PSD2 RTS (Regulatory Technical Standards)


What is PSD2?

The revised Payment Services Directive, or PSD2, was developed to level the playing field and increase cooperation and collaboration between fintechs and traditional banks. It is based on the original directive, PSD1, adopted in 2007, which provided the legal framework for a single market for payments in the EU.

The main benefits of the revised directive are increased consumer rights, improved security and permission for regulated third parties to access payment account information.

What are Regulatory Technical Standards (RTS)?

Regulatory technical standards (RTS) are a set of technical compliance standards that, once endorsed by the European Commission (EC), must be met by all parties in scope. They are drafted by the European Banking Authority (EBA) and adopted by the EC as delegated regulations; their goal is to establish the minimum conditions that businesses must meet to be compliant with the revised Payment Services Directive (PSD2). For PSD2, the relevant text is Commission Delegated Regulation (EU) 2018/389, which has applied since 14 September 2019.

PSD2 and RTS: how are they related?

For PSD2 specifically, the RTS focus on defining concrete security measures and on ensuring effective and secure communication. The PSD2 RTS cover strong customer authentication (SCA) and common and secure open standards of communication (CSC).

In the PSD2 directive itself, these security measures are described only at a high level, which created the need to draft a more specific and clear set of standards against which compliance can be assessed.

What is SCA and when does it need to be applied

Strong Customer Authentication (SCA) is an authentication based on the use of two or more elements categorized as:

  • Knowledge (something only the user knows [for example, a password])
  • Possession (something only the user possesses [for example, a particular mobile phone and number])
  • Inherence (something the user is [for example, a fingerprint or iris pattern])

The basic principle of SCA is to protect customers by raising the level of security of electronic payments. The elements must be independent, so that compromising one does not compromise the others.

SCA needs to be applied when a customer accesses their payment account online (including situations where an aggregated view of several accounts is presented), when initiating an electronic payment, and when carrying out any action through a remote channel which may imply a risk of payment fraud.

On top of the customer authentication, remote payments get an extra layer of security known as dynamic linking: the authentication code generated for the transaction is bound to a specific amount and a specific payee, the payer is shown both before approving, and any later change to the amount or payee invalidates the code.
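The following is an added illustration of dynamic linking, not code from the page or from any PSP; it assumes a shared per-device key (in practice this would live in the authenticator device or app) and a per-transaction challenge issued by the bank. The code is an HMAC over a length-prefixed encoding of amount, currency, payee and challenge, truncated to a short numeric code in the style of HOTP (RFC 4226) so it could be shown on a device. The bank recomputes the code from the amount and payee it is about to execute, so a merchant that alters the amount after the user approved it cannot reuse the code.

```python
import hashlib
import hmac
import secrets


def canonical_transaction(amount_minor: int, currency: str, payee: str, challenge: bytes) -> bytes:
    """Unambiguous byte encoding of the details the code is bound to.

    Every field is length-prefixed, so payee "AB" + "C" and "A" + "BC" never
    encode to the same bytes. Amount is in minor units (cents) to avoid floats.
    """
    if amount_minor < 0:
        raise ValueError("amount must be non-negative")
    fields = [
        str(amount_minor).encode("ascii"),
        currency.upper().encode("ascii"),
        payee.encode("utf-8"),
        challenge,
    ]
    encoded = b""
    for field in fields:
        encoded += len(field).to_bytes(4, "big") + field
    return encoded


def authentication_code(key: bytes, amount_minor: int, currency: str, payee: str,
                        challenge: bytes, digits: int = 8) -> str:
    """Authenticator side: derive a short code specific to amount and payee."""
    mac = hmac.new(key, canonical_transaction(amount_minor, currency, payee, challenge),
                   hashlib.sha256).digest()
    # Dynamic truncation as in HOTP: pick a 31-bit window selected by the last nibble.
    offset = mac[-1] & 0x0F
    window = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{window % (10 ** digits):0{digits}d}"


def verify_authentication_code(key: bytes, amount_minor: int, currency: str, payee: str,
                               challenge: bytes, presented: str) -> bool:
    """Bank side: recompute from the transaction that will actually be executed."""
    expected = authentication_code(key, amount_minor, currency, payee, challenge, len(presented))
    # Constant-time comparison so timing does not leak how many digits matched.
    return hmac.compare_digest(expected, presented)


def tampering_is_detected(key: bytes, challenge: bytes) -> bool:
    """Worked scenario: user approves 49.99 EUR to ACME; merchant tries to execute 499.90."""
    code = authentication_code(key, 4999, "EUR", "ACME Ltd", challenge)
    honest = verify_authentication_code(key, 4999, "EUR", "ACME Ltd", challenge, code)
    raised_amount = verify_authentication_code(key, 49990, "EUR", "ACME Ltd", challenge, code)
    swapped_payee = verify_authentication_code(key, 4999, "EUR", "Mallory", challenge, code)
    return honest and not raised_amount and not swapped_payee


if __name__ == "__main__":
    # Constructed values for the demo; a real deployment provisions the key per device
    # and the bank issues a fresh random challenge for every transaction (replay protection).
    demo_key = secrets.token_bytes(32)
    demo_challenge = secrets.token_bytes(16)
    print("dynamic linking holds:", tampering_is_detected(demo_key, demo_challenge))
```

Note that the challenge is what makes the code single-use: without it, the same amount and payee would always yield the same code and a captured code could be replayed.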

Although payment service providers and account information service providers need to apply SCA to be PSD2 compliant, the RTS define a number of exemptions under which SCA does not have to be applied:

  • Remote payments (online and mobile) of low value (up to €30). The exemption stops applying, and SCA must be performed again:
      • when the cumulative value of exempted payments since the last SCA reaches €100, or
      • when 5 consecutive payments of up to €30 have been made since the last SCA
  • Contactless card payments up to €50. The exemption stops applying, and SCA must be performed again:
      • when the cumulative value of exempted contactless payments since the last SCA reaches €150, or
      • when 5 consecutive contactless payments of up to €50 have been made since the last SCA
  • Payments at unattended terminals for transport fares and parking fees
  • Online payments to a beneficiary the payer has placed on a list of trusted beneficiaries
  • Corporate payments, if dedicated payment processes and protocols that the competent authority considers secure are used
  • Consulting an online payment account: SCA is needed only the first time and then at least every 90 days (consulting balance and recent transactions only, not initiating payments)
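As an added worked example (not code from the page or from any PSP), the decision logic behind the quantitative exemptions above can be written as a small state machine per payment instrument. It assumes that the cumulative-value and consecutive-transaction counters are kept since the last time SCA was applied and are reset whenever SCA is applied, and that trusted beneficiaries are a per-customer set; the 90-day rule is modelled with a timestamp of the last authenticated account access. Amounts are in euro cents.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Channel(Enum):
    REMOTE = "remote"            # online / mobile low-value exemption
    CONTACTLESS = "contactless"  # contactless card exemption


# Thresholds from the RTS, in euro cents: single-transaction cap, cumulative cap
# since the last SCA, and the number of consecutive exempt transactions allowed.
LIMITS = {
    Channel.REMOTE: {"single": 30_00, "cumulative": 100_00, "count": 5},
    Channel.CONTACTLESS: {"single": 50_00, "cumulative": 150_00, "count": 5},
}
ACCOUNT_ACCESS_WINDOW = timedelta(days=90)


@dataclass
class InstrumentState:
    """Per-instrument counters. Assumption: both sets of counters reset on any SCA."""
    cumulative: Dict[Channel, int] = field(default_factory=lambda: {c: 0 for c in Channel})
    count: Dict[Channel, int] = field(default_factory=lambda: {c: 0 for c in Channel})
    last_access_sca: Optional[datetime] = None
    trusted_payees: Set[str] = field(default_factory=set)


def payment_requires_sca(state: InstrumentState, channel: Channel,
                         amount_cents: int, payee: str) -> Tuple[bool, str]:
    """Decide whether SCA is needed for one payment; returns (required, reason)."""
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    if payee in state.trusted_payees:
        return False, "trusted beneficiary exemption"
    limit = LIMITS[channel]
    if amount_cents > limit["single"]:
        return True, f"amount exceeds single-transaction cap of {limit['single']} cents"
    if state.count[channel] >= limit["count"]:
        return True, f"{limit['count']} consecutive exempt transactions since last SCA"
    if state.cumulative[channel] + amount_cents > limit["cumulative"]:
        return True, f"cumulative cap of {limit['cumulative']} cents since last SCA would be exceeded"
    return False, f"{channel.value} low-value exemption"


def record_payment(state: InstrumentState, channel: Channel,
                   amount_cents: int, sca_applied: bool) -> None:
    """Update counters after the payment was executed."""
    if sca_applied:
        for c in Channel:  # assumption: any SCA resets every exemption counter
            state.cumulative[c] = 0
            state.count[c] = 0
    else:
        state.cumulative[channel] += amount_cents
        state.count[channel] += 1


def account_access_requires_sca(state: InstrumentState, now: datetime) -> bool:
    """First access always needs SCA; afterwards at most every 90 days."""
    if state.last_access_sca is None:
        return True
    return now - state.last_access_sca >= ACCOUNT_ACCESS_WINDOW


def walk_through(amounts_cents, channel: Channel = Channel.REMOTE):
    """Apply a sequence of payments, performing SCA whenever it is required.
    Returns the list of SCA decisions, one per payment."""
    state = InstrumentState()
    decisions = []
    for amount in amounts_cents:
        required, _reason = payment_requires_sca(state, channel, amount, "shop")
        record_payment(state, channel, amount, sca_applied=required)
        decisions.append(required)
    return decisions


if __name__ == "__main__":
    # Constructed sequence: five €20 payments are exempt, the sixth needs SCA (count cap),
    # which resets the counters so the seventh is exempt again.
    print(walk_through([20_00] * 7))
```

The reason strings are worth logging: when a PSP's fraud figures are reviewed, being able to say which exemption was relied on for each transaction is what makes the exemption defensible.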

It is important to highlight that the payment service providers (PSPs) are responsible for applying SCA when it is required, and for deciding whether to rely on an exemption. Under PSD2, a payer can claim full reimbursement from their PSP for an unauthorised payment if the PSP did not require SCA, unless the payer acted fraudulently.

What is CSC?

Common and secure communication (CSC) standards were specified in the RTS to ensure that communication between banks and regulated third party providers (TPPs) happens over a secure, authenticated channel.

According to these standards, banks have to provide a communication channel, typically a dedicated API, that allows TPPs to access the data they need securely. The same channel also enables banks and TPPs to identify each other when customer data is accessed, so that the bank knows which regulated provider is behind each request.

With the implementation of the RTS and its CSC standards, TPPs are no longer allowed to access customer data through the use of "screen scraping", i.e. logging in with the customer's own credentials and reading the bank's web interface. However, to facilitate the transition, some exceptions (such as a fallback mechanism when a dedicated interface is unavailable) were put in place during a transitional period.

Transaction risk analysis on RTS

In the final version of the RTS, transaction risk analysis (TRA) was one of the more interesting aspects covered. Even though banks and service providers already perform it on a daily basis, the RTS specify very detailed requirements that must be met before a PSP may rely on TRA to skip SCA on a remote transaction, including a cap on the transaction amount and the requirement that the PSP's own fraud rate stays below reference thresholds.

With its implementation, risk analysis has become an essential requirement with a common minimum threshold across the EU, resulting in a more level playing field and a broader choice for customers.

PSPs must monitor and report their fraud rates, and the European Banking Authority (EBA) and national competent authorities have access to the results of these risk analyses and fraud rates, meaning that supervision will not focus exclusively on financial health, but also on cybersecurity.

Regulatory Technical Standards SFDR

The detailed RTS under the Sustainable Finance Disclosure Regulation (SFDR) were meant to apply from March 10th, 2021, but the European Commission (EC) decided that they could not be adopted within the timeframe previously anticipated, and their application was postponed.

SFDR was created to ensure that any business providing financial services and products are comprehensively disclosing just how committed they are to sustainability.

One of the key aims of this regulation is to prevent "greenwashing", the practice by financial firms of exaggerating their environmental commitments on paper without applying them in practice.

MiFID 2 Regulatory Technical Standards

The revised version of the original Markets In Financial Instruments Directive (MiFID 2) rolled out on January 3, 2018, to regulate financial markets and improve protections for investors.

MiFID II is a legislative framework instituted by the European Union (EU), with the aim to standardize practices across the EU and restore confidence in the industry.

MiFID II is the legislative framework that serves as the legal basis for its own set of RTS, in the same way that PSD2 is the legal basis for the RTS on SCA and CSC.
