PSD2 regulation: understanding the rules

Article by: Abílio Rodrigues | 12 min read

Although the Revised Payment Services Directive (PSD2) was implemented between January 2018 and September 2019, its origins date back to 2007. In that year, the European Commission (EC) adopted the original Payment Services Directive (PSD1), with the aim of building a single market for payments across all member states.

Advances in technology and the emergence of new conceptual business models were responsible for a variety of new financial products and services, furthering the need for an amendment to the original directive.

But, what is PSD2 in simple terms? This legislation was designed to:

  • improve customer protection
  • boost competition
  • increase security for all transactions in the European Economic Area (EEA) payments market

The new set of rules was delayed several times: the Commission presented its proposal in 2013, the directive entered into force in January 2016, and Member States had to transpose it by 13 January 2018. The Regulatory Technical Standards on strong customer authentication and third-party access applied from 14 September 2019, and the final deadline for enforcing them on e-commerce card payments was set at 31 December 2020.

The European Banking Authority (EBA) granted this transition period so that enforcing strong customer authentication on e-commerce would not disrupt online trade before merchants, card issuers and acquirers were ready to comply.

Revised Payment Services Directive legislation in the EU

The second Payment Services Directive has had a widespread effect not only on the whole financial market but in the daily life of every consumer in the EEA.

Focused mostly on payment initiation and account information services, both essential to e-commerce and digital finance, PSD2 demands stronger data security and more transparent transactions.

There are a few basic concepts that can help us better understand open banking and the way it's intended to be implemented. They refer to the parties involved in this process, as well to mechanisms that manage their interactions.

The role of AIS and PIS on open banking

Account Information Services (AIS)

First of all, Account Information Services (AIS), offered by Account Information Service Providers (AISPs), aggregate a customer's account data from one or more banks through read-only access. Bringing all this data together in one place simplifies tasks like budgeting, expense tracking or suggestions on how to save money.

Payment Initiation Service Providers (PISP)

On the other side of the spectrum, Payment Initiation Service Providers (PISPs) initiate payments from a customer's bank account on the customer's behalf, typically for online and electronic purchases.

To keep purchases secure and transparent, the customer must be authenticated and must consent to the specific payment being made. The PISP initiates the transaction and acts as the bridge between the merchant and the customer's bank, but it is the bank (the account-servicing payment service provider, ASPSP) that authenticates the customer and records the consent, which is what lets the operation remain seamless for the user.

Third-party providers have to comply with strict requirements on how transactions can be authorised. These regulations are often described as a limitation to innovation, but are paramount to ensure that open banking remains safe.

Strong Customer Authentication (SCA) is arguably the most important regulation regarding PSD2. It defines the conditions that need to be met in order for payments to be authorised.

To comply with the strong customer authentication requirements, a payment service provider must verify the customer's identity with at least two independent elements from different categories:

  • Possession: something only the user has (e.g., a registered smartphone)
  • Knowledge: something only the user knows (e.g., a PIN code)
  • Inherence: something the user is (e.g., a fingerprint)

The elements must be independent, so that compromising one does not compromise the others; two elements from the same category (a PIN and a password, say) do not count. For remote electronic payments the RTS additionally requires dynamic linking: the authentication code must be tied to the specific amount and payee, so that a code captured for one payment cannot be replayed for another. The RTS also defines exemptions, such as low-value transactions and transaction risk analysis, under which SCA need not be applied.
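As an added example that is not part of the original article, the following Python shows how a bank-side check can apply the two-categories rule, and also the dynamic-linking requirement of the RTS, which the text above only describes in words. The device key, IBAN and element names are constructed for the example.

```python
"""Added example: an SCA decision for a remote payment.

Two checks: (1) at least two verified elements from *different* categories,
and (2) dynamic linking, where the authentication code is bound to the exact
amount and payee (PSD2 RTS, Articles 4 and 5). All sample data is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class Element:
    category: str   # knowledge / possession / inherence
    kind: str       # e.g. "pin", "registered_device", "fingerprint"
    verified: bool  # outcome of the individual factor check


def meets_sca(elements):
    """True when verified elements span at least two distinct categories.

    A PIN plus a password is two knowledge elements and does not count.
    """
    categories = {e.category for e in elements if e.verified}
    return len(categories & {KNOWLEDGE, POSSESSION, INHERENCE}) >= 2


def issue_auth_code(device_key: bytes, amount_cents: int, payee_iban: str, nonce: str) -> str:
    """Authentication code generated on the customer's registered device.

    An HMAC over amount, payee and a per-transaction nonce gives dynamic
    linking: a code captured for one payment is useless for any other
    amount or payee.
    """
    message = f"{amount_cents}|{payee_iban}|{nonce}".encode()
    return hmac.new(device_key, message, hashlib.sha256).hexdigest()


def verify_auth_code(device_key: bytes, amount_cents: int, payee_iban: str,
                     nonce: str, code: str) -> bool:
    """Bank-side check: recompute the code for the payment actually being executed."""
    expected = issue_auth_code(device_key, amount_cents, payee_iban, nonce)
    return hmac.compare_digest(expected, code)


def authorise_payment(elements, device_key, amount_cents, payee_iban, nonce, code):
    """Return (authorised, reason) for a remote payment."""
    if not meets_sca(elements):
        return False, "fewer than two independent SCA categories verified"
    if not verify_auth_code(device_key, amount_cents, payee_iban, nonce, code):
        return False, "authentication code not linked to this amount and payee"
    return True, "authorised"


# Constructed sample data, not real credentials.
DEVICE_KEY = b"constructed-device-key-for-example"
PAYEE = "LV80BANK0000435195001"   # constructed IBAN
NONCE = "txn-0001"

if __name__ == "__main__":
    code = issue_auth_code(DEVICE_KEY, 4999, PAYEE, NONCE)
    ok = [Element(KNOWLEDGE, "pin", True), Element(POSSESSION, "registered_device", True)]
    print(authorise_payment(ok, DEVICE_KEY, 4999, PAYEE, NONCE, code))   # (True, 'authorised')
    # The same code presented for a larger amount: dynamic linking rejects it.
    print(authorise_payment(ok, DEVICE_KEY, 49999, PAYEE, NONCE, code))
```

The nonce must be issued by the bank per transaction and consumed on use; otherwise a code remains replayable for the same amount and payee. When the payment is initiated from the same device that holds the possession element, the RTS also expects separation between the channel and the authentication code, which this example does not model.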

PSD2 legislation in the UK


The second Payment Services Directive is a very significant part of the ongoing banking revolution in the United Kingdom, even after Brexit. Whenever local legislators try to push for innovation and promote initiatives in the financial sector, this regulation is always strongly considered.

In the UK, PSD2 was transposed through the Payment Services Regulations 2017, which are supervised and enforced by the Financial Conduct Authority (FCA). The Competition and Markets Authority (CMA) plays a separate role: its Retail Banking Market Investigation Order 2017 required the nine largest current-account providers (the CMA9) to implement standardised open banking APIs, a programme run by the Open Banking Implementation Entity.

Most of the goals of the UK’s and EU’s governments are the same, with both focusing on a competitive market for digital payments that's safer and more efficient.

The United Kingdom is one of the main open banking “players” in Europe

The UK, an early leader in open banking, has shown initiative to stay at the front, not only from a business standpoint but also from a regulatory one. Unlike most EEA countries, where the transposition of PSD2 is largely the whole story, the UK layers the CMA Order and the Open Banking standard on top of its PSD2-derived regulations, so several documents carry comparable weight.

Even so, just like with the PSD2, UK’s own regulations require banks to share relevant information with third-party providers (TPPs) through Application Programming Interfaces (APIs). Another convergence point is, of course, a relentless focus on personal data protection.

PSD2 and GDPR: how do they work together?

The General Data Protection Regulation (GDPR) came into effect at about the same time as the PSD2, more exactly on May 25th, 2018. The financial industry has been struggling, ever since, with questions about the interplay between these two regulatory measures.

Both the GDPR and the PSD2 provide a statutory and regulatory framework for PSPs offering payment services in the EU or EEA. Together, they stipulate the basic principles for data protection and transparency, while also ensuring the successful operation of businesses.

In short, the PSD2 has the ultimate goal of opening financial data, whilst the GDPR aims to protect and secure consumer personal data. This allows end users to better understand and control the information flow and the purpose of its usage.

The main point of convergence between the two sets of regulations is the emphasis on individual consent.

Example on how PSD2 and GDPR work in perfect sync

For instance, when a customer asks to share their account data, which is Personally Identifiable Information (PII), with a third party, PSD2 obliges the customer's bank (the ASPSP) to give that TPP access to it. When the customer later asks for their PII to be erased, GDPR obliges the controller to comply, subject to legal retention duties such as anti-money-laundering record keeping. There is also the question of penalties for not complying with either regulation: failure to comply with PSD2 or GDPR can lead to hefty fines.


When the rules of GDPR are breached, fines can go up to €20M or 4% of worldwide annual turnover, whichever is higher. The percentage might seem small, but some multinational companies have billions of euros in revenue per year.

PSD2 penalties are less uniform: the directive leaves sanctions to the Member States, so the amounts, and whether a fine is imposed at all, vary from country to country.

Financial institutions should, nevertheless, define a clear path of action in order to become compliant with both regulations. Doing so also helps them avoid conflicts between PSD2 and GDPR obligations that would otherwise slow innovation.

Important points of action that companies should take into consideration

  • Automated decisions: GDPR does not prohibit profiling, but Article 22 gives individuals the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects (a credit refusal, for example), unless an exception applies, and even then safeguards such as human review and the right to contest the decision are required. Be prepared to explain the logic behind any automated decision when a consumer asks;
  • Conduct a Data Protection Impact Assessment (DPIA) before any processing that is likely to be high-risk, such as large-scale analysis of transaction data;
  • Build data protection into new services by design and by default (Article 25);
  • Be able to locate and delete a consumer's data on request, while documenting which records other laws require you to retain;

Taking into account all of the information above, PSD2 and GDPR can very much work in harmony and enable PSPs to safeguard consumer personal data, while at the same time seizing new growth opportunities.

PSD2 QWAC: a certificate to rule them all

QWAC is an abbreviation for Qualified Website Authentication Certificate: an X.509 TLS certificate issued by a qualified trust service provider under the eIDAS Regulation (EU) No 910/2014, which defines the qualified trust services.

Under eIDAS, trust services are delivered by Trust Service Providers (TSPs) and include, among others:

  • Electronic signatures
  • Electronic seals
  • Electronic time stamps
  • Website authentication certificates
  • Electronic registered delivery services

A QWAC binds a website's TLS identity to a legally vetted organisation, whose name and registration details appear in the certificate. It does not make a site trustworthy by itself: it tells the other party who operates the endpoint, which is exactly what a bank needs to know before letting a third party reach account data.

In the PSD2 context a QWAC identifies a PSP and carries its PSD2 attributes. Under the Regulatory Technical Standards (RTS, Article 34) and ETSI TS 119 495, the certificate includes the PSP's authorisation number, its roles (account servicing, payment initiation, account information, issuing of card-based instruments) and the name of the National Competent Authority that authorised it. The RTS accepts either qualified website authentication certificates or qualified electronic seal certificates (QSealCs) for identification: QWACs secure the channel, QSealCs protect the content of a message.

So the certificate serves two purposes: mutual identification of the parties (a bank's API gateway typically validates the TPP's QWAC as a client certificate and checks its PSD2 roles before serving a request) and Transport Layer Security (TLS) encryption of the communication between them.

The standards applied by QWAC are somewhat based on the CA/Browser Forum’s standard for Extended Validation certificates (EV). The EV implements high assurance identity vetting procedures, and therefore is considered to be the most distinguished form of assurance for consumers. 

Payment Service Providers should buy QWAC certificates only from eIDAS - qualified Trust Service Providers. Before issuing the certificate, the TSP will confirm the applicant’s licence information with the National Competent Authority (NCA).

Because eIDAS is a regulation, it applies directly in every Member State, and a qualified certificate issued in one country is recognised in all of them. That is what lets a TPP licensed in one country identify itself to banks across the EEA with a single certificate, adding an identity layer on top of the authorisation regime that PSD2 itself brings.
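As an added example that is not part of the original article, the following Python decodes the PSD2 QcStatement that ETSI TS 119 495 defines for these certificates and makes the access decision a bank's API gateway would make before serving a TPP. The minimal DER codec and the certificate contents (roles, NCA, authorisation number) are constructed for the example, and cryptographic validation of the certificate chain is assumed to have already happened in the TLS handshake.

```python
"""Added example: reading the PSD2 attributes out of a QWAC's qcStatements.

ETSI TS 119 495 places a PSD2 QcStatement (OID 0.4.0.19495.2) in the
qcStatements extension: the PSP's roles, the NCA's name and the NCA's id.
The authorisation number lives in the subject's organizationIdentifier.
The DER codec here is written for this example; all contents are constructed.
"""
import re

PSD2_QC_STATEMENT = "0.4.0.19495.2"
ROLE_OIDS = {
    "0.4.0.19495.1.1": "PSP_AS",  # account servicing
    "0.4.0.19495.1.2": "PSP_PI",  # payment initiation
    "0.4.0.19495.1.3": "PSP_AI",  # account information
    "0.4.0.19495.1.4": "PSP_IC",  # issuing of card-based instruments
}
# organizationIdentifier form: "PSD" + country + "-" + NCA id + "-" + PSP number
ORG_ID_RE = re.compile(r"^PSD([A-Z]{2})-([A-Z0-9]{2,8})-(.+)$")


# --- minimal DER encoder/decoder (SEQUENCE, OID, UTF8String only) ---
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_seq(*items):
    content = b"".join(items)
    return b"\x30" + _length(len(content)) + content

def der_utf8(text):
    raw = text.encode()
    return b"\x0c" + _length(len(raw)) + raw

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytes([40 * parts[0] + parts[1]])
    for value in parts[2:]:
        chunk = [value & 0x7F]
        value >>= 7
        while value:                      # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body += bytes(reversed(chunk))
    return b"\x06" + _length(len(body)) + body

def _tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    pos, out = 0, []
    while pos < len(content):
        tag, value, pos = _tlv(content, pos)
        out.append((tag, value))
    return out

def _decode_oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def build_psd2_qc_statements(roles, nca_name, nca_id):
    """Encode QCStatements holding one PSD2 statement (what a QTSP would issue)."""
    role_seq = der_seq(*[der_seq(der_oid(oid), der_utf8(name)) for oid, name in roles])
    info = der_seq(role_seq, der_utf8(nca_name), der_utf8(nca_id))
    return der_seq(der_seq(der_oid(PSD2_QC_STATEMENT), info))

def parse_psd2_statement(qc_statements):
    """Return {'roles', 'nca_name', 'nca_id'}, or None if no PSD2 statement is present."""
    _, outer, _ = _tlv(qc_statements, 0)
    for _, stmt in _children(outer):
        fields = _children(stmt)
        if len(fields) < 2 or _decode_oid(fields[0][1]) != PSD2_QC_STATEMENT:
            continue
        roles_seq, nca_name, nca_id = _children(fields[1][1])
        roles = {ROLE_OIDS.get(_decode_oid(_children(r)[0][1]), "UNKNOWN")
                 for _, r in _children(roles_seq[1])}
        return {"roles": roles, "nca_name": nca_name[1].decode(), "nca_id": nca_id[1].decode()}
    return None

def authorise_tpp(qc_statements, organization_identifier, required_role):
    """Gateway decision: (allowed, reason). The chain is assumed to be validated by TLS."""
    stmt = parse_psd2_statement(qc_statements)
    if stmt is None:
        return False, "no PSD2 QcStatement in certificate"
    match = ORG_ID_RE.match(organization_identifier)
    if not match:
        return False, "organizationIdentifier is not in PSDxx-NCA-number form"
    country, nca, _ = match.groups()
    if stmt["nca_id"] != f"{country}-{nca}":
        return False, "NCAId in statement does not match organizationIdentifier"
    if required_role not in stmt["roles"]:
        return False, f"certificate does not carry role {required_role}"
    return True, "ok"


# Constructed certificate contents for an AISP licensed in Latvia (hypothetical number).
SAMPLE_QC = build_psd2_qc_statements([("0.4.0.19495.1.3", "PSP_AI")],
                                     "Financial and Capital Market Commission", "LV-FCMC")
SAMPLE_ORG_ID = "PSDLV-FCMC-000000"

if __name__ == "__main__":
    print(authorise_tpp(SAMPLE_QC, SAMPLE_ORG_ID, "PSP_AI"))  # (True, 'ok')
    print(authorise_tpp(SAMPLE_QC, SAMPLE_ORG_ID, "PSP_PI"))  # an AISP may not initiate payments
```

In production the qcStatements extension and the subject's organizationIdentifier come from the parsed X.509 client certificate presented in the TLS handshake, and the gateway should additionally confirm that the issuing CA is on the EU trusted list and that the authorisation number is still current in the NCA's or EBA's register, since a certificate can outlive a revoked licence.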

PSD2 regulation: critical but challenging

There are, however, some challenges to enforcing such a complex set of rules. Some of them occurred before, during, or even after the implementation and transition to PSD2.

Below, you will find how these challenges have an impact on every party involved, from the customer to the developers:

  • Customers: new and innovative technologies always face a certain degree of resistance. Besides, not all apps have a user-friendly interface, and sometimes users have different personal preferences from those who developed the platforms;
  • Legislators: the main challenge for them is to retain the perfect balance between the customers’ best interest and not disabling businesses’ drive for innovation. Regulations should be relevant without being too restrictive, always with personal data protection in mind;
  • Banks: legacy financial institutions face pressure from legislators and emerging competitors. They also need to work closely with developers in order to stay ahead of the curve, allowing them to improve their image and services portfolio;
  • Developers: APIs have to be developed with the customers’ needs in mind, but must also comply with existing regulations. This fine line is not always easy to navigate, especially when the need to create user-friendly and faster software is essential;

How do you get a PSD2 licence?

PSD2 licence challenges

The second payment services directive is one of the most important legislative documents in the European finance industry, covering the ins and outs of online payments and financial account data security.

This important document outlines the general principles of good practice in the modern financial industry. Moreover, it clarifies the requirements that have to be met to obtain a licence: registration as an Account Information Service Provider (AISP), the lighter regime, since AISPs only read data, or authorisation as a Payment Initiation Service Provider (PISP), which moves money and therefore faces the full set of requirements.

These requirements, as well as the PSD2 licence application as a whole, are very demanding. Besides the regular forms containing basic info (corporate name, websites, address), there are a lot of other documents that are requested, including business plans and financial information.

The PSD2 licence is obtained from the National Competent Authority of the Member State where the company is established (for example BaFin in Germany, the ACPR in France, De Nederlandsche Bank in the Netherlands, or the Financial and Capital Market Commission in Latvia). It is not issued by the European Central Bank, which supervises credit institutions rather than licensing payment institutions. Once licensed, a PSP can passport its services to the other EEA states.

The first step towards getting a licence to operate in the open banking space is to get your company familiar with the requirements. The regulatory environment is very much alive and ever-changing, so your team has to be ready to find solutions to meet the latest requirements.

It is very important that you always maintain close contact with your domestic regulator, in order to discuss legislation and ask for help whenever it is needed.

Licensing process in 4 steps

  1. Filling out the necessary forms
  2. Meeting the regulators
  3. Adjusting documents and forms according to notes and comments by the regulator
  4. Once all doubts and questions have been answered, licence should be issued

PSD2 licence cost and other requirements

The process of getting a PSD2 licence is very challenging and can prove to be quite difficult. In order to prepare every single document and be fully compliant with regulatory demands, there is a lot of preparation involved.

The total PSD2 licence cost isn't a fixed amount, as regulators don't usually charge much for the application itself. However, legal matters, consultation fees and other related expenses can add up to hefty sums. Estimates vary, and depending on the country you might be looking at at least €50,000 just to get started.

For most European countries, the PSD2 licence cost exceeds six figures, and it’s estimated to be over a quarter of a million euros.

This amount does not include the initial capital that PSD2 itself requires a payment institution to hold (Article 7): €20,000 for money remittance, €50,000 for payment initiation services and €125,000 for the other payment services. AISPs are exempt from the initial-capital requirement but must hold professional indemnity insurance instead. Other licence types, such as e-money or credit institutions, carry considerably higher thresholds.

Since we are talking about a very complex endeavour, there are a lot of moving parts capable of influencing the end result. Obtaining the licence isn’t easy nor cheap, but if you meet all the PSD2 licence requirements and draft a solid plan to develop and implement a service, you will most likely succeed without any major obstacles.

PSD2 licensing in Europe

If you know what a PSD2 licence is, you are probably aware that the verification process and the whole licensing procedure takes quite a while. This helps prevent issuing licences to unqualified organisations and works as an added security layer for consumers.

In the European Economic Area, PSD2 licence grants are dominated by the UK. In the European Union, countries like Germany, France and the Netherlands are leading the pack, followed by the Baltic States and Nordic countries.

The current statistics on the number of licences issued in each EU and EEA country show that you can start a PISP, AISP or any other open banking-related business anywhere.

There are, nonetheless, a few countries where you can meet the most appealing legislators and the best conditions for starting and developing such a business:

  • UK
  • Germany
  • France
  • Netherlands
  • Malta
  • Lithuania

If you think that all the work is done after getting that coveted licence, you may want to think again.

After this process, companies still have to implement the strategy and execute the business plan. Also, regulations might change after approval and licensing, which means that teams have to continuously be aware of their environment.

Here are the main challenges that you may have to face after your business is successfully licenced:

  • Security risk management framework
  • Anti-money laundering and counter-terrorist financing (AML/CTF), including Know Your Customer (KYC) checks
  • Governance
  • Delegation of certain duties

Nordigen’s free API and PSD2


As an authorised AISP regulated by the Financial and Capital Market Commission of Latvia, and authorised in 31 European countries, Nordigen is the first (and only) AISP to make its API totally free to use.

Access to open banking data in Europe is free, and Nordigen believes that it should be free for everyone. With that in mind, we offer free access to personal and business banking data using only PSD2-compliant connections.

Nordigen’s free API connects to more than 1,000 banks in Europe, helping FinTech companies develop new services and technologies. The raw data obtained from said API might be overwhelming for business use, which is why Nordigen developed a set of premium services, including:

  • Transaction Categorisation
  • Income Insights
  • Loan Insights
  • Risk Insights
  • Simple Score
  • Credit Scores
  • Library with up to 1 million Machine Learning features