In the world of finance and digital payments, there is arguably no document more influential, internationally recognized, and powerful than the 2nd Payment Services Directive, or PSD2. In the European Economic Area (EEA), PSD2 dictates how digital transactions must be carried out. Its ultimate goal is to make digital finance safer and better for its users. The legislation focuses mostly on the security and transparency of payments and on the importance of Application Programming Interfaces, better known as APIs.
Even though the second PSD came into effect in the early days of 2018, the foundation for this directive was laid over a decade earlier. The first Payment Services Directive, appropriately abbreviated and best known simply as PSD, was released in 2007. At the very early stages of the tech boom we are in now, the European Union took a pioneering approach that sought to enable digital finance service providers and fintech companies to open up, and possibly even revolutionize, the finance sector. The ultimate goal was to establish a single, unified payment ecosystem for the European Union. This should make transactions quicker and cheaper, promote innovation, and make financial services more accessible and more personalized to the needs of customers.
With rapid advancements in tech and the emergence of new conceptual business models, EU legislators decided to revise the existing PSD requirements, which were slowly but surely becoming outdated. Back in 2013, amendments were proposed to the original directive. These amendments were to focus on the technological aspects of the directive with a huge emphasis on the security of personal data. After passing all the legal barriers, the revised and modernized PSD2 became enforced in 2018-2019, with all member states of the EU and the EEA slowly but surely adopting and implementing it domestically.
It’s worth noting that the world’s leading innovator in open banking, the United Kingdom, has adopted its own Open Banking acts and directives, developed in close relation to the EU’s 2nd Payment Services Directive.
The current PSD2 legislation is publicly available. The institutions responsible for licensing and for monitoring compliance are delegated by local governments and the ECB. It can be the national bank, a market authority, or a government-contracted private entity; it varies from country to country.
Just as with the rest of EEA, PSD2 is a significant part of the ongoing banking evolution in the United Kingdom. It is strongly considered and always in play when the local legislators are trying to push for innovation and promote initiatives in the finance sector.
However, in the United Kingdom there are other documents of equal significance alongside PSD2, whereas in other countries it is mostly a standalone regulation. Many of the goals of the UK and EU governments are the same: both focus on creating a competitive market for digital payments that is both safe and efficient. The UK, as the global leader in open banking innovation, shows true initiative to remain in the lead from both a business and a regulatory standpoint.
In the United Kingdom, the Competition and Markets Authority is the main regulator, responsible for monitoring and implementing PSD2 and related regulations. Just as with PSD2, the UK’s own regulations require banks to share relevant information through APIs. The main priority will remain personal data protection.
The second directive has had a widespread effect on the whole financial market and the daily life of probably every single consumer within the EEA. PSD2 legislation is mostly focused on having the banks make their databases accessible to licensed TPPs (Third Party Payment Service Providers). In the past, the banks were the only ones with lots of information and thus, were in firm control of the financial market. With the introduction of the directive, the European legislators sought to open things up in order to bring more innovation and prevent big banks from forming monopolies.
PSD2 legislation is heavily focused on payment initiation and account information services. Both are essential to the world of eCommerce and digital finance. With so much information and data being exchanged via payments and applications each day, data security and transaction transparency are of utmost importance. AIS, or Account Information Services, are focused on the storage and sharing of a client’s personal financial information. AIS can gather all of the client’s financial information in one place, simplifying budgeting, tracking expenses, and seeing suggestions for saving.
On the other end of the spectrum, you have PIS, or Payment Initiation Services. As the name suggests, these are focused on facilitating monetary transactions in the digital space (making payments online). To ensure the security and transparency of purchases and transactions, financial companies and merchants have to authenticate the author of the transaction and their consent to purchase. Consent and identity are usually confirmed via a third-party PIS provider, which creates a sort of bridge between the merchant and the client’s bank account, allowing for a seamless transfer of funds. There are strict requirements on how transactions can be authorized, and TPPs have to obey these requirements, which limits their room for innovation.
SCA, or Strong Customer Authentication, is arguably the most important part of PSD2. It defines the conditions that need to be met in order to authorize payments. These security requirements are the major difficulty when new companies want to become compliant and PSD2-licensed. The EU requires verification/authentication to be built on three criteria (called authentication factors). In practice, SCA is the PSD2 term for what is otherwise known as MFA or 2FA.
All of these factors are of equal value and independent of one another, meaning that one can be compromised while the two remaining ones still hold. In order for a payment to be authorized, a customer has to be authenticated via possession, inherence, and knowledge.
· Possession – something that a person can own, usually referring to a device (hence, a code generator or more often – a smartphone)
· Inherence – something that a person is, referring to their biological identity (fingerprint, voice, face, etc.)
· Knowledge – something that a person has the knowledge of (passcode, password, key, etc.).
In order to authorize the payment, PISPs and AISPs have to obtain verification via two out of the three factors. Just typing in the numbers on your credit card isn’t enough anymore.
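As an added illustration (not code from the original post or from Nordigen), the following Python snippet encodes the two-out-of-three rule described above: each piece of evidence an app collects is mapped to one of the three factor categories, and a payment is authorized only when at least two distinct categories were verified. It also shows the independence property from the text: if one factor fails, the remaining two still suffice. The evidence names and the mapping are constructed assumptions for the example, not an official list.

```python
"""
Worked example of the SCA "two of three factor categories" rule.
Assumption: the app reports, per evidence item, whether verification succeeded.
"""
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the customer knows (PIN, password)
    POSSESSION = "possession"  # something the customer has (phone, token)
    INHERENCE = "inherence"    # something the customer is (fingerprint, face)


# Hypothetical mapping from collected evidence to its SCA category.
# Printed card data is not an authentication factor, hence None.
EVIDENCE_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "device_bound_otp": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face_id": Factor.INHERENCE,
    "card_number": None,
}


def verified_categories(evidence):
    """Return the set of distinct factor categories that were verified.

    `evidence` maps an evidence name to True (verified) or False (failed).
    Unknown items and non-factors (card number) contribute nothing, and two
    items from the same category (password + PIN) still count as one.
    """
    categories = set()
    for name, verified in evidence.items():
        category = EVIDENCE_CATEGORY.get(name)
        if verified and category is not None:
            categories.add(category)
    return categories


def sca_satisfied(evidence):
    """True when at least two distinct factor categories were verified."""
    return len(verified_categories(evidence)) >= 2


def authorize_payment(evidence):
    """Return (decision, reason) for a payment authorization attempt."""
    categories = verified_categories(evidence)
    if len(categories) >= 2:
        names = ", ".join(sorted(c.value for c in categories))
        return ("authorized", f"verified factor categories: {names}")
    if len(categories) == 1:
        only = next(iter(categories)).value
        return ("declined", f"only one category verified ({only}); "
                            "a second, independent factor is required")
    return ("declined", "no authentication factor verified")


if __name__ == "__main__":
    # Constructed sample attempts illustrating the rule.
    samples = {
        "card data only": {"card_number": True},
        "password + PIN (same category)": {"password": True, "pin": True},
        "password + phone OTP": {"password": True, "device_bound_otp": True},
        "OTP failed, face + password ok": {
            "device_bound_otp": False, "face_id": True, "password": True},
    }
    for label, attempt in samples.items():
        print(f"{label:35s} -> {authorize_payment(attempt)}")
```

Note the two checks that a naive implementation gets wrong: counting two knowledge items (password plus PIN) as two factors, and treating card data as a factor at all. Both are rejected here because the rule is about distinct categories, not the number of prompts shown to the customer.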
The primary challenges occurred before, during, and just after the implementation of and transition to the PSD2 rules. Today, businesses know from the outset which authorization they need to obtain and which security measures they must implement.
However, with that being said, there are still plenty of challenges for everyone – the customers, the legislators, the banks, and the developers of payment services.
For customers, the challenge is adopting new and innovative technology. Not all apps are user-friendly, and sometimes customers’ personal preferences simply differ from what their financial service providers are able to offer. Furthermore, if they are using code generators or special password cards, remembering the various codes and login details can be a burden. Inherence-based authentication is usually preferred by customers.
The challenges for legislators revolve around striking the right balance between customers’ best interests and not stifling businesses’ drive to innovate. They have to find ways to keep regulations relevant without becoming too restrictive, and seek options for even more airtight personal data protection.
Banks, on the other hand, face pressure from the legislators and from small, emerging competitors offering financial services. They need to work closely with developers in order to win the technological battle against growing startups and stay ahead of the curve. This will allow them to improve their image whilst offering better products and/or services.
Finally, from the perspective of developers, it’s constant maneuvering between existing regulations and the needs of customers. By finding ways to create more user-friendly and faster software, they are able to win exclusive partnerships with financial companies and expand their business.
If you want to know whether a person or company you’re doing business with is authorized and licensed under PSD2, you need to check your local register of open banking and related service providers. These lists are usually compiled by the governing bodies responsible for licensing payment service providers.
To sum up, PSD2 legislation is not going away anytime soon. For the time being it remains the most important document in the sphere of digital payments. By seeking to open up more opportunities to users, it has kickstarted an evolution in the banking sector that should lead to more accessible and, overall, more customer-oriented financial services.