PSD2 FAQ - Frequently Asked Questions - Nordigen

PSD2 FAQ — Frequently Asked Questions

Article by: Abílio Rodrigues | 5 min

PSD2 is a piece of EU (European Union) legislation that is intended to modernize banking, making it not only safer but also more transparent. This directive works as an additional layer of protection for individuals and businesses that do online transactions.

PSD2 is also seen as an additional step towards a digital single market in the EU, giving consumers better choices when it comes to financial services by allowing new players to gain access to the market. With this came more competitiveness, easier and quicker payments as well as tailored solutions that are able to cater to every particular need.

The Revised Payment Services Directive has three main benefits: increased consumer rights, improved security and permission for regulated third-parties to access payment account information.

The Revised Payment Services Directive was first introduced in 2016, but in order to allow for a transition period the transposition deadline in the EU and EEA (European Economic Area) was set to January 13th 2018.

Due to some technical difficulties, banks, merchants and other Fintech institutions were granted an extension for full implementation of PSD2 until the end of 2020. Businesses impacted by Covid-19 restrictions had their compliance deadlines extended to September 14th 2021.

Each Member State of the European Union can individually adopt PSD2 regulations and have them implemented under its own laws. Under this new payment services directive, banks and other financial institutions are required to provide APIs (Application Programming Interfaces) for regulated and licensed external service providers, commonly referred to as third-party providers.

These regulated providers can then use APIs to offer an array of payment and information services that can range from financial management apps to software developed for helping e-commerce with direct PSD2 payments.

The payment service providers rely on qualified certificates for electronic seals that can be obtained from a Qualified Trust Service Provider. The QSEAL (Qualified Electronic Seal) certificates are used for identification verification purposes in order to protect transaction information.

On the other hand, QWACs (Qualified Website Authentication Certificates) are used for website authentication to ensure the identities of Account Servicing Payment Service Providers (ASPSPs) and third party providers (TPPs).

The Revised Payment Services Directive has several benefits for consumers:

  • Safer online transactions: PSD2 ensures that electronic payments are mediated by strong security requirements, such as Strong Customer Authentication (SCA), protecting consumers’ financial data and privacy. As a result, consumers should feel increasingly more confident when buying online;
  • More control over your financial data: the introduction of this new regulation allows for easier access to relevant data and a more integrated way of controlling things like spending and savings. It was also designed to give consumers a myriad of new services that help them better manage their assets in this new era of financial literacy;
  • Access to custom tailored products: individuals can have access to relevant products and services, allowing for greater personalization and the benefit of choice. This empowers customers to take charge of their finances and make informed decisions regarding their present and future;
  • More consumer rights: consumer liability when it comes to unauthorised payments is reduced, with the addition of a “no questions asked” refund policy for direct debits in euro. Not only that, but PSD2 prohibits additional charges for payments with consumer debit or credit cards, both in shops and online. In case something goes wrong, complaints are to be handled by competent authorities designated by each Member State;
  • More competitive EU payments market: setting the pace for the future of online transactions, PSD2 embraces the evolution of virtual financial services by applying these new regulations in equal form to traditional banks and new players in the industry - namely FinTechs - which are now regulated under EU rules. This way, the third-party payment service providers (TPPs) can initiate payments on behalf of their customers, assuring retailers that their money is on the way;

By complying with PSD2, businesses can help end consumers in a number of ways and benefit from a relationship based on trust and mutual respect.

This can potentially pave the way to getting more customers, while at the same time making transactions more secure:

  • Faster and more effective decisions: by accessing relevant customer information, businesses can accelerate the decision making process, saving precious time and resources that can be channeled into profitability; 
  • More control over financial data: the Revised Payment Services Directive grants companies full control over their earnings and expenses, an invaluable tool for managing precious financial assets;
  • Improved customer experience: greater customer satisfaction will translate into higher business volume and added revenue;

The introduction of PSD2 had some people look at traditional banks as being on the losing side of this regulation. This couldn’t be further from the truth, as banks have a lot to gain:

  • Keeping up with the times: by adopting PSD2, banking institutions present themselves as more modern and appealing as they can then meet the ever-changing demands of today’s customers;
  • Customer centric approach: everything is done in a more secure and timely manner, leading to greater customer satisfaction and improved convenience for all interested parties;

Yes, the Revised Payment Services Directive is mandatory in the European Union and European Economic Area. Businesses have two ways of complying with PSD2.

Companies can apply for a licence to become either an account information service provider (AISP) or payment initiation service provider (PISP). Both third-party solutions can securely access open banking data with the consent of consumers.

Businesses can also use services like AISPs or PISPs - since both are already authorised and responsible for following regulations - facilitating the outsourcing of these services.

Payment providers and banks are legally obliged to enforce PSD2, and non-compliance will result in the loss of transaction volume for sellers and payment providers.

Payment providers will suffer the most severe consequences, as national regulators have the power to impose fines and even revoke licences.

PSD2 is mandatory in the EU and EEA, but there are some exemptions to Strong Customer Authentication (SCA) when certain criteria are met. These are the most common situations:

  • Low-risk transactions
  • Payments below €30
  • Fixed-amount subscriptions
  • Merchant-initiated transactions
  • Trusted beneficiaries
  • Phone sales
  • Corporate payments

PSD2 is a European Union directive to regulate payment services and payment service providers, requiring businesses and traditional banks to implement stronger fraud prevention checks like Strong Customer Authentication.

3DS2 was created by Visa and Mastercard in 2016 as a way to update 3DS regulations. It can be seen as a solution for SCA that complies with PSD2 requirements in Europe. Nevertheless, it can also be used outside EU space for customer authentication, diminishing the risk of fraud.

This secure protocol demands that sellers send complementary data with every transaction, in order to guarantee that the customer is the legitimate cardholder.

In sum, this improved authentication system helps merchants to comply with Strong Customer Authentication requirements under the Revised Payment Services Directive.

For a long period of time, incumbent banking institutions had a monopoly on payment services. Moreover, before the implementation of PSD2, banks had to authorise payments for account holders.

With the Revised Payment Services Directive, the playing field has been levelled when it comes to the payment services market, creating new opportunities for third-party service providers to come up with new online payment products. 

Traditional banks are now also forced to be more transparent in their operations - like credit or currency exchange rates, for example - allowing for a more trustworthy relationship.

Since the Revised Payment Services Directive is an EU-driven initiative, there were some doubts about whether the United Kingdom had to comply after Brexit.

PSD2 relates to the EEA (European Economic Area) and is not limited to the EU (European Union), which means most banks are planning for some form of EEA relationship with the UK. This new directive is paramount to interaction and success in EU markets, leading to a demand from banking experts to keep up with global PSD2 banking innovation. 

Therefore, PSD2 was adopted in the UK by the Payment Services Regulations.

The Revised Payment Services Directive does not apply in the United States, being enforced exclusively in Europe. However, US companies doing business in the EU have to comply with PSD2 regulations.

PSD2 has the potential to change the payments industry landscape at a global level, so it is vital that US companies pay attention to its evolution.

It is up to each European Union Member State to determine a National Competent Authority responsible for issuing account information service provider (AISP) licences and monitoring their activity. Visit our webpage to find out which entity is responsible in your country.

In the UK, PSD2 is enforced by the Financial Conduct Authority (FCA), the regulator of financial firms and markets in the United Kingdom. The FCA is responsible for determining which third party providers (TPPs) can be authorised or registered, as well as for monitoring TPPs' reporting obligations under PSD2. All complaints towards a third party provider are also handled by the FCA.
