as an added incentive for merchants to use 3DS2. You can read more about this in our guide to 3DS2.
Added resource burden: Making changes to your payments process to accommodate SCA regulations can be burdensome for your business, as you’ll need to set aside time, money, and expertise to make sure it’s done correctly.
The impact of PSD2 on banks
PSD2 essentially asked banks to open their payment interfaces to external service providers and share all information that was previously exclusively theirs. Viewing your bank account balance is no longer a banking prerogative.
While that might seem like a negative, industry disruption is something banks can benefit from. First and foremost, it gives them the opportunity to create new revenue streams by introducing new products and services.
Banks can additionally become information centres and trusted advisors to people who want to explore open banking. As long as banks embrace the changes proposed by the directive, they have the same opportunities as any other financial provider on the market.
How are APIs important for the enforcement of PSD2? What’s their purpose?
APIs allow users to exchange data in a secure and controlled environment, which is one of the core pillars of PSD2.
Apart from transferring data and enabling the sharing of payment account information with third-party providers, APIs can also open new revenue streams, through options like integrations, payment gateways, reports, and more.
Are there any PSD2 exemptions?
PSD2 specifies some exemptions to the application of strong customer authentication (SCA) in certain situations:
Low-risk transactions
Payments below £30
Fixed-amount subscriptions
Merchant-initiated transactions
Trusted beneficiaries
Phone sales
Corporate payments
PSD2 legislation in the UK
The second Payment Services Directive is a very significant part of the ongoing banking revolution in the United Kingdom, even after Brexit. Whenever local legislators try to push for innovation and promote initiatives in the financial sector, this regulation is always strongly considered.
The main regulator in the UK is the Competition and Markets Authority (CMA). This institution is responsible for monitoring and implementing PSD2 and associated regulations.
Most of the goals of the UK’s and EU’s governments are the same, with both focusing on a competitive market for digital payments that are safer and more efficient.
The United Kingdom is one of the main open banking “players” in Europe
The UK, as the global leader in open banking innovation, has shown initiative to remain at the helm, not only from a business standpoint but also from a regulatory standpoint. There are, however, more documents of equal significance to PSD2 in the United Kingdom, whereas, in other EEA countries, it’s mostly a standalone regulation.
Even so, just as with PSD2, the UK’s own regulations require banks to share relevant data with third-party providers (TPPs), maintaining a relentless focus on personal data protection.
Revised Payment Services Directive legislation in the EU
The second Payment Services Directive has had a widespread effect not only on the whole financial market but in the daily life of every consumer in the EEA.
Primarily focused on Payment Initiation and Account Information services, both essential to digital finance, PSD2 demands better data security and transaction transparency.
There are a few basic concepts that can help us better understand open banking and the way it's intended to be implemented. They refer to the parties involved in this process, as well as mechanisms that manage their interactions:
What are Account Information Services Providers (AISP)?
Account Information Services (AIS) are foundational to PSD2, enabling businesses and consumers to share their data with third-party providers. AIS is primarily used for dissecting, analysing, and exploring data sets, such as transactions, balances, direct debits, and standing orders, to provide valuable and actionable financial insights.
Account Information Service Providers (AISPs) offer online services which can provide a consolidated view of a consumer’s payment accounts, focusing on aggregating personal financial information. Storing all these data in one unified place helps simplify tasks like budgeting, expense tracking or suggestions on how to save money.
What are Payment Initiation Services Providers (PISP)?
On the opposite side of the spectrum, Payment Initiation Services (PIS) are what we know as online payments: the process of entering our banking credentials to complete a purchase.
Although payment initiation services already existed before the PSD2 Directive came into full effect, the directive has opened up the competition playing field. Banks are obliged to open their customers’ data up to third parties upon customer request, meaning PIS can be utilized by more market participants.
These new players act as intermediaries between financial institutions and merchants, allowing the issuance of direct transfers given that authorization by customers has been granted. Payment Initiation Service Providers (PISP) initiate payment transactions at the request of the consumer from an account held by the consumer at another payment service provider.
Third-party providers have to comply with strict requirements on how transactions can be authorised. These regulations are often described as a limitation to innovation but are paramount to ensuring that open banking remains safe.
PSD2 and GDPR: how do they work together?
The General Data Protection Regulation (GDPR) came into effect in the spring of 2018, at about the same time as the PSD2. The financial industry has been struggling, ever since, with questions about the interplay between these two regulatory measures.
Both GDPR and PSD2 provide a statutory and regulatory framework for PSPs offering payment services in the EU or EEA. Together, they guarantee the basic principles for data protection and transparency, while also ensuring the successful operation of businesses.
In short, PSD2 has the ultimate goal of opening financial data, whilst GDPR aims to protect and secure consumer personal data. This allows end users to better understand and control the information flow and the purpose of its usage.
The main point of convergence between the two sets of regulations is the emphasis on individual consent.
Example of how PSD2 and GDPR work together
If, for instance, a customer asks for their Personally Identifiable Information (PII) to be shared with a third party, PSD2 forces TPPs to share that information. On the other hand, if a customer wishes to have their PII deleted, GDPR obliges them to abide by this request.
There is also the possibility of penalties for not complying with the aforementioned legislation. Failure to comply with PSD2 and GDPR can lead to hefty fines.
When the rules of GDPR are breached, fines can go up to €10M, or 2% of global turnover. This might seem insignificant, but we have to keep in mind that some multinational companies have billions of euros in revenue per year.
PSD2 fines can be less brutal and depend solely upon the Member States and their penalty definitions — resulting in a fine-free policy in some circumstances.
Financial institutions should, nevertheless, define a clear path of action in order to become compliant with both regulations. Doing so will also allow them to avoid any conflicts between PSD2 and GDPR and prevent any impediment to innovation.
Important points of action that companies should take into consideration
Precise automated decisions: ensure that there is no profiling, as GDPR prohibits it. Moreover, be prepared to justify any automated action in case of consumer inquiries
Oversee Data Protection Impact Assessment (DPIA)
Ensure that new services have an integrated data protection protocol
Be assured that it is possible to delete all consumer data on request
PSD2 QWAC: a certificate to rule them all
QWAC is an abbreviation for Qualified Website Authentication Certificate, a digital certificate that belongs to the family of qualified trust services defined in the eIDAS Regulation (Electronic Identification and Trust Services).
According to the eIDAS Regulation, trust services are usually delivered by Trust Service Providers (TSPs). This includes, but is not limited to:
Electronic signatures
Various seals
Time stamps
Website authentication data
Delivery services
QWACs are employed to guarantee proper authentication between a website and a legally-bound entity. If a website displays a QWAC, this signals that it is legitimate.
This QWAC ensures sensitive data encryption and the identification of PSPs or other financial institutions, as well as their compliance with PSD2 rules.
According to PSD2’s Regulatory Technical Standards (RTS), QWAC certificates are used to support the PSP’s identity and secure communication paths.
As previously mentioned, QWACs are used in two ways: to verify the identity of the involved parties and to confirm that the communication is protected with Transport Layer Security (TLS) encryption.
The standards applied by QWAC are somewhat based on the CA/Browser Forum’s standard for Extended Validation (EV) certificates. EV implements high-assurance identity vetting procedures and is therefore considered to be the most distinguished form of assurance for consumers.
Payment Service Providers should buy QWAC certificates only from eIDAS-qualified Trust Service Providers. Before issuing the certificate, the TSP will confirm the applicant’s licence information with the National Competent Authority (NCA).
QWAC certification is required for all Member States of the European Union and has the potential to disrupt the payment services ecosystem by introducing an extra layer of security on top of all of those brought about by PSD2.
How do you get a PSD2 licence?
The revised Payment Services Directive is one of the most important legislative documents in the European finance industry, covering the ins and outs of online payments and financial account data security.
The document outlines the general principles of good practices in the modern financial industry. It also provides clarification about the requirements that have to be met in order to obtain a licence that allows companies to develop FinTech solutions and register as Account Information Service Providers (AISPs).
These requirements, as well as the PSD2 licence application as a whole, are very demanding. Besides the regular forms containing basic info (corporate name, website, address, etc.), there are a lot of other documents that are requested, including business plans and financial information.
PSD2 licence is obtained from the corresponding regulatory authority, usually the European Central Bank. This regulator can also be a local institution working in the name or under the ECB’s authority.
The first step towards getting a licence to operate in the open banking space is to get your company familiar with the requirements. The regulatory environment is ever-changing, so your team has to be ready to find solutions to meet the latest requirements.
It is very important that you always maintain close contact with your domestic regulator to discuss legislation and ask for help whenever it is needed.
PSD2 licensing process in 4 steps
Filling out the necessary forms
Meeting the regulators
Adjusting documents and forms according to notes and comments by the regulator
Once all doubts and questions have been answered, a licence should be issued
PSD2 licence cost and other requirements
The process of getting a PSD2 licence is challenging — to prepare every single document and be fully compliant with regulatory demands, there is a lot of preparation involved.
The total cost of a PSD2 licence isn’t fixed, as regulators often don’t charge a fee. However, legal advice, consultation fees and other related expenses can add up to a hefty sum.
Since we are talking about a very complex process, there are a lot of moving parts capable of influencing the end result. Obtaining the licence isn’t easy or cheap, but if you meet all the PSD2 licence requirements and draft a solid plan to develop and implement a service, you will most likely succeed without any major obstacles.
PSD2 licensing in Europe
If you know what a PSD2 licence is, you are probably aware that the verification process and the whole licensing procedure can take quite a while. This helps prevent issuing licences to unqualified organisations and works as an added security layer for consumers.
In the European Economic Area, PSD2 licence grants are dominated by the UK. In the European Union, countries like Germany, France, and the Netherlands are leading the pack, followed by the Baltic States and Nordic countries.
Current statistics on the number of licences issued in each EU and EEA country show that you can start a PISP, AISP or any other open banking-related business anywhere.
There are, nonetheless, a few countries where you can meet the most accommodating legislators and the ideal conditions for starting and developing such a business:
UK
Germany
France
Netherlands
Malta
Lithuania
Following this process, companies still have to implement the strategy and execute the business plan. Also, regulations may change after approval and licensing, which means that teams have to continuously be aware of their environment.
Here are the main challenges that you may face after your business is successfully licensed:
Security risk management framework
Anti-money laundering and counter-terrorist financing (KYC)
Governance
Delegation of certain duties
PSD2 regulation: critical but challenging
There are some challenges to enforcing such a complex set of rules. Some of them occurred before, during, or even after the implementation and transition to PSD2.
Below, you will find how these challenges have an impact on every party involved, from the customer to the developers:
Customers: new and innovative technologies always face a certain degree of resistance. Besides, not all apps have a user-friendly interface, and sometimes users have different personal preferences from the ones who developed the platforms.
Legislators: the main challenge for them is to retain the perfect balance between the customers’ best interest and not disabling businesses’ drive for innovation. Regulations should be relevant without being too restrictive, always with personal data protection in mind.
Banks: legacy financial institutions face pressure from legislators and emerging competitors. They also need to work closely with developers in order to stay ahead of the curve, allowing them to improve their image and services portfolio.
Developers: APIs have to be developed with the customers’ needs in mind but must also comply with existing regulations. This fine line is not always easy to navigate, especially when the need to create user-friendly and faster software is essential.
PSD2 Fraud: identifying and reporting potential threats
While the majority of PSD2 changes are set to make the banking and finance industries more secure, they also require financial institutions to open up their data and implement new technologies, two things that might open the door to potential abuse.
The exchange of relevant information between legacy financial institutions and other service providers cannot happen without the risk of fraud.
To boost security and lower overall fraud risk in the financial industry, PSD2 upgrades the protection of consumers through Strong Customer Authentication (SCA). In addition to SCA, the revised Payment Services Directive also demands all payment service providers include an additional requirement known as dynamic linking. Dynamic linking connects each transaction to its value and its recipient.
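The two requirements above, SCA across at least two of the three factor categories (as listed earlier under Strong Customer Authentication) and dynamic linking of the authentication to the amount and payee, as an added Python example that is not part of the original article: the factor-to-category mapping, the HMAC-SHA256 construction, the 6-digit code format and the sample IBANs are our own illustrative assumptions, not a format mandated by PSD2.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

# Assumption: this mapping of factor types to SCA categories is ours, chosen
# to illustrate the three categories; a real PSP would classify its own factors.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "registered_device": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}
CODE_DIGITS = 6  # assumption: length of the code shown to the payer


def sca_satisfied(verified_factors):
    """True only if the verified factors span at least two distinct categories.

    Two factors from the same category (password + PIN) are both "knowledge"
    and therefore do not satisfy SCA, however many of them are checked."""
    categories = set()
    for factor in verified_factors:
        if factor not in FACTOR_CATEGORY:
            raise ValueError(f"unknown authentication factor: {factor}")
        categories.add(FACTOR_CATEGORY[factor])
    return len(categories) >= 2


def _linking_payload(amount, payee, nonce):
    # Canonical encoding: fixed two-decimal amount; '|' cannot occur in an IBAN.
    return f"{Decimal(amount):.2f}|{payee}|{nonce}".encode()


def _code_from_mac(mac):
    # Truncate the MAC to a short numeric code the payer can read and confirm.
    value = int.from_bytes(mac[:4], "big") % 10 ** CODE_DIGITS
    return f"{value:0{CODE_DIGITS}d}"


def issue_authentication_code(key, amount, payee, nonce=None):
    """Dynamic linking: derive the code the payer confirms from the exact
    amount and payee, plus a fresh nonce so a code can never be replayed."""
    nonce = nonce or secrets.token_hex(8)
    mac = hmac.new(key, _linking_payload(amount, payee, nonce), hashlib.sha256).digest()
    return nonce, _code_from_mac(mac)


def verify_authentication_code(key, amount, payee, nonce, code):
    """Recompute the code for the transaction actually submitted for execution.

    If the amount or payee was altered after the payer authenticated (for
    example by malware in the browser), the recomputed code will not match."""
    mac = hmac.new(key, _linking_payload(amount, payee, nonce), hashlib.sha256).digest()
    return hmac.compare_digest(_code_from_mac(mac), code)


def authorise_payment(key, verified_factors, amount, payee, nonce, code):
    """Apply both requirements: SCA categories first, then dynamic linking."""
    if not sca_satisfied(verified_factors):
        return "rejected: fewer than two SCA categories"
    if not verify_authentication_code(key, amount, payee, nonce, code):
        return "rejected: code not linked to this amount and payee"
    return "approved"
```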
Even though PSD2 sets advanced security requirements, there is always a possibility of fraud regarding digital transactions. For this reason, the rules also demand that all payment service providers continuously report fraud data on means of payments to their national regulatory authorities.
To address these risks as quickly and effectively as possible, banks should partner with experienced security providers and educate their customers on these changes and how they can affect them.
Open banking will only get more important as time goes on, so it is strongly advised that institutions incentivise their customers to keep their contact information up to date and make strong passwords mandatory.
Fraud monitoring: tools and mechanisms provided by the PSD2
To evaluate risk in real time and deal with potential abuse, regulators have introduced some tools and mechanisms that are designed to diminish the risk of fraud and improve consumer trust in online payments.
Fraud monitoring tools serve as the primary way of detecting and countering fraudulent activity. They are part of the Regulatory Technical Standards on SCA, which mandate mechanisms that enable Payment Service Providers (PSPs) to detect and prevent unauthorised or fraudulent payment transactions.
In the past, these tools used to be simple to control, but also introduced a few functions that required manual labour. As technology improved, however, fraud analysis became more complex yet agile and user-friendly.
Automated processes now make this type of assessment more dynamic and can combine multiple solutions simultaneously to create extensive fraud monitoring capabilities.
Transaction monitoring mechanisms in PSD2
Transaction monitoring mechanisms are a part of the process of analysing payment transactions, which have to meet regulations and requirements in order to successfully implement the authentication parameters.
The standards set out minimum mechanisms that must be implemented, which include at least these five:
Investigation to determine whether there are any compromised or hijacked authentication components
Application and examination of established fraud scenarios
Screening process against malware in the device used for authentication
Divergences in the payment amount
Analysis of the access device or software, where the Payment Service Provider (PSP) provides it for authentication
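An added Python example, not code from the original article, of a rule-based monitor covering the five mechanisms listed above; the thresholds, the new-payee burst used as the "known fraud scenario", the record layout and the sample transactions are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed reference data a PSP might keep (layout and values are ours).
COMPROMISED_ELEMENTS = {"device:DEV-0042", "token:TOK-7781"}  # reported lost/stolen
NEW_PAYEE_WINDOW = timedelta(minutes=10)   # assumption: burst window
NEW_PAYEE_LIMIT = 3                        # assumption: new payees per window
AMOUNT_DIVERGENCE_FACTOR = 5               # assumption: multiple of the payer's median
BLOCKING_SIGNALS = {"compromised_auth_element", "malware_in_session"}


def monitor_transaction(tx, history, session):
    """Return the risk signals raised for one payment.

    tx and each history entry: {"amount", "payee", "auth_element", "device", "timestamp"}
    history: the payer's earlier transactions, oldest first
    session: {"malware_detected": bool, "psp_device_log": set of device ids or None}
    """
    signals = []

    # 1. Compromised or hijacked authentication elements.
    if tx["auth_element"] in COMPROMISED_ELEMENTS:
        signals.append("compromised_auth_element")

    # 2. Divergence of the amount from the payer's usual transaction size.
    past_amounts = [h["amount"] for h in history]
    if past_amounts and tx["amount"] > AMOUNT_DIVERGENCE_FACTOR * median(past_amounts):
        signals.append("amount_divergence")

    # 3. Known fraud scenario: a burst of payments to payees never paid before
    #    (typical of an account takeover draining funds to fresh accounts).
    cutoff = tx["timestamp"] - NEW_PAYEE_WINDOW
    established = {h["payee"] for h in history if h["timestamp"] < cutoff}
    recent = [h for h in history if h["timestamp"] >= cutoff] + [tx]
    new_payees = {h["payee"] for h in recent if h["payee"] not in established}
    if len(new_payees) >= NEW_PAYEE_LIMIT:
        signals.append("known_fraud_scenario:new_payee_burst")

    # 4. Signs of malware in the session used for authentication.
    if session.get("malware_detected"):
        signals.append("malware_in_session")

    # 5. Where the PSP issued the device/software, check it against the usage log.
    device_log = session.get("psp_device_log")
    if device_log is not None and tx["device"] not in device_log:
        signals.append("unrecognised_psp_device")

    return signals


def decide(signals):
    """Map signals to an outcome: block outright, require a fresh SCA, or allow."""
    if BLOCKING_SIGNALS & set(signals):
        return "block"
    if signals:
        return "step_up"
    return "allow"


# Constructed sample data for one payer.
T0 = datetime(2023, 5, 2, 9, 0)


def _h(amount, payee, age):
    return {"amount": amount, "payee": payee, "auth_element": "device:DEV-0001",
            "device": "DEV-0001", "timestamp": T0 - age}


SAMPLE_HISTORY = [
    _h(40.0, "GROCER-1", timedelta(days=20)),
    _h(55.0, "UTILITY-7", timedelta(days=10)),
    _h(30.0, "GROCER-1", timedelta(days=3)),
    _h(120.0, "PAYEE-A", timedelta(minutes=6)),   # start of a burst of new payees
    _h(150.0, "PAYEE-B", timedelta(minutes=3)),
]
SESSION = {"malware_detected": False, "psp_device_log": {"DEV-0001"}}
SUSPECT_TX = {"amount": 900.0, "payee": "PAYEE-C", "auth_element": "device:DEV-0042",
              "device": "DEV-0042", "timestamp": T0}
NORMAL_TX = {"amount": 45.0, "payee": "GROCER-1", "auth_element": "device:DEV-0001",
             "device": "DEV-0001", "timestamp": T0}

if __name__ == "__main__":
    for label, tx in (("suspect", SUSPECT_TX), ("normal", NORMAL_TX)):
        raised = monitor_transaction(tx, SAMPLE_HISTORY, SESSION)
        print(label, decide(raised), raised)
```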
Transaction monitoring vs transaction risk analysis
Transaction monitoring is often confused with transaction risk analysis. In the scope of PSD2, transaction monitoring embraces the aforementioned scrutiny and is a legally mandatory process to maintain SCA.
On the other hand, transaction risk analysis entails a comprehensive risk evaluation in real-time. Its scope is much broader than transaction monitoring, emphasising more risk aspects.
Fraud reporting: guidelines under the PSD2
The guidelines for fraud reporting in open banking were developed in collaboration with the European Central Bank and released by the European Banking Authority in July 2018 (article 96(6) of the PSD2).
These guidelines require payment service providers in the European Union (EU) and European Economic Area (EEA) to meet certain regulations regarding fraud reporting. The same is valid for the Member States’ competent authorities.
Payment service providers have to collect and provide statistical data on both valid and fraudulent transactions and do so by using consistent methodology, definitions, and data breakdowns. The collected information must then be reported to competent authorities.
After that, competent authorities have to deliver this data in an aggregated form to the European Central Bank and European Banking Authority. It is worth mentioning that competent authorities have to report data on fraudulent payments without ruling out any specific types of payment service providers.
However, payment service providers that can only access and consolidate information from different consumers’ payment accounts are excluded from the PSD2 fraud reporting requirement since they cannot deliver any data on fraudulent transactions.
What is considered a fraudulent payment under the PSD2?
Guidelines on fraud reporting require payment service providers to deliver information not only on the number and amount of all payment transactions but also on the number and amount of fraudulent transactions made on an annual or semi-annual basis.
You can find below a description of fraudulent payments that may result in consumers’ loss of funds, personal information, or personal property:
Unauthorised payment transactions executed as a result of loss, theft, or misappropriation of payment information
Payment transactions resulting from manipulation of the payer when the fraudster scams and uses the payer to initiate a payment, or give instruction to issue a payment transfer by the financial services provider
The accuracy of the provided data is guaranteed by the fact that PSD2 requires payment service providers to report only those fraudulent transactions that have already been executed and resulted in a transfer of funds.
PSPs also have to exclude fraudulent transactions that were blocked before their execution due to suspicion of fraud and refrain from reporting fraudulent transactions made by the payment service user.
In order to comply with PSD2 fraud reporting requirements, financial service providers must adopt appropriate measures to be able to detect when payment service users are potentially being deceived by fraudsters.
How to report fraud under the PSD2
PSD2 guidelines for fraud reporting determine two categories of fraudulent transactions: unauthorised transactions and transactions resulting from the manipulation of the payer by the fraudster.
These categories must be further divided depending on the following features:
Type of payment services: money remittance services, payment initiation services, debit or credit card-based payment services.
Payment instrument: e-money or card.
Relevant reporting payment service provider: both the card issuer and the merchant (or third-party responsible for processing the transaction) can report any suspicion of fraudulent activities.
These categories can be further divided depending on the payment channel or authentication method, for example.
Also, guidelines for fraud reporting under PSD2 require payment service providers to deliver transaction data following the geographical breakdown. In other words, payment service providers must indicate whether the fraudulent transaction is one of the following:
Domestic transaction: when the payment initiation service provider and the account servicing payment service are located in the same country of the EEA.
Cross-border transaction within the EEA: when the payment initiation service provider and the account servicing payment service provider are located in different countries of the EEA.
Cross-border transaction outside the EEA: when the payment initiation service provider is from the EEA and the account servicing payment service provider is outside the EEA.
Finally, when carrying out fraud reporting under PSD2, PSPs should report separate losses due to fraud for the service provider, the payment service user (the payer), other institutions, and total losses for all parties affected by the fraudulent transactions.
To maintain compliance with the guidelines on reporting fraud under the PSD2, payment service providers must deliver statistical data on fraudulent transactions every six months.
The requirement to carry out fraud reporting on a semi-annual basis is exempted for small payment institutions and e-money institutions. These payment service providers have to provide data on fraud annually, with a semi-annual breakdown.
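An added Python example, not part of the original article or of the EBA's reporting templates, that aggregates a PISP's fraud report using the exclusions and breakdowns described above; the record layout, the loss split and the sample transactions are constructed, and the EEA country set is assumed to be the EU-27 plus Iceland, Liechtenstein and Norway.

```python
from collections import defaultdict
from decimal import Decimal

# Assumption: EU-27 plus Iceland, Liechtenstein and Norway.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}
FRAUD_TYPES = {"unauthorised", "manipulation_of_payer"}
LOSS_PARTIES = ("service_provider", "payment_service_user", "other")


def geographic_breakdown(pisp_country, aspsp_country):
    """Classify a transaction by where the PISP and the account-servicing PSP sit."""
    if pisp_country not in EEA:
        raise ValueError("the reporting PISP must be established in the EEA")
    if aspsp_country == pisp_country:
        return "domestic"
    if aspsp_country in EEA:
        return "cross_border_eea"
    return "cross_border_outside_eea"


def reportable(tx):
    """Only executed fraud counts; blocked attempts and fraud committed by the
    payment service user themselves are left out of the report."""
    return tx["fraudulent"] and tx["executed"] and not tx["fraud_by_psu"]


def build_fraud_report(transactions, pisp_country):
    """Aggregate one reporting period into counts, amounts and losses.

    Each transaction: {"amount": Decimal, "aspsp_country": str, "fraudulent": bool,
    "executed": bool, "fraud_by_psu": bool, "fraud_type": str or None,
    "loss": {party: Decimal}}  (constructed layout, not the EBA template)
    """
    all_tx = {"count": 0, "amount": Decimal("0")}
    fraud = defaultdict(lambda: {"count": 0, "amount": Decimal("0")})
    losses = {party: Decimal("0") for party in LOSS_PARTIES}
    for tx in transactions:
        all_tx["count"] += 1
        all_tx["amount"] += tx["amount"]
        if not reportable(tx):
            continue
        if tx["fraud_type"] not in FRAUD_TYPES:
            raise ValueError(f"unknown fraud type: {tx['fraud_type']}")
        key = (tx["fraud_type"], geographic_breakdown(pisp_country, tx["aspsp_country"]))
        fraud[key]["count"] += 1
        fraud[key]["amount"] += tx["amount"]
        for party, loss in tx.get("loss", {}).items():
            losses[party] += loss
    losses["total"] = sum(losses[party] for party in LOSS_PARTIES)
    return {"all_transactions": all_tx, "fraud": dict(fraud), "losses": losses}


def _tx(amount, aspsp, fraud_type=None, executed=True, fraud_by_psu=False, loss=None):
    return {"amount": Decimal(amount), "aspsp_country": aspsp,
            "fraudulent": fraud_type is not None, "executed": executed,
            "fraud_by_psu": fraud_by_psu, "fraud_type": fraud_type,
            "loss": {k: Decimal(v) for k, v in (loss or {}).items()}}


# Constructed sample period for a PISP established in Germany.
SAMPLE_TRANSACTIONS = [
    _tx("100.00", "DE"),                                                      # legitimate
    _tx("250.00", "DE", "unauthorised", loss={"service_provider": "250.00"}),
    _tx("80.00", "FR", "manipulation_of_payer", loss={"payment_service_user": "80.00"}),
    _tx("500.00", "US", "unauthorised", loss={"service_provider": "200.00", "other": "300.00"}),
    _tx("900.00", "DE", "unauthorised", executed=False),                      # blocked: not reported
    _tx("60.00", "DE", "manipulation_of_payer", fraud_by_psu=True),           # first-party: not reported
]
```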
PSD2 insurance: Professional Indemnity Insurance (PII)
Both AISPs and PISPs must be able to meet their liabilities to consumers and banks resulting from the provision of their services. In order to cover potential liabilities, PSD2 demands that both AISPs and PISPs hold Professional Indemnity Insurance (PII).
The European Banking Authority issues guidance on what the PII must address to be suitable for third-party providers. AISPs have to hold insurance that covers any liabilities that may result from unauthorised or fraudulent access or use of a customer’s payment account information.
On the other hand, under PSD2, PISPs must guarantee the coverage of liabilities arising from unauthorised payment transactions, non-execution and defective or late execution of payment transactions.
The European Banking Authority provides a formula for calculating the minimum monetary amount of the PII, based on a few criteria:
Number of payment transactions authorised or payment accounts accessed
Range of business activities undertaken
Number of clients or amount of transactions in a given period
Professional Indemnity PSD2 Insurance is therefore crucial for both AISPs and PISPs, as it protects third parties against claims for alleged negligence or breach of duty that may arise from an act, error, or omission.
The PII does not, however, cover liability towards a third party who has suffered loss or expenses resulting from a cyberattack or theft.
With this in mind, it is important that AISPs and PISPs consider a broader insurance programme combined with the PII coverage that is provided by the revised Payment Services Directive.