PSD2 is the principal European regulation for electronic payment services. It is the second iteration of the Payment Service Providers Directive created in 2007, and its main differences from the first one are:
- Increase consumer protection and security in the payments market
- Boost competition and innovation, and expedite the development of new payment methods
These two changes immediately affect customer authentication processes and third-party access to consumer accounts. To increase consumer protection, the regulation mandates stronger requirements for online transactions, introducing initiatives such as multifactor authentication (MFA).
On the competition and innovation front, the use of application programming interfaces (APIs) opens the floodgates of access to information for third-party providers. Given customer consent, Third-Party Payment Services Providers (TPPs) can access information and build new payment solutions.
The European Banking Authority (EBA) established an industry working group on Application Programming Interfaces to identify roadblocks and challenges that emerged as the industry was gearing up to adopt the new regulation.
Now, let’s do some housekeeping and define a few terms that are frequently used in the PSD2 regulation. Two new types of TPPs have been defined:
What are Payment Initiation Services Providers (PISP)?
Payment Initiation Services (PIS) is what we know as online payments. It’s the process of inserting our banking credentials to complete a purchase. What’s the relationship between PIS and PSD2, you might ask?
Although payment initiation services already existed before the PSD2 Directive came into full effect, the directive has opened up the competition playing field. Banks are obliged to open their customers’ data up to third parties, upon customer request, meaning PIS can be utilized by more market participants.
These new players act as intermediaries between financial institutions and merchants and allow the issuance of direct transfers given that authorization by customers has been granted. Payment Initiation Service Providers (PISP) initiate payment transactions at the request of the consumer from an account held by the consumer at another payment service provider.
What are Account Information Services Providers (AISP)?
Account Information Services (AIS) are one of PSD2’s foundational pieces, enabling businesses and consumers to share their data with third-party providers. AIS is primarily used for dissecting, analysing, and exploring data sets such as transactions, balances, direct debits, and standing orders, to provide valuable and actionable financial insights.
Account Information Service Providers (AISP) offer online services which can provide a consolidated view of a consumer’s payment accounts.
How are APIs important for the enforcement of PSD2? What’s their purpose?
Application programming interfaces (APIs) allow users to exchange data in a secure and controlled environment, which is one of the core pillars of the PSD2. Apart from the obvious functionality of transferring data and enabling the sharing of payment account information between third-party providers, they can also be a way to create new revenue streams.
They open doors for options like integrations, payment gateways, reports, and more.
PSD2 regulation timeline
The PSD regulation dates back to 2007, and what started as a proposal is nowadays the law governing e-commerce in Europe.
- November 2007: The Payment Service Providers Directive (PSD) came into place, seeking to create a single payment market in the European Union to promote innovation, competition, and efficiency in the EU.
- July 2013: The European Commission publishes its proposal to create the second PSD.
- October 2015: The European Parliament approves the European Commission's proposal to create a new directive regarding safer and more innovative payment services.
- November 2015: The European Parliament agrees to adopt PSD2 and obligates all member states to incorporate the new directive into national regulations by January 2018.
- December 2015: The final version is published in the Official Journal of the European Union.
- January 2016: PSD2 comes into force, and member states begin the implementation of the new directive into their national laws.
- August to October 2016: The European Banking Authority consults on the preliminary version of Regulatory Technical Standards, also known as RTS, regarding strong customer authentication and secure and common communications, or so-called SCA & CSA.
- February 2017: The European Banking Authority finalizes and publishes the preliminary version of RTS - SCA & CSA.
- December 2017: The European Commission approves and adopts the final version of RTS on strong customer authentication and secure and common communications.
- Throughout 2017: The European Banking Authority finalizes other guidelines required to fully implement PSD2.
- January 2018: PSD2 applies to all member states of the EU.
- March 2018: The final version of RTS on SCA & CSA is published in the Official Journal of the European Union.
- September 2019: PSD2 goes into full effect as a definitive version of RTS on strong customer authentication and secure and common communications finally comes into force. However, due to delays in technical requirements, the European Banking Authority extends the deadline for PSD2 compliance to December 31, 2020.
- December 31, 2020: PSD2 officially becomes the law governing e-commerce in Europe. All member states fully comply with PSD2, except the Brexit-bound UK, which delays PSD2 compliance until March 2021 for online banking and September 2021 for online shopping.
- September 2021: The UK's Financial Conduct Authority extends the deadline for full SCA compliance regarding e-commerce transactions until March 2022.
Who is affected by the PSD2, and why should you care?
We know what PSD2 is, and the goal and thinking behind it, but the real question is how banks, businesses, and consumers are affected by it. Let’s have a quick look:
PSD2 essentially asked banks to open their payment interfaces to external service providers and share all information that was previously exclusive to them. Viewing your bank account balance is no longer a banking prerogative.
While that might seem like a negative, the industry disruption is something banks can benefit from. First and foremost, it gives them the opportunity to create new revenue streams by introducing new products and services.
What’s more, banks can become information centres and trusted advisors to people who want to explore the new open banking reality. As long as banks embrace the changes proposed by the directive, they have the same opportunities as any other financial provider on the market.
Consumers are the obvious winners of the PSD2 introduction.
- Their online transactions are becoming safer and more streamlined
- They have access to features that can improve their spending, budgeting, and investing habits
- They can integrate services that make life easier, e.g., a loan provider can instantly assess your loan suitability without the manual hassle of retrieving docs and data
Consumers have more tools, features and help to improve their financial literacy and management. Everything they need to transfer, save or invest their funds is in the palm of their hand on an app that does not require the help of a banking employee.
For more information on PSD2’s main benefits for consumers and businesses, you can visit our PSD2 – (FAQ) Frequently Asked Questions.
Are there any PSD2 exemptions?
PSD2 specifies some exemptions to the application of strong customer authentication (SCA) in certain situations:
- Low-risk transactions
- Payments below €30
- Fixed-amount subscriptions
- Merchant-initiated transactions
- Trusted beneficiaries
- Phone sales
- Corporate payments
You can explore each exemption in more detail on our page dedicated to strong customer authentication.