PSD2 Explained


At the beginning of 2021, a directive that reshaped the banking landscape came into force in the EU under the name Payment Service Directive 2 (PSD2). This new law aims to create a competitive payment sector by curbing the monopoly banks had over customer financial data. The directive also further develops an efficient single European payment market along the tracks laid out by its predecessor, the Payment Service Directive (PSD1).

Furthermore, PSD2 brings new and enhanced security features, collectively called Strong Customer Authentication (SCA), for consumers using digital transactions and online banking in the EU. However, lawmakers and other stakeholders reportedly failed to present the new changes to the broader public, so they went almost unnoticed by consumers. Therefore, to have the PSD2 directive explained, this text provides both a Payment Service Directive summary and a deeper analysis.


Predecessor to PSD2

In 2007, PSD1 was adopted within the EU and EEA member states, laying down a framework for an EU single euro payment market (SEPA). This directive brought many benefits to the economy of the EU and its consumers alike. It allowed non-bank companies to carry out transactions, introducing a new industry category named Payment Service Providers (PSPs). As a result, consumers gained more choice, and competition increased within the payment market.

Additionally, transparency on the part of banks and PSPs was improved under PSD1 because of requirements to disclose the services, fees, and exchange rates with which they operate. Moreover, it became easier and more secure for consumers and businesses to initiate cross-border payments within member states. The new directive, PSD2, builds on all of these objectives and expands them even further.


PSD2 for dummies

With the rapid evolution of IT technologies and the innovations made by banks, PSPs, and FinTech companies, parts of the PSD1 regulation became outdated within a decade. The old directive did not cover many new services and innovations, so calls for an updated rulebook arose within the EU regulatory bodies. Notably, one of the focus points was data security and confidentiality, as rapid digitalization took place with a growing number of transactions completed online. While under PSD1 a low level of authentication for digital transactions or access to bank accounts was acceptable, PSD2 introduced more robust authentication requirements for such actions.

Before explaining the technical aspects of the new directive, we will first cover a short PSD2 summary of its aims. The key objectives of the new directive are to further improve competitiveness within the EU payment market, open up the banks' customer data to Third Party Providers (TPPs), and strengthen the security of consumers' data. PSD2 notably expands the reach of PSD1. The rules of the first directive only applied to PSPs interacting within the EEA member states. With PSD2, any PSP in any country interacting with another PSP from the EU has to abide by the PSD2 rules in order to complete operations into or out of the European Union.


The impact of PSD2

To have the PSD2 directive explained in full, we will also cover its in-depth impact on the banking and payment sectors. With the new directive, TPPs now include two new regulated types of service provider, namely Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). These providers are made possible by the requirement for banks to open their customer data and share it, through the banks' Application Programming Interface (API), with companies that customers consent to.

Licensed companies acting as an AISP can ask for permission to access a customer's bank account data in order to provide a service. They are granted "read-only" access to the user's account data through the API, meaning they can see but not move the customer's funds. PISPs, on the other hand, can send a request to the bank's API to initiate a payment from the customer's bank account on the customer's behalf.

The security improvement for consumers mentioned in the PSD2 for dummies section mainly comes with the introduction of SCA requirements for digital transactions and financial account access. The European Banking Authority (EBA) defines SCA as an "authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent". For example, knowledge could be the customer's account password, possession could be the customer's phone, and inherence could be the customer's fingerprint. Elements from at least two of the three categories must be verified to comply with SCA. However, there are exemptions where SCA is not required: low-risk transactions, transactions below 30 euros, recurring payments such as subscriptions, payments to businesses whitelisted by the customer, corporate payments, merchant-initiated transactions, and phone sales.


PSD2 summary – the timeline of the main events

The path for PSD2 to come into effect was quite a complicated one. The need for it was recognized as early as 2013, and while it was supposed to go into effect on the 14th of September 2019, the EBA decided to delay the deadline to the 31st of December 2020. The Payment Service Directive summary can be outlined with the following key facts.

In July 2013, the need for PSD2 was emphasized because PSD1 had been developed before the widespread adoption of smartphones. The European Commission introduced the PSD2 proposal.

In January 2016, the EU member states agreed to adopt PSD2 into their national laws by January 2018. The first stage of the process of forming an EU-wide open banking regulatory framework began.

In June 2017, the Berlin Group announced it had created a harmonized European API standard to give TPPs access to bank accounts under the requirements of PSD2.

In November 2017, the European Commission announced the regulatory technical standards that are now known as SCA.

In January 2018, all EU member states passed PSD2 domestic regulations, setting a deadline for completing SCA compliance solutions.

On the 31st of December 2020, PSD2 was finally enacted when the final deadline for PSD2 compliance was reached. It is now the law governing e-commerce in the EU and EEA member states.


PSD2 compliance requirements

To have PSD2 explained fully, it has to be noted that PSD2 applies to all transactions into or out of EU and EEA member nations. The primary focus for compliance is EU and EEA banks and PSPs. However, unlike with PSD1, with PSD2 in force companies registered outside the EU but with customers or business units within EU jurisdiction may be subject to the requirements if they wish to continue their financial operations in the European Union.

Banks that wish to continue their operations, and companies that want to become TPPs or provide e-commerce services, have to comply with multiple requirements under PSD2. The main technical requirement for PSD2 compliance is the open API that banks must provide. Such an API must give TPPs access to the customer's account data that the customer consents to share with the provider. The other core aspect of PSD2 compliance is the use of SCA. This requirement applies not only to banks but also to other financial sector players that handle digital transactions or financial accounts, such as TPPs and e-commerce shops.

The new directive also obliges PSPs to resolve complaints in a timely manner. The regulation includes a framework that describes how to report incidents to EU regulatory bodies, customers, and relevant law enforcement units in the event of a criminal breach.

PSD2 also bans surcharges in some instances. Food and travel, ticketing, and delivery websites can no longer apply additional fees to customers paying with a credit or debit card. This applies to both business-to-customer (B2C) and business-to-business (B2B) cases. It is also important to note that even if a payment falls outside the scope of the surcharge ban, the fee cannot exceed the cost incurred by the merchant in accepting that particular payment method.

Finally, companies are now required to provide more transparency. They are obliged to disclose the currency conversion rates used in transactions. Additionally, the terms and conditions the user must accept in order to interact with the company should be more customer-friendly and easy to understand.
