PSD2 history and timeline
The revised payment services directive (PSD2) entered into force between January 2018 and September 2019, but its history starts much earlier. In 2007, the European Union (EU) created the original payment services directive with the goal of implementing a single payment market for all member countries, promoting innovation, competition, and efficiency throughout the EU.
Due to great advances in technology that led to the development of a variety of new services, in 2007 the European Commission felt the need to propose an amendment to the original directive. This amendment is the origin of the current PSD2 regulation, which improves customer protection, boosts competition and innovation, and increases security in the payments market.
With numerous delays in the development of the new directive, PSD2 began gradually entering into force in January 2018. After reaching the milestone of authentication and third-party access requirements in September 2019, the final deadline was set to December 31, 2020.
The implementation of PSD2 could have had a negative impact on ecommerce, so with that in mind the European Banking Authority (EBA) established this transition period for financial institutions to become PSD2-compliant.
PSD2 and open banking
PSD2 is a directive that was designed to better respond to new customer needs and new technologies, specifically the need for customers to access their banking information outside their bank's own infrastructure. By allowing customers to share information with third-party providers, the variety of offers and services has grown immensely in recent years.
The regulations introduced with PSD2 strongly influenced the way open banking works by working toward eradicating the use of screen-scraping. This is a method where a third-party provider obtains access to financial data by logging in with the customer's own credentials, which means the provider holds and replays a secret that grants full control of the account and opens the door to a considerable list of vulnerabilities.
With the implementation of the PSD2 regulation and some additional standards (e.g., the Regulatory Technical Standards) as a baseline for the use of open banking, customers can be assured that as long as they connect through authorised third-party providers, their safety is guaranteed.
What is open banking?
Open banking is an initiative that allows customers to make their financial data available to third-party providers with the use of an application programming interface (API). Alongside implementation of the PSD2 directive, banks were forced to develop their own APIs to facilitate access to their customers' financial information in a secure and private manner.
This financial data can be used by many fintech companies to maximize the services available to their customers. Two of the main uses of open banking are apps that aggregate banking data from different banks into a unique platform, and businesses involved in lending/credit.
PSD2 regulation in Europe
PSD2 is European Union legislation that regulates how open banking is applied in all member states of the European Economic Area (EEA). The revised directive was created with the aim of guaranteeing secure and safe access to customer financial information by third-party service providers, and to reduce fraudulent activities.
In Europe, the PSD2 directive is supplemented by the Regulatory Technical Standards (RTS), which are key to helping achieve the PSD2 objectives of enhancing consumer protection, promoting innovation and improving the security of payment services.
PSD2 strong customer authentication regulation
As one of the main purposes of PSD2 is reducing fraud and improving consumer protection, the regulation forced the implementation of strong customer authentication (SCA) in all European e-commerce transactions. SCA has the goal of reducing payment fraud without neglecting the customer experience, which it aims to achieve without introducing complicated steps into the payment process.
The solution presented itself as two-factor authentication (2FA), where customers need to provide two independent pieces of information to confirm their identity. These pieces of information can be organised in three categories:
- Something they own (e.g., smartphone)
- Something they know (e.g., PIN code)
- Something they are (e.g., fingerprint)
In specific situations some transactions might be exempt from authentication, such as low-value and recurring transactions. Another situation could be when a customer decides to “whitelist” the merchant, confirming that they don’t wish to be authenticated for future transactions.
PSD2 regulation — PayPal
Being one of the largest payment initiation service providers in Europe, PayPal needed to guarantee compliance with PSD2, especially in regard to SCA. To make sure that the identity of the customer is confirmed before accepting an online payment from anyone in Europe, PayPal enforced a 2FA process.
As stated on their official PSD2 page, PayPal started to apply 2FA every time a customer makes a payment, accesses the account, or makes changes to it.
As per the SCA regulation, PayPal became compliant with PSD2 by processing customer authentication through 2 out of 3 types of authentication:
- Knowledge: something only the customer would know, like a password
- Possession: something only the customer has, like a one-time code generated by SMS or a trusted device
- Inherence: something that is unique to the customer, such as a fingerprint or voice
PayPal states that most of the time it is possible to log in or pay by just entering login details, but that is not the case. Since the beginning of 2021, every time a customer wants to access their account (especially on a smartphone), they will be asked to complete the two-factor authentication process.
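The SCA rule described in the two sections above (two independent elements drawn from the knowledge, possession and inherence categories, plus the low-value, recurring and whitelisted-merchant exemptions) is easy to get wrong: a password plus a PIN are two pieces of information but only one category. The following is an added example, not code from Nordigen, PayPal or this page; the evidence names, the `Transaction` fields and the low-value limit of EUR 30 (the RTS figure, which the page itself does not state) are assumptions chosen for illustration.

```python
"""Constructed SCA decision logic (added example, not Nordigen's or PayPal's code)."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the customer knows
    POSSESSION = "possession"  # something the customer has
    INHERENCE = "inherence"    # something the customer is


# Hypothetical mapping from the evidence a checkout collects to its SCA category.
EVIDENCE_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,
    "trusted_device": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
}

# Assumed low-value limit; the page names the exemption but gives no figure.
LOW_VALUE_LIMIT_EUR = 30.00


@dataclass(frozen=True)
class Transaction:
    amount_eur: float
    recurring: bool = False             # later instalment of a series the customer already authenticated
    merchant_whitelisted: bool = False  # customer placed the merchant on their trusted list


def distinct_factors(evidence):
    """Return the set of SCA categories covered by the presented evidence.

    Two pieces from the same category (password + PIN) cover only one
    category, so they never satisfy the 'two independent elements' rule.
    Unknown evidence names raise instead of being silently counted.
    """
    categories = set()
    for item in evidence:
        if item not in EVIDENCE_CATEGORY:
            raise ValueError(f"unclassified evidence type: {item!r}")
        categories.add(EVIDENCE_CATEGORY[item])
    return categories


def sca_satisfied(evidence):
    """True when the evidence spans at least two of the three categories."""
    return len(distinct_factors(evidence)) >= 2


def applicable_exemption(txn):
    """Name the exemption that lets a transaction skip SCA, or None."""
    if txn.merchant_whitelisted:
        return "trusted_beneficiary"
    if txn.recurring:
        return "recurring"
    if txn.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return "low_value"
    return None


def decide(txn, evidence):
    """Return (outcome, reason) for a payment attempt.

    SCA is checked first: a customer who already presented two factors is
    approved regardless of exemptions. Otherwise an exemption may still
    approve the payment; without one the attempt is declined and the
    merchant must step up to a second factor.
    """
    if sca_satisfied(evidence):
        return ("approved", "sca")
    exemption = applicable_exemption(txn)
    if exemption is not None:
        return ("approved", f"exempt:{exemption}")
    return ("declined", "sca_required")


if __name__ == "__main__":
    for txn, ev in [
        (Transaction(20.0), ["password"]),
        (Transaction(150.0), ["password", "pin"]),
        (Transaction(150.0), ["password", "sms_otp"]),
        (Transaction(150.0, merchant_whitelisted=True), ["password"]),
    ]:
        print(txn, ev, "->", decide(txn, ev))
```

The point a practitioner should take from `decide` is the order of checks: factors are evaluated before exemptions, so an exemption can only ever lower friction for a customer who would otherwise be declined, never downgrade an authentication that was already completed; and `distinct_factors` refuses evidence it cannot classify rather than letting an unclassified item quietly count as a second factor.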
Is open banking free?
Sadly, the answer is not as clear as it should be. Depending on which side of the concept we are looking at, open banking is theoretically free, but not in practice.
With the implementation of the PSD2 regulation, banks were forced to develop APIs to facilitate access to their customers' banking data. However, these APIs can only be accessed by authorised account information service providers (AISPs), account servicing payment service providers (ASPSPs), payment initiation service providers (PISPs) and payment service providers (PSPs).
Even though authorised third-party providers get free access to a bank's open banking API, the services they built on it have, until now, been paid services.
Nordigen’s free API and PSD2
Being an authorised AISP regulated by the Financial and Capital Market Commission of Latvia and authorised in 31 European countries, Nordigen is the first (and only) AISP to make its API totally free forever.
Access to open banking data in Europe is free, and Nordigen believes that it should be free for everyone, not only for some. With that in mind, we offer free access to personal and business banking data using only PSD2-compliant connections.
Nordigen’s free API connects to more than 1,000 banks in Europe, helping FinTech companies develop new services and technologies. The raw data obtained from said API might be overwhelming for business use, which is why Nordigen developed a set of premium services, including:
- Transaction Categorisation
- Income Insights
- Loan Insights
- Risk Insights
- Simple Score
- Credit Scores
- Library with up to 1 million Machine Learning features